Lei Geral de Protecao de Dados (LGPD)- Part 1

image credit: dataprivacy.foxrothschild.com

The newest entrant to Brazil’s privacy policy framework is the Lei Geral de Protecao de Dados popularly known as the LGPD which came into effect from August 16, 2020. As seen in the previous article, Brazil has a multitude of privacy laws and regulations for almost every major sector of its economy whether its financial services or customer services.

But due to the introduction of the European GDPR which also brings under its scope countries that are outside the EU (only if they are processing European data), many countries have scrambled to bring into effect its own version of the GDPR, Brazil being one of them. 

Brazil’s LGPD has been touted to be very similar to the GDPR. Let us understand in brief some of the key provisions of the LGPD:

  1. Scope: The LGPD applies to natural persons and legal entities carrying out processing as per private or public law. The headquarters of the entity where it is located and even the country where the data is located is not important. However, the following are of importance:
  • The processing operation must be carried out within Brazilian territory.
  • The processing operation must be significant to the supply of goods and services in the Brazilian territory or the processing of data of individuals located in the Brazilian territory
  • The processed personal data has been collected in Brazil. 
  1. Exclusion to the Law: The LGPD is not applicable to the following:
  • Processing of private data by an individual for private and non-economic purposes
  • For journalistic or artistic purposes
  • Academic purposes
  • Public security
  • National defense
  • Safety of the country
  • Crime investigation and punishment activities. 
  1. Principles on which the data processing activities are based on: All data processing activities shall be performed based on the following principles:
  • Purpose: The processing shall be for legitimate, specific and explicit purposes informed to the data subject. No further processing shall be permitted without the data subject’s consent.
  • Adequacy: The processing shall be compatible with the purpose informed to the data subject.
  • Need: Minimum processing shall be put into effect for achievement of purpose
  • Free access: Data subjects shall be entitled to free access of their data
  • Quality of data: Data shall be accurate, clear, relevant and also be updated from time to time.
  • Transparency: Data shall be easily accessible by the data subjects about the processing and the processing agents
  • Security: Adequate measures must be put in place to protect the data from unauthorised access and unlawful or accidental destruction.
  • Prevention: Preventive measures must be put in place to prevent damage due to processing of data
  • Non-discrimination: Data shall not be processed for discriminatory, unlawful or abusive purposes
  • Liability and accounting: There must be proof that can demonstrate that effective measures have been implemented in line with the data protection laws and regulations. 

We shall review the remaining key provisions in Part 2 of the LGPD.