Data protection in Brazil: get to know everything that will change with the new law (LGPD)

Data protection in Brazil: get to know everything that will change with the new law (LGPD)

New technologies create a large number of opportunities for optimizing resources, but when misused they can compromise the security of citizens’ information. One of the biggest concerns of all companies is the protection of information. Never before had the need to protect data been so evident. Citizens must have control over their personal data and the legal framework of digital business should be simplified and clarified. This happens because, unfortunately, often the personal data of users are illegally captured, which can compromise their entire privacy. All this scenario has boosted the creation of the General Regulation on Data Protection (GDPR) for the European Union, which came into force in May this year, and now Brazil is preparing to receive a new law very similar to the one that already exists in Europe. After more than 8 years of debates in civil society, here comes Law No. 13,709/2018, the Brazilian data protection law. The legislation (LGPD) was sanctioned on August 14 and is expected to come into force in February of 2020. In this article, we highlight the main aspects of this new legislation!

Purpose of the law

The law states in its Article 1 that its purpose is to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”

Next, in article 2, the law refers to its foundations: privacy, informational self-determination, freedom of expression, information, communication and opinion; inviolability of intimacy, honor and image, economic and technological development and innovation, free initiative, free competition and consumer protection, human rights, free development of personality, dignity and the exercise of citizenship by natural persons.

Concepts of the new law

The holder of the data is the person that the law aims to protect and is the carrier of “personal data that are subject to treatment”, so that legal entities of a collective nature are excluded from the scope of the new law: this law is exclusively to protect people.

The concept of data processing is very important in this legislation and is defined as “any operation carried out with personal data, such as collecting, producing, receiving, classifying, using, accessing, reproducing, transmitting, archiving, storage, disposal, evaluation or control of information, modification, communication, transfer, diffusion or extraction”. This context is very broad and applies to all data processing operations carried out by an individual or collective person, both in the public sector and in the private sector. In order for the law to apply, this data processing must be carried out in Brazilian territory. In the case of foreign citizens, personal data are subject to the new law when they are collected in Brazil and when their treatment is intended to provide goods or services in Brazil.

What will change in practice?

Obligation to delete data when required by the user

Citizens will be able to require companies to delete their personal data, whenever requested by users. The new regulation allows the personal data of each citizen to be destroyed at his request.

Data portability

Citizens may require companies to send their personal data in a format that allows them to be sent to another company, facilitating their migration and making it simpler to change service provision. Whenever a citizen changes banks or a television service provider, he or she will not have to provide his/her personal data again, as they can be easily migrated from one company to another.

Need for express user authorization

Citizens will have full information about how companies treat their data, how they store it, how long they store it and with whom they share their information. The new law applies to all activities involving the use of personal data, including treatment over the internet.

Obligation to notify in case of violation of personal data

Businesses and organizations have a duty to notify the competent authority in situations which put individuals at risk and to communicate to the citizen concerned all high-risk violations as quickly as possible so that appropriate action can be taken. In case of data leaks, the company must inform the competent authority (National Data Protection Authority, an indirect public administration body linked to the Ministry of Justice), which will be responsible for monitoring, implementing and enforcing the law , within a “reasonable period”.

What happens in case of default?

In case of data leakage or any other violation of the law, fines may reach 2% of the billing, with a limit of R $50 million, and may also imply the suspension of the company’s activities.

Companies around the world face growing data security and confidentiality threats, which forces them to reevaluate their data management strategies. At present, all people at some point do something online that involves sending personal data, such as buying a product, subscribing to a service or making a bank transfer. This legislation makes Brazil more compliant with regard to the protection of personal data.


About the author

Marketing administrator

Leave a Reply