Take-Aways (AI)
  • The LGPD came into force on September 18, 2020; its enforcement provisions are expected to apply from August 1, 2021.
  • The LGPD is similar to the GDPR, but is not a direct adoption and contains several specific deviations.
  • Its territorial scope also covers processing by companies without a Brazilian establishment under certain conditions.
  • Key differences: exemptions, missing clauses (e.g. contractual obligations, impact assessment thresholds), the DPO obligation and fines.

Brazil's new data protection law – Law No. 13,709 of August 14, 2018, General Law on Personal Data Protection (“Lei Geral de Proteção de Dados”, “LGPD”) – entered into force today, September 18, 2020. Its enforcement provisions are expected to enter into force on August 1, 2021.

The LGPD is similar to the GDPR in many respects, but is not a direct adoption.

Processing by companies without an establishment in Brazil falls within the territorial scope of the LGPD when:

  • it is carried out in the territory of Brazil;
  • its purpose is to offer goods or services to natural persons in Brazil;
  • it concerns personal data that was obtained in Brazil. This applies if the data subject was in Brazil at the time the data was collected – this set of facts therefore overlaps with that of behavioural monitoring under Art. 3(2)(b) GDPR.

However, the LGPD contains a notable exception to its scope, which has no precedent in the GDPR: it does not apply to the processing of personal data that

  • was procured outside Brazil,
  • is not transmitted across borders,
  • is not the subject of communication (?), and
  • is not shared with a Brazilian controller or processor, provided that
  • the state in which the processing takes place has an adequate level of protection.

Some further differences from the GDPR, based on data from dataguidance.com:

  • anonymous data may exceptionally be considered personal data if it is used to create or enrich a personality profile (but this also applies under the GDPR, because by being linked to a person, factual data is likely to become personal data);
  • concrete specifications for contracts between controllers and processors are missing;
  • the LGPD contains a specific legal basis for the processing of (i) sensitive personal data by research institutions for research purposes and (ii) ordinary personal data for credit assessment purposes;
  • an SME exemption from the obligation to keep a record of processing activities is missing;
  • threshold criteria for conducting a data protection impact assessment are missing, and the supervisory authority may order that one be conducted. Provisions for consulting the supervisory authority are missing;
  • the obligation to appoint a DPO applies only to controllers, but here without exception (although the supervisory authority may issue implementing regulations);
  • the supervisory authority may issue minimum data security requirements;
  • a maximum time limit for reporting data security breaches is missing;
  • requests from data subjects must be answered without delay; if this is not possible, reasons must be given. Requests for information must generally be answered within 15 days;
  • the information obligation is somewhat broader than under the GDPR;
  • fines can be imposed as a single fine or per day of violation (e.g. in case of disregard of an injunction), in each case up to approximately CHF 8.5 million.