Get compliant with LGPD with Ayottaz

Understand if your business is impacted by Lei Geral de Proteção de Dados Pessoais or LGPD

What is LGPD?

The Brazilian General Data Protection Law, the Lei Geral de Proteção de Dados Pessoais (LGPD), can be considered Brazil’s answer to the GDPR: the Brazilian law aligns with the European Regulation in many ways while differing in others. It is intended to replace or supplement Brazil’s current dispersed legal landscape (of over 40 federal sector-based norms) with one main regulatory framework.

The LGPD aims at creating a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors.

In general terms, you can likely assume that the LGPD will apply to you if you either process the personal data of people located in Brazil or process the personal data of anyone, regardless of nationality, within the Brazilian territory.

Who does LGPD apply to?

As with the GDPR, the LGPD has a territorial scope that extends outside of Brazil. This means that you may have to comply even if you or your business are not based in Brazil. In practical terms, the LGPD applies to you if:

  • your data processing activities are carried out in Brazil (e.g. you use servers based in Brazil);
  • you offer or supply goods or services to persons located in Brazil, regardless of their nationality; or
  • you process data which refer to individuals located in Brazil (even if the person was only in Brazil at the time of the collection of the data and has since changed locations).

Data Controller

A natural or legal person that is in charge of making decisions regarding the processing of personal data as defined under LGPD.

Data Processor

A natural person or legal entity, of public or private law, that processes personal data in the name of the controller.

The LGPD applies to data controllers and data processors, together referred to as processing agents, who may be businesses, public bodies, institutions or not-for-profit organisations.

What does LGPD mean for businesses?

In general terms, you can likely assume that the LGPD will apply to you if you either process the personal data of people located in Brazil or process the personal data of anyone, regardless of nationality, within the Brazilian territory. The LGPD also applies, irrespective of the location of an entity’s headquarters, or the location of the data being processed, if the purpose of an entity’s processing activity is to offer or provide goods or services to individuals located in Brazil.

Rights under LGPD

What are the penalties under LGPD?

Under the LGPD, companies can be fined up to 2% of the previous year's gross revenue or R$50 million (around $9 million USD), whichever is higher. This is known as a simple fine. However, repeat offenders could face a daily fine instead. These companies are fined a set amount for every day they're in breach of the Act, up to a total maximum of R$50 million.

Ayottaz can simplify your LGPD compliance journey

There’s no ‘one size fits all’ approach to preparing for LGPD. Rather, each business needs to know exactly what must be achieved to comply, and which data controller has taken responsibility for ensuring it happens. You are expected to put into place comprehensive but proportionate governance measures.

That could be the responsibility of an individual in a small business, or even a whole department in a multinational corporation. Either way, budgets, systems and personnel will all need to be considered to make it work.

Under LGPD provisions, companies need to implement appropriate technical and organisational measures. These could include data protection provisions (staff training, internal audits of processing activities, and reviews of HR policies), technical updates, mapping of your data, and ongoing documentation of processing activities.

 

Connect with us now for your initial LGPD consultation

Find a product or service now to become LGPD compliant
