Inspired by the European regulation (General Data Protection Regulation - GDPR), the Brazilian General Law on Data Protection (in Portuguese, LGPD, Lei Geral de Proteção de Dados Pessoais) aims to implement a well-established set of rules on obtaining, using, storing, modifying and exchanging personal data managed by various organizations.

What is the Brazilian General Data Protection Law?

LGPD, sometimes called the Brazilian GDPR, is the legal framework that refers to the use and processing of personal data of users in Brazil, regardless of the location of the organization that processes the information. The Brazilian National Congress adopted the law in August 2019, but it was vetoed on August 15, 2020.

As already mentioned, LGPD has several similarities with GDPR. It applies to individual organizations, public or private, but also to institutions that collect and process personal data of individuals in Brazil.

The actions that LDPG descibes include the collection and use of personal data of people in Brazil, without their consent, both by public authorities and by the private sector. The law also refers to the use of personal information to discriminate against individuals.

Where does LGPD apply?

LGPD law refers to people located in Brazil. Thus, any company that interacts with Brazilians and collects certain data from them must comply with the provisions of the LGPD. Included are organizations or websites that operate anywhere in the world, as the location of the organization is not relevant.

There are some exceptions to the application of the LGPD provisions. These include:

  • A person who processes data for strictly personal purposes

  • Data for academic, journalistic and artistic purposes

  • If the information is necessary for criminal investigations, if it endangers national security, if it is used by the national defense to ensure public safety, for criminal investigations, etc.

What are the penalties provided by the law?

Depending on the severity of the non-compliance with the provisions of the LGPD, companies that violate the new law will be subject to the application of warnings, fines, suspensions and partial or total bans to carry out their activities.

The maximum fine amounts to up to 2% of the organization's revenues or the amount of 50 million Brazilian reals, the equivalent of 11 million euros.