An Introduction To LGPD: Brazil’s General Data Protection Framework

On August 15, 2020, Brazil is set to enforce its data protection law, the Lei Geral de Proteção de Dados Pessoais, commonly called LGPD. The law was passed on August 14, 2018, followed by official sanctioning by President Bolsonaro in July 2019.

LGPD is closely modeled on the European Union’s GDPR, albeit with some notable differences. Once LGPD is enforced, organizations will be responsible for appointing a Data Protection Officer (DPO) who will handle all data processing queries.

In this post, we explain what LGPD is and its similarities with the GDPR.

An Insight Into Brazil’s Internet User Penetration

Approximately 66% of Brazil’s entire population has access to the Internet and spends about 26 hours a week online. Brazil’s Internet user count is forecast to reach 169 million by the end of 2023. The country is also the fourth largest in the world in terms of Internet user count.

Figure: Brazil Internet user forecast for the period 2017-2023 (source: Statista).

With such a large Internet user base, Brazil already has approximately 40 legal norms at the federal level that regulate the privacy of users online. However, these are sectoral laws that provide only partial protection to individuals. An all-embracing framework such as the LGPD will protect users in all sectors of the economy, including both private and personal.

What Is A Data Subject?

Before we jump into the key features of LGPD, it is important to understand what a data subject is. Although data subjects are already comprehensively defined in the GDPR, LGPD also explicitly states its own definition.

Figure: Data subject rights under LGPD.

Any individual whose data is being collected and/or processed is a data subject.

Under LGPD’s Article 18, data subjects are granted nine different rights over their personal data, including:

  • Access to their data
  • Confirmation that their data is being processed
  • Rectification of outdated or incorrect data
  • Anonymization or deletion of data that is not LGPD-compliant or has been used out of context
  • Portability: permission to hand over their data to another processor
  • Deletion of personal data
  • Disclosure of information about other processors with whom personal data has been shared
  • Revocation of consent to the processing of personal data
  • Information regarding denial of consent and its consequences

Key Features Of The LGPD 

Who Does LGPD Apply To 

Similar to the GDPR, LGPD has extraterritorial application. This means that companies and websites that process data from individuals in Brazil must be LGPD-compliant regardless of where they operate from.

Under Article 3, extraterritorial application is further defined as: 

  • Data processing of data collected inside Brazil.
  • Data processing of individuals in Brazil regardless of the data processor’s location. They can be located anywhere in the world.
  • Data processing within the territory of Brazil.

It is also important to note that LGPD is transversal and multi-sectoral. This means that it applies to sectors both private and personal, online and offline.

How Is Data Defined Under LGPD

LGPD broadly defines data in three categories:

Personal
  Definition: “Personal data is information regarding an identified or identifiable natural person.”
  Additional comments: LGPD does not explicitly define criteria for personal data. However, it can include name, gender, address, ID numbers, etc.

Sensitive
  Definition: “Sensitive data is personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.”
  Additional comments: This is essentially a sub-category of personal data. Under Article 11 of the LGPD, distinct consent requirements are defined for it.

Anonymized
  Definition: “Data related to a data subject who cannot be identified.”
  Additional comments: If anonymized data can be used in any way for behavioral profiling, the anonymization is considered reversible and the data does not qualify under this category.

Additional Definitions Under LGPD

Some of the other important definitions under LGPD are:

  • Processor: Controller (can be a person or a legal entity) who performs operations using personal data.
  • Processing: Any operation that is carried out with personal data. These operations can include collection, production, receipt, classification, use, access, reproduction, transmission, distribution, and others.
  • Controller: Any person or legal entity who has the authority to make decisions on processing of personal data.
  • Consent: Consent is defined as a ‘free, informed and unambiguous manifestation whereby the data subject agrees to the processing of his/her personal data for a given purpose.’

Similarities Between LGPD and GDPR 

As mentioned above, LGPD is closely modeled on the GDPR, which is why it is also called Brazil’s GDPR. Both frameworks have several similarities, including:

Territorial Scope
  Irrespective of where data processing takes place, any business or individual processing the personal data of people within the respective jurisdiction needs to be LGPD- or GDPR-compliant according to that region.

Data Subject Access Requests
  Data subjects have the full right to request access to their data and the right to be forgotten.

Appointment Of A Data Protection Officer (DPO)
  Both LGPD and GDPR require organizations to appoint a DPO if the company:
  • Is a public entity.
  • Carries out large-scale data processing and monitoring of persons.
  • Has core operations that require processing data of individuals linked to criminal offenses.

Even where these criteria are not met, both frameworks still urge organizations to appoint a DPO.

Differences Between LGPD and GDPR

Legal Bases For Data Processing
  GDPR: Companies are subject to six legal bases under which personal data may be processed: Consent, Contract, Legal Obligation, Vital Interests, Public Task, Legitimate Interests.
  LGPD: Companies are subject to ten legal bases under which personal data may be processed: Consent, Contract, Legal Obligation, Life Protection, Health Protection, Legitimate Interest, Public Task, Protection to Credit, Exercise of Rights in Legal Proceedings, Research by Public Study Entities.

Penalties Imposed
  GDPR: Fines can total up to 4% of yearly revenue or 20 million euros, whichever is higher.
  LGPD: Fines can total up to 2% of yearly revenue or 50 million Brazilian reais, whichever is higher.

Data Breach
  GDPR: Notification of a data breach is compulsory, and companies must follow a stringent policy of reporting a breach within 72 hours.
  LGPD: Notification of a data breach is compulsory, and companies must report breaches within a ‘reasonable’ timeframe.

Important Links 

For publishers active in Brazil or using data of Brazilian individuals, the following links will help provide more clarity:
