The Context of Personal Data Protection in Brazil

technology 23 Oct 2018
The Context of Personal Data Protection in Brazil

Written by: Giuseppe Mateus Boselli Lazzarini and Maria Cecília Oliveira Gomes


Our society is increasingly becoming more data-driven, then the exchange of personal data, which is part of our daily professional and private life, is a requirement to access the most diverse types of products and services. In order to protect the rights of data subjects, in particular their privacy, it is extremely important that the processing of such data be properly regulated and become a relevant subject in the legal environment. In such sense, a major milestone in the discussion was the elaboration of Directive 95/46/EC, which in May 2018 was replaced by Regulation 2016/679, of April 27, 2016, widely known as the General Data Protection Regulation (“GDPR”)[1], the general data protection law of the European Union.

In the wake of the debate in the European Union, Law No. 13709 of August 14, 2018, also known as the General Data Protection Regulation (“LGPD” in Portuguese), was enacted this year in Brazil. The LGPD regulates online and offline personal data processing operations, both in the public and private sectors looking to provide data subjects with a lot more privacy and security. Brazil was one of the last major world economies to regulate the matter of personal data protection, with the approval of the LGPD and its enforcement in February 2020, it is expected that Brazil once again is part of the countries with high levels of protection in the world.

Below are the most relevant points in the new data protection legislation in Brazil:

Scope of Application: The law must be applied when at least one of the following cases is observed:

  1. the processing operation is conducted in the Brazilian territory;
  2. the processing activity looks to the offer or provision of good or services or the processing of data belonging to subjects located within the Brazilian territory;
  3. the personal data, object of the processing, has been gathered in the Brazilian territory.

As it can be seen, the application of the LGPD is not subject to the country an entity processes the data in nor to the country such data is located at.

The Concept of Personal Data: All information related to an identified or identifiable subject is considered as personal data. In other words, any data which, separately or in conjunction with some other data, allows for the identification of a person. Data which could subject the person to discriminatory treatment, e.g. ethnicity, health, religion – and data enabling unambiguous identification of the subject – such as biometrics – considered as sensitive personal data which requires higher safety standards in their processing.

Public data: publicly accessible personal data, such as that in the databases managed by the public administration (e.g. in the Diário Oficial, Diário de Justiça, public notaries) and that found in websites, such as social network profiles, which is also considered personal data with regulated and limited processing.

Processing agents and their responsibility: those responsible for the processing of personal data are categorized in the LGPD according to competency, with distinct levels of responsibility. A Controller is the legal or natural person who makes decisions regarding the processing of personal data. An operator is the person processing the data on behalf of the controller. Both the controller and the operator can be jointly and severally liable for damages caused as a result of the processing of personal data which they are involved in. However, an operator is only liable when failing to comply with the legal orders of a controller or the obligations imposed by the data protection legislation. Because of the difference in the attribution of their responsibility, it is important to make a clear distinction between a controller and an operator, who may even be a single person or company.

Legal Grounds: the processing of personal data is only allowed through a legal ground and a specific purpose. The new law lists ten legal grounds for the processing of data, of which we shall mention:

  1. the unequivocal consent provided by the data subject;
  2. compliance with the legal or regulatory obligations by the processing agents; and
  3. meet the legitimate interests of the processing agents[2].

Information Security: a security norm is required, which should involve technical and administrative measures for the protection of personal data. Such norm must be incorporated in the business model from its inception in accordance with the concept of privacy by design.

Data Subjects’ Rights: personal data subjects have the right to request from controller:

  1. a confirmation of the existence of the processing;
  2. access to their data;
  3. correction of data, which is incomplete, incorrect or outdated;
  4. anonymity[3], blocking or exclusion of data, which is unnecessary, excessive or processed in a divergent manner from the law;
  5. portability of data to other services and products;
  6. exclusion of data that has been processed through the legal ground of consent;
  7. information of the entities which data has been shared with;
  8. information on the alternative not to provide consent and the consequence of such refusal; and
  9. revoking previously granted consent.

Registration of activities: all processing activities must be registered, with information on the types of data processed, the legal grounds and processing purposes, information security practices, sharing of personal data, methods used, etc.

International Data Transfer: international data transfer is allowed in several situations, among which, outstandingly: (a) upon specific and informed consent for the transfer by the data subject; (b) for the protection to the life of the data subject and third parties; (c) when the transfer is necessary for international cooperation purposes; (d) when the data is transferred to countries or entities upon level of personal data protection is acknowledged as adequate.

Regulatory Authority: the bill that gave rise to the LGPD[4] provided for the creation of the Autoridade Nacional de Proteção de Dados (“ANPD”), National Data Protection Authority, an autonomous public authority responsible for overseeing the application of the personal data protection legislation in Brazil. Among the attributions of the authority would be the elaboration of guidelines for the “Domestic Policy for Protection of Personal Data and Privacy”, supervision and enforcement of sanctions in case of non-compliance with the legislation, promotion of studies on domestic and international practices for the protection of personal data, among others. The creation of the ANPD was vetoed because of a problem of legislative competence, however, there is a promise of its creation through a Provisional Measure in the future. This is important because, although it does not create the national authority, the LGPD still provides for a number of functions to be exercised by it, such as taking action in cases of information security incidents.

Report on the impact on personal data protection: similar to the Data Protection Impact Assessment (DPIA), this is a methodology adopted by the GDPR, containing information regarding data processing operations, describing the procedures, their risks and safety measures. The existence of such a report may be mandatory in situations previously characterized as hazardous or otherwise as determined by the national authority where the processing is based on the legitimate interest of the processing agents.
Penalties: Administrative penalties are provided for in cases of violation to the data protection legislation. Penalties, such as warnings, either simple or daily fines[5], publication of the infraction, blocking personal data related to the infraction and the exclusion of such data are possible.

Transition period: the LGPD will come into force in February 2020, to allow for the adaptation of entities in order for them to be compliant with the new regulation.

Any company willing to enter the Brazilian market must naturally agree with the LGPD. However, because of its cross-border nature, the law can be applied even to companies that do not act directly in that market, as long as some part of the data processing takes place in the Brazilian territory.

Although the points examined here are the most relevant of the Brazil’s new data protection legislation, there are a number of other aspects and specificities which the LGPD covers. When it comes to compliance with the legislation then, the advice of specialized lawyers is recommended.

[1] Available at: Accessed on 10.02.2018.
[2] Legitimate interests are situations that can automatically characterize purposes which legitimize the processing of personal data, such as fraud prevention and guarantee of network security and information in the systems of processing agente.
[3] The anonymity process creates the anonymous side of data out of its personal side, i.e.  data out of which it is not possible to identify its subject.
[4] The text approve Bill of Chamber no. 53, of 2018, which gave rise to LGPD, can be seen at: Accessed on 10.02.2018.
[5] The fines can reach 2% of the revenues of a legal person in Brazil, limited to the total amount of R$ 50 million per infraction.


Giuseppe Mateus Boselli Lazzarini and Maria Cecília Oliveira Gomes – are researchers at Baptista Luz Advogadosmember of the Câmara.

← Israel e Brasil investirão US$ 5 milhões em cooperação tecnológica Santa Catarina lidera em tecnologia →

Leave A Reply

Comments are closed