Applicability:
The LGPD applies to any data processing activity carried out by a public or private entity, regardless of where that entity is based, provided the processing involves personal data of individuals located in Brazil, or the processing is related to the offering of goods or services to, or the monitoring of, individuals within Brazil.
Lawful Basis for Data Processing:
Similar to the GDPR, the LGPD requires businesses to have a lawful basis for processing personal data. The law provides ten lawful bases, including the necessity of processing for compliance with a legal or regulatory obligation, performance of a contract, consent of the data subject, protection of the data subject's life or physical safety, execution of public policies, legitimate interests, and the exercise of rights in judicial, administrative, or arbitration proceedings.
Data Subject Rights:
The LGPD grants several rights to data subjects, which allow them to have more control over their personal data. These rights include:
a. Right to Access: Data subjects have the right to obtain confirmation of the existence of processing, access their personal data, and obtain information about the purposes of the processing, the categories of personal data involved, and the recipients of the data.
b. Right to Rectification: Data subjects can request the correction of incomplete, inaccurate, or outdated personal data.
c. Right to Erasure: Data subjects have the right to request the deletion of their personal data, subject to certain exceptions.
d. Right to Data Portability: Data subjects can request the transfer of their personal data to another data controller, in a structured, commonly used, and machine-readable format.
e. Right to Withdraw Consent: Data subjects have the right to withdraw their consent for data processing at any time, without affecting the lawfulness of the processing based on consent before its withdrawal.
f. Right to Information on Data Sharing: Data subjects have the right to information about entities with which their personal data is shared.
g. Right to Object: Data subjects can object to the processing of their personal data in certain situations, including processing based on legitimate interests.
Consent Requirements:
The LGPD sets strict requirements for obtaining consent for data processing. Consent must be provided in a clear and conspicuous manner, be specific for each processing purpose, and cannot be bundled with other terms and conditions. Consent must be obtained before any data processing takes place, and data subjects must be informed of their right to withdraw consent.
Data Protection Officer (DPO):
Certain organizations are required to appoint a Data Protection Officer (DPO) responsible for overseeing data protection activities within the organization and acting as a point of contact for data subjects and the national data protection authority.
Data Breach Notification:
The LGPD requires businesses to report data breaches to the national data protection authority and to affected data subjects without undue delay. Data subjects must be informed of the nature of the breach, the data affected, the measures taken to address the breach, and the recommended actions they should take to protect themselves.
Data Processing Agreements:
The LGPD requires organizations to establish data processing agreements with third-party processors that handle personal data on their behalf. These agreements must define the roles and responsibilities of each party in protecting personal data and ensure compliance with the LGPD.
Data Protection Impact Assessments (DPIAs):
Certain high-risk data processing activities require Data Protection Impact Assessments (DPIAs) under the LGPD. DPIAs are assessments aimed at identifying and mitigating privacy risks associated with data processing.
International Data Transfers:
The LGPD imposes restrictions on the transfer of personal data to countries or international organizations that do not offer adequate data protection. Transfers may be made under specific conditions, including obtaining explicit consent from data subjects or through other mechanisms recognized by the national data protection authority.
Enforcement and Penalties:
The LGPD is enforced by the Autoridade Nacional de Proteção de Dados (ANPD), Brazil's national data protection authority. Non-compliance with the LGPD can result in fines of up to 2% of the organization's revenue in Brazil or up to BRL 50 million per violation.
In conclusion, the Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law that seeks to protect the privacy and rights of individuals whose personal data is processed by businesses and organizations. With strong similarities to the GDPR, the LGPD introduces stringent requirements for data processing, grants data subjects various rights to control their data, and imposes significant penalties for non-compliance. To comply with the LGPD, organizations must be transparent about data processing activities, obtain valid consent, respect data subject rights, and implement appropriate security measures to safeguard personal data. By adhering to the LGPD's provisions, businesses can build trust with their customers, demonstrate their commitment to data protection, and operate responsibly in the digital age.