- Why Us?
- White Label
There are over 140 million internet users in Brazil, representing the largest internet market in Latin America and the fourth largest in the world in terms of number of users. Brazil has over 40 legal rules at the federal level that refer to data protection and privacy, so, obviously, a legislative framework for this issue is already in place.
However, these laws are sectoral, meaning that they refer specifically to banking, real estate, consumer protection and other similar limited areas where they can be applied.
LGPD (Lei Geral de Proteção de Dados Pessoais) - is meant to replace this segmented legal landscape with a general regulatory framework that encompasses all others.
The role of the LGPD is to give people in Brazil a set of general rights, in a simplified manner that will replace the sectorally applied laws that are in force today. The set of laws is modeled according to the General Data Protection Regulation of the European Union, the similarities between these two being obvious and easy to observe.
This similarity led to the assignment of a new name to the LGPD, that of the "Brazilian GDPR". This resemblance is not exaggerated at all, because if you are following the provisions of the GDPR, you can almost breathe a sigh of relief, because most of them are also found in the LGPD.
However, there are some differences. So it is important to study the provisions of the LGPD and the differences between this law and the GDPR. In this way, you will not be surprised when the provisions of the LGPD come into force.
To make this process easier for you, we will list below the significant differences between LGDP and GDPR. But first, we will present to you what LGPD is and in which cases it applies exactly.
The law on data protection in Brazil is called Lei Geral de Proteção de Dados Pessoais, which means "the general law of personal data protection".
It is officially abbreviated to LGPDP, although it is most commonly known and called LGPD.
It was adopted on August 14, 2018 and finally sanctioned by President Bolsonaro in July 2019. It contains sixty-five articles.
The effective date of the LGPD application should be 16 August 2020, but, as a result of several legislative blockages, it still needs to be voted on until 27 August 2020 at the latest. Some articles may be applied only starting with August 2021. That is also the time when we will start seeing the first sanctions for those who do not comply.
LGPD brings much-needed clarifications to the Brazilian legal framework. LGPD aims to unify more than 40 different statutes that currently legislate personal data by replacing certain regulations and supplementing others. This unification of previously dispersed and often contradictory regulations is just a similarity it shares with the EU General Data Protection Regulation, the document from which it was inspired.
The LGPD focuses on the national specifics, illustrated by the fact that the legal basis of this data protection law are based on liability, limitation of purposes, minimization of data processing, security and privacy.
Article 18 explains the nine fundamental rights that data subjects have, namely:
Although the GDPR is known for granting data subjects eight fundamental rights, they do not differ much from those mentioned by the LGPD. The main difference is that the LGPD explicitly mentions “The right to information about public and private entities with which the controller has shared data” while “GDPR” has formulated this right in a more general manner, namely “The right to be informed ”.
Brazil’s new law on data protection applies to any private or public person or company that processes personal data that:
The LGPD also includes an extraterritorial aspect and will apply to global enterprises that meet these criteria mentioned above. The location of these companies is not relevant.
LGPD law does not apply in the following cases:
There are many similarities between LGPD and GDPR. One of these is that LGPD, like GDPR, has global applicability, as any website that processes personal data from individuals in Brazil is required to comply with it. However, there are some differences as well.
Probably the most significant difference between LGPD and GDPR relates to what qualifies as a legal basis for data processing. The GDPR has six legal bases for processing, and a data controller must choose one of them as a justification for using a data subject's information. Unlike the GDPR, the LGPD mentions a list of 10 legal reasons for data processing:
Credit protection as a legal basis for data processing is a major difference from the GDPR.
In the GDPR, a so-called DPIA (Data Protection Impact Assessment) is established to assess the potential risks of data processing. It is also necessary for processors to notify those data protection authorities if the high risks associated with the data processing are assessed.
The LGPD also establishes the DPIA, but does not indicate how they will be used, nor does it set out requirements for the warning to any administrative authority.
The LGPD imposes an obligation on companies to have a Data Protection Officer (DPO), while this is only required in certain circumstances in the GDPR.
The time limits for notifying data breaches are clearly defined in the GDPR as 72 hours, while the LGPD freely provides for data breaches to be reported to the authorities in a "reasonable time".
Compared to the GDPR, the LGPD is much less severe in fining and penalizing violations and non-compliance.
The maximum fines for non-compliance with the GDPR are set at EUR 20 million or 4% of a company's overall annual turnover, taking into account the highest amount. LGPD sets its maximum fines at 50 million Brazilian reals (approximately 11 million euros) or 2% of the company's annual turnover.
The LGPD treats the international transfer of personal data similarly to the General Data Protection Law, assessing whether the foreign country has an adequate level of data security laws. And, of course, based on the prior, explicit and express consent of the data subject.
However, the LGPD (unlike the GDPR) does not apply to the transmission of data through Brazil without further processing.
In this global context in which personal data becomes an essential aspect of internet privacy, it is very important that your website and your analytics tool comply with all these provisions.
TWIPLA is 100% GDPR & CCPA & LGPD compliant. We use an independent cookieless tracking system that has received various awards. The website owner is the sole owner of the information and is in absolute control of it. There is no cross-tracking and we do not sell data to third parties.
Gain World-Class Insights & Offer Innovative Privacy & Security