Publicado em 27/08/2020

LGPD will come to foce in up to 15 work days

The new postponement of LGPD was rejected by the Senate. LGPD will therefore become enforceable as of President Bolsonaro’s sanction/veto of PLV n. 34/2020, which must happen in up to 15 business days. Administrative sanctions remain suspended and will only be applicable from August, 2021.

Yesterday, in the digital session of August, 26, 2020, the Brazilian Senate confirmed that Brazil’s General Data Protection Law (Federal Law n. 13.709/2018 – LGPD) will come into effect concurrently with President Bolsonaro’s sanction to PLV n. 34/2020. This means that the LGPD will come into force sometime within the next 15 business days.

In order to assist you to better understand what this means, we prepared answers to a few FAQs on the matter:

How can I ensure compliance with the LGPD?

We recommend that companies take two steps to ensure compliance with the LGPD: 

(i) Data mapping – companies should initially investigate which personal data they hold (which has been collected in Brazil) so they can properly assess how such information is used; then

(ii) Implementation – after having made a map of the companies’ operations involving personal data, we can pinpoint the documents and policies which must be drafted to ensure compliance. Such documents and policies usually involve companies’ privacy policy, guidelines on data subjects’ rights, review of agreements the company has entered into with clients, contractors and providers, its employees (if there is a local operation), amongst others.

 I have yet to start preparing for the LGPD. What should I do?

The compliance procedure will be very similar to the one described above. The difference is that we work with our clients to understand how to establish strategic procedures based on the company’s concerns and business model, also considering the costs and time available for compliance.

Sanctions for failure to comply with the LGPD remain suspended. What does this mean?

Administrative penalties for failure to comply with the LGPD will remain suspended and may only be applied from August 2021. Amongst these are pecuniary sanctions (up to R$50 million per infringement) and non-pecuniary sanctions (warnings, obligation to publicize the infringement and obligation to delete personal data).

If sanctions can only be applied from August 2021 onwards, should I stop worrying about the LGPD until then?

No. Although the administrative sanctions will not be applicable until next year, as of the LGPD’s entry into force, users can enforce compliance with the new law and ensure their rights are protected. Additionally, failure to comply with users’ rights and other infringements may result in legal procedures against the company.

Will Brazil have a Data Protection Authority? 

Yes, today Executive Decree n. 10.474 of 2020 was issued establishing the internal structure of the National Data Protection Authority – ANPD. ANPD will be an administrative body that will have amongst its functions the duty to verify compliance with the LGPD and to issue recommendations and regulations connected to the law. This Decree is an important step to ensure that ANPD may be functioning at least by the end of this year.

The Technology and Data Protection Team of Dias Carneiro is following-up the developments of the matter and is available for any clarifications.