LGPD – Brazil’s General Data Protection Law
Lei Geral de Proteção de Dados Pessoais
LGPD applies to any individual whose data has been collected or is being processed while inside the territory of Brazil
Brazil's new data protection law – the LGPD (Lei Geral de Proteção de Dados Pessoais) – is intended to replace this fractured legal landscape with an overarching regulatory framework.
It will empower individuals with a streamlined set of rights, rather than the partial protection of the sectoral laws in place today and is shaped with great inspiration from the EU’s General Data Protection Regulation.
LGPD (Lei Geral de Proteção de Dados)
empowers data subjects with nine rights,
defines what constitutes personal data,
creates ten legal bases for lawful processing.
It also puts the responsibility on companies and organisations to appoint a Data Protection Officer (DPO) and establishes the Autoridade Nacional de Proteção de Dados (or ANPD, Brazil’s new national data protection authority) with powers of supervision, guidance and enforcement of its administrative sanctions.
LGPD defines a data subject as “a natural person to whom the personal data that are the object of processing refer”. In other words, an individual whose data is being collected and/or processed is a data subject.
LGPD has “transversal” and “multi-sectoral application”, meaning that it applies to both public and private sectors, as well as online and offline.
It also has “extraterritorial application”, which means that websites, companies or organisations that process personal data from individuals in Brazil are bound to comply with the LGPD, regardless of where in the world they are owned or operated from.
Does it impact you?
In Article 3, it is defined that the LGPD applies to:
data processing within the territory of Brazil,
data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located,
data processing of data collected in Brazil.
This means that the LGPD applies to any individual whose data has been collected or is being processed while inside the territory of Brazil, and not only Brazilian citizens!
The official translation is available here.