What is LGPDP?

Translating to “General Law of Personal Data Protection”, or more commonly known as LGPD, is a privacy law for Brazil and non-Brazilian citizens. 

Who does LGPDP apply to?

Article 3 This Law applies to any processing operation carried out by a natural person or a legal entity of public or private law, irrespective of the mean, the country in which its headquarter is located or the country where the data are located, provided that:

  1. the processing operation is carried out in the national territory; 
  2. the purpose of the processing activity is to offer or provide goods or services or the processing of data of individuals located in the national territory; or
  3. the personal data being processed were collected in the national territory.

When is the Effective date?

The LGPDP effective date is August 15th, 2020.

Compliance Regulations

Article 18. The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being processed by the controller, at any time and by means of request:

  1. confirmation of the existence of the processing;
  2. access to the data;
  3. correction of incomplete, inaccurate or out-of-date data;
  4. anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this Law;
  5. portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency;
  6. deletion of personal data processed with the consent of the data subject, except in the situations provided in Art. 16 of this Law;
  7. information about public and private entities with which the controller has shared data;
  8. information about the possibility of denying consent and the consequences of such denial;
  9. revocation of consent as provided in §5 of Art. 8 of this Law.

Non-Compliance Penalties

Article 52:

  1. simple fine of up to two percent (2%) of a private legal entity’s, group or conglomerate revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of fifty million reais (R$ 50 000 000.00) per infraction;
  2. daily fine, subject to the total maximum referred to in Item 2;