IP expert, Latin America IP SME Helpdesk
Have you already had enough of the GDPR-compliant cookie tsunami that appeared on every website once the GDPR was approved and entered into force in the European Union?
The GDPR came into our lives in May 2018, and since then all companies in the EU have been concerned with the personal data of European citizens and how to comply with the Regulation. But this is not only the case in Europe: many other countries have enacted national laws protecting the personal data of their citizens. More than 120 countries around the globe now engage in some way with international privacy laws for data protection, and Brazil is one of them.
3 months after the GDPR was born in Europe, in August 2018 Brazil approved Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law ('LGPD'), which was further amended by Law No. 13.853 of 8 July 2019.
Last year, it came as a surprise to us all that Brazil's Senate had passed the General Personal Data Protection Law (LGPD), which is now in force; its penalties entered into force last August 2021.
But when does the LGPD apply? In the following circumstances:
- when the processing of personal data (a) takes place in Brazil and (b) the purpose of the processing is to offer or provide goods or services;
- when the personal data of individuals was collected while those individuals were in Brazil.
In a nutshell: the LGPD applies to any person located in Brazil whose data has been collected or processed, regardless of where the company that collects it is located.
Differences between the GDPR and the LGPD
Overall, both laws are comprehensive and apply to the processing of natural persons' data, in the EU and in Brazil respectively, carried out by controllers and processors.
An overview of the differences between the European and the Brazilian data protection laws has already been covered by several sources (e.g. 1, 2, 3), so we summarize them here:
| Topic | LGPD (Brazil) | GDPR (EU) |
|---|---|---|
| Scope | Applies to companies of all sizes, with some exceptions, such as journalistic, artistic, academic, public security and national defence purposes | Applies to any organisation operating within the EU, as well as any organisation outside the EU which offers goods or services to customers or businesses in the EU, though some obligations do not apply to EU SMEs |
| Anonymised data | Anonymised data may be deemed personal data when the data subject can be identified | Does not specifically address the processing of anonymised data |
| Response to data requests from consumers | Companies have just 15 days to respond | Companies have 1 month to respond |
| Maximum fines | 2% of global revenues, or 50 million reais (approximately €8 million) | 4% of global revenues, or €20 million |
| Data breach notification | A company must report that it has been the victim of a data breach within a "reasonable time" | A company must report that it has been the victim of a data breach within 72 hours |
| Minors' data | More restrictive consent requirements than the GDPR: enhanced protection up to the legal age, and an obligation to use audio-visual methods to make information easier to understand | Enhanced protection for those under 16 years old; some Member States may lower this threshold to 13 years old |
| International data transfers | Transfers to a third country or international organisation are more restrictive than under the GDPR, since no exceptions are allowed | Offers exceptions and requirements for data transfers to a third country or international organisation |
The role of the National Data Protection Authority (ANPD)
Penalties foreseen under the LGPD, once in effect, will be applied directly by the ANPD. The Brazilian LGPD imposes fines of up to 2% of a company's global revenue, or 50 million reais (approximately €8 million). These penalties may be applied by the ANPD multiple times: if a company suffers multiple security breaches, that amount will be charged for each breach.
The Regulation on the supervision and application of administrative penalties (draft in Portuguese: here) will soon be submitted by the ANPD.
The ANPD was established in November 2020, and in February 2021 it published a 3-year Strategic Plan (2021-2023). Its three strategic objectives are: (i) to promote the strengthening of the culture of personal data protection; (ii) to establish an effective regulatory environment for the protection of personal data; and (iii) to improve the conditions for the fulfilment of its legal competences. (The full document is available in Portuguese.)
Furthermore, in January the ANPD set up a regulatory Agenda covering two years, which lays out the ANPD's priorities for that period, from the publication of internal regulations to a good-practices guide for the public.
EU SMEs should pay attention to these Guides. One good example: thanks to the Guides (in Portuguese), we now know that companies need a Data Privacy Officer (DPO). Controllers must appoint one DPO and make the DPO's contact information easily accessible; the Guides clarify that the DPO may be either an employee or an external agent (which could be a company).
Importance of the LGPD to an EU SME
Needless to say, the size of the company does not matter under the LGPD: all companies must comply with it. Still in doubt? If your company is processing data of Brazilian citizens, even though you are not in Brazil, the LGPD will apply to your company. For instance, if your company's website collects personal data from people located in Brazil and does so in order to supply goods or services, it must comply with the General Data Protection Law of Brazil.
It is likely that you will have to ensure that your company adapts to the requirements of the Law, and that it has the resources to carry out the necessary tasks: create policies and apply processes to comply with the regulations. Get ready!
- Designate a Data Protection Officer (DPO): a person in charge of what the company needs to do to comply with the LGPD
- Document security policies and have the proper controls in place (including their maintenance)
- Implement access controls, and encryption of data at rest and in transit
- Make sure to apply full-disk encryption on those endpoint devices that have access to client data
- Make sure backup and recovery systems are operational, so that you can serve customer requests regardless of operational issues that may affect you
If you have further doubts on how the Brazilian LGPD may affect your company, or how to comply with it, contact us.
Publication date: 30 September 2021