In 2018, Brazil took an important step towards the protection of personal data with the enactment of the General Personal Data Protection Law (LGPD). The law (Law No. 13,709/2018), which came into force in September 2020, establishes clear rules on how companies and public bodies must collect, store and use the personal data of natural persons.
What is the LGPD?
The LGPD is a Brazilian law that aims to guarantee the protection of personal data. It applies to any organization, private or public, that processes personal data in Brazil, that processes data collected in Brazil, or that processes data in order to offer goods or services to people in Brazil, regardless of its size or field of activity. The law defines personal data as any information related to an identified or identifiable natural person, such as name, CPF (the Brazilian taxpayer number), address, telephone number, email, photos, etc.
What are the principles of LGPD?
The LGPD is based on 10 principles that guide the processing of personal data:
- Purpose: The data must be processed for legitimate, specific and explicit purposes that are informed to the data subject.
- Adequacy: Data processing must be compatible with the purposes informed to the data subject.
- Necessity: Data collection must be limited to the minimum necessary to achieve its purposes.
- Free Access: The data subject has the right to consult, easily and free of charge, the form and duration of the processing of their data, as well as the completeness of that data.
- Data Quality: Data must be accurate, clear, relevant and up-to-date.
- Transparency: Clear and complete information about the processing must be made available to data subjects.
- Security: Technical and administrative measures must be adopted to protect data against unauthorized access and against accidental or unlawful destruction, loss, alteration, communication or dissemination.
- Prevention: Adoption of measures to prevent the occurrence of damage due to the processing of personal data.
- Non-Discrimination: Data cannot be used for discriminatory, illicit or abusive purposes.
- Responsibility and Accountability: The controller must demonstrate the adoption of effective data protection measures.
What do companies need to do to comply with the LGPD?
Companies need to implement a series of measures to comply with the LGPD, including:
- Appoint a data protection officer (DPO, called the "encarregado" in the law): The DPO is the point of contact between the controller, data subjects and the national authority (ANPD), receives complaints and communications, and guides employees on data protection practices. The controller itself remains responsible for compliance.
- Map the personal data that is processed: The company needs to identify which personal data it collects, stores, shares and uses, and for how long it keeps it.
- Define the purposes and legal basis of processing: The company needs to define for what purposes personal data will be processed and which of the legal bases listed in the law (consent, contract performance, legal obligation, legitimate interest, among others) supports each processing activity.
- Obtain the consent of the data subject where consent is the legal basis: Consent is one of the legal bases, not the only one. Where the processing relies on it, consent must be free, informed and unambiguous, given for specific purposes, and the data subject must be able to revoke it at any time.
- Adopt security measures: The company needs to implement security measures to protect personal data against unauthorized access, destruction, loss, alteration, improper communication or any other form of improper or unlawful processing.
- Allow the exercise of data subjects' rights: The company needs to ensure that data subjects can confirm whether their data is being processed and exercise their rights of access, correction, anonymization or deletion of unnecessary data, portability, information about the sharing of their data, revocation of consent and opposition to the processing of their personal data.
What are the sanctions for non-compliance with the LGPD?
Companies that do not comply with the LGPD may be subject to the administrative sanctions applied by the ANPD and enforceable since August 2021: warnings, simple fines of up to 2% of the organization's revenue in Brazil in the previous financial year, capped at R$50 million per infraction, daily fines, publication of the infraction, blocking or deletion of the personal data involved, and partial or total suspension or prohibition of the processing activity. The LGPD itself does not create criminal offenses; criminal liability for misuse of data, where it exists, comes from other Brazilian laws.
What can consumers do to protect their personal data?
- Read companies’ privacy policies carefully: Privacy policies inform how consumers’ personal data will be collected, stored and used.
- Require companies to explain how their data will be used: Consumers have the right to know how their data will be used and can request this information from companies.
- Deny or revoke consent to the processing of personal data: Where processing depends on consent, consumers can refuse it or withdraw it at any time, and they can also ask the company to correct or delete their data and petition the ANPD if their rights are not respected.
The LGPD represents a milestone in the protection of personal data in Brazil, bringing benefits to both citizens and companies. Compliance with the LGPD not only avoids penalties, but also improves consumer confidence and strengthens companies’ reputations. Adopting robust data protection practices is, therefore, a crucial investment for the digital future of organizations.