With Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (‘LGPD’), now expected to enter into force in August 2020, this webinar examines the similarities and differences between the LGPD and the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) including in relation to scope of application, key definitions, legal bases, controller and processor obligations, data subjects’ rights and enforcement provisions. The webinar also examines practical compliance challenges, and provides insight on what lies ahead for organisations in preparation for the LGPD.
Understanding the scope of the laws
The webinar highlights that both the LGPD and GDPR apply to any data subject, regardless of their nationality or residency. Differences exist, however, with respect to territorial scope: the GDPR applies to organisations that have an ‘establishment’ in the EU, whereas the LGPD applies to data processing operations which are carried out in Brazil. Moreover, both pieces of legislation have an extraterritorial scope. In particular, they apply to organisations that offer goods and services to data subjects in Europe and Brazil, respectively, regardless of where those organisations are located. It should be noted that only the GDPR applies to organisations that, although they have no presence in the EU, monitor the behaviour of individuals in the EU.
Differences in legal bases for processing
The webinar provides detail as to the GDPR’s legal bases to process data, which include consent, legitimate interest, performance of a contract, compliance with a legal obligation, public interest and vital interests of the data subject. The scope of the LGPD is described as ‘wider,’ and contains four more legal bases including: (i) to conduct studies by a research body, guaranteeing, whenever possible, the anonymisation of personal data; (ii) for the regular exercise of rights in judicial, administrative or arbitral proceedings; (iii) for the protection of health, in a procedure conducted by health professionals or by health entities; (iv) when necessary for ‘credit protection.’
Data subject rights
Both the GDPR and the LGPD provide data subjects with the right to object to and restrict the processing of their personal data, and allow individuals to request deletion of their personal information. Additionally, the right of access is recognised in both the GDPR and the LGPD, in that organisations must provide individuals with access to their personal data when requested. There are a number of differences between the two pieces of legislation, including the time period in which an access request must be responded to, the information which must be included in the response and limitations to the right.
Supervisory authorities and enforcement
Both the GDPR and the LGPD provide for the establishment of a supervisory authority with corrective as well as investigative powers. In addition, both laws provide for the possibility of monetary penalties to be issued in cases of non-compliance. However, the nature of the penalties, the amount and who is subject to them differ. For example, the Brazilian data protection authority can issue penalties of up to 2% of an organisation’s revenue, up to a maximum of BRL 50M.
HOW ONETRUST DATAGUIDANCE HELPS
OneTrust DataGuidance provides a suite of privacy solutions designed to help you monitor regulatory developments, mitigate risk, and achieve global compliance. With focused guidance around core topics, comparative Cross-Border Charts, a daily customised news service, and expert analysis, OneTrust DataGuidance provides industry leading solutions to design and support your entire privacy programme.
OneTrust DataGuidance offers a GDPR Benchmarking tool and report, which includes the LGPD. The suite of tools assists organisations in understanding and examining core requirements under each law in order to determine their consistency for gap analysis and assessment, and contributes to the development of global compliance programs.
OneTrust DataGuidance also offers a report comparing the GDPR and LGPD legislation based on their scope, key definitions, legal basis, the rights they provide, and their approach to enforcement. Each topic includes relevant articles and sections from the two laws, a summary of the comparison, and a detailed analysis of the similarities and differences between the two laws.