Publicado em 29/01/2020

The General Data Protection Law (LGPD) is fast approaching – Be ready to be compliant by August

Yesterday (28/01), we celebrated the International Data Protection Day. This date aims to promote education and awareness about the rights and obligations related to the use of personal data and of the need to protect privacy.

In this spirit, it’s important to remember that the enforcement date of the Brazilian General Data Protection Law (LGPD – Federal Law nº 13.709/2018) is fast approaching in less than 7 months. For that matter, we have prepared a brief summary of the main doubts brought to us by our clients, as well as the recommended measures for companies to become compliant.

What is the Brazilian General Data Protection Law?

The LGPD is the first Brazilian legislation designed exclusively to regulate personal data in Brazil. Its provisions were heavily influenced by the European General Data Protection Regulation (“GDPR”) and will have a deep impact on the way that personal data collected in Brazil is used.

When will the law come to force? August 2020.

Is my company subject to the LGPD?

The LGPD will be applicable to any and all processing of personal data. According to the law, personal data is understood as all information regarding an identified or identifiable natural person. We point out that this definition may be broader than may you normally interpret. Not only information such as Individual Taxpayers’ Register and ID are considered personal data, but also any and all data that may in any way identify or make an individual identifiable, such as, for example, purchase history, geographic location, salary, internal employee evaluations, titles, medical data, telephone numbers, amongst others.

As for the processing of personal data, it means any and all operation carried out with such personal data, including, but not limited to, the collection, transfer to third parties, aggregate use, processing and even its elimination.

From a practical point of view, this means that LGPD will impact your relationship with your own employees and even with your clients, investors and suppliers. With only a few exceptions, the will significantly affect the way your company interacts with the data of individuals.

Will the law apply to foreign companies?

Yes, if you process data collected in Brazil or your activity imply the offering of goods and services to Brazil, LGPD will apply. Brazilian Law will apply to data protection irrespective of a choice of law clause (actually this is true already, due to the Brazilian Framework for the Internet Law).

What are the penalties for non-compliance?

Penalties vary from warnings to fines (limited to R$ 50 mm), elimination or blockage of data obtained unlawfully, suspension of activities pertaining the processing of data and publicization of the infraction.

I’m already compliant with the GDPR and CCPA, should I be concerned?

Yes, we recommend to review of your Privacy Policy or privacy notice to make sure you are also compliant with the LGPD. Adjustments may be minor, but still relevant to ensure compliance. You should also be aware of the impact of local interpretation of the provisions of the law. Finally, we cannot stress this enough, if your policy is not in Portuguese, it will likely not be legally binding.

How do I become compliant in Brazil?

Most of what we mentioned above applies, we recommend review of all documents that regulate and affect the processing of data in Brazil. From securing legal grounds to ensuring data minimization and data subject rights, you should be aware of all material effects that the law will have in your local operations.

Our Data Protection team is available to assist our clients in the process to ensure compliance with LGPD, including in:

(i) the performance of data flows and gap analysis;

(ii) review of agreements and contractual clauses;

(iii) drafting of internal data protection policies;

(iv) monitoring and updating of internal policies and its implementation;

(v) structuring of operations that involve data protection;

(vi) consulting in the development of products and services that comply with the requirements of LGPD.