Brazil - Data Protection Overview
September 2024
1. Governing Texts
Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (LGPD), was passed in 2018 and entered into effect on September 18, 2020.
The LGPD is a comprehensive data protection law that covers the activities of data controllers and processors and establishes requirements for the processing of data subjects' information. It includes provisions on a variety of issues such as data protection officer (DPO) appointments, Data Protection Impact Assessments (DPIAs), data transfers, data breaches, data subject rights, and the establishment of the Brazilian data protection authority (ANPD).
The approval of Constitutional Amendment No. 115 (only available in Portuguese here) to the Constitution of the Federative Republic of Brazil added the individual right to personal data protection to the list of fundamental rights and guarantees, which already included the right to privacy.
1.1. Key acts, regulations, directives, bills
- LGPD
- Law No. 10.406 of January 10, 2002, for the Civil Code (only available in Portuguese here)
- Law No. 8.078 of September 11, 1990, Which Provides for Consumer Protection (only available in Portuguese here) (the Consumer Protection Code)
- Legislative Decree No. 2848 of December 7, 1940, for the Criminal Code (only available in Portuguese here)
- ANPD's Resolution No. 1/2021 of October 28, 2021, for the regulation of the Supervisory and Administrative Sanctioning Process within ANPD (only available in Portuguese here) (ANPD Resolution No. 1/2021)
- ANPD's Resolution No. 2/2022 of January 27, 2022, for the regulation of the applicability of LGPD for small-size data processing agents (only available in Portuguese here) (ANPD Resolution No. 2/2022)
- ANPD's Resolution No. 4/2023 of February 24, 2023, for the regulation of the dosimetry and application of administrative penalties (only available in Portuguese here) (ANPD Resolution No. 4/2023)
- ANPD's Statement No. 1/2023 of May 22, 2023, on the processing of personal data of children and adolescents (only available in Portuguese here) (ANPD Statement No. 1/2023)
- ANPD's Resolution No. 15/2024 of April 24, 2024, for the regulation of the reporting data breaches involving personal data (only available in Portuguese here) (ANPD Resolution No. 15/2024)
- ANPD's Resolution No. 18/2024 of July 16, 2024, for the regulation of the data protection officer (DPO) (only available in Portuguese here) (the DPO Regulation)
- ANPD's Resolution No. 19/2024 of August 23, 2024, for the regulation of international data transfers and the Standard Contractual Clauses (SCCs) (only available in Portuguese here) (the Data Transfer Regulation)
1.2. Guidelines
The ANPD has issued guidance documents. The following are noteworthy:
- Technical Note No. 49/2022 - Technical opinion from the General Inspection Coordination on updating WhatsApp's Privacy Notice (only available in Portuguese here);
- Technical Note No. 4/2023 - Technical opinion from the General Coordination of Technology and Research regarding compliance alignment with the LGPD and its application in the pharmaceutical retail sector (only available in Portuguese here) (Pharmaceutical sector Technical Note);
- Technical Note No. 6/2023 - Technical opinion from the General Inspection Coordination on the processing of personal data of children and adolescents by the social network TikTok when they register on the platform (only available in Portuguese here);
- Guidance on Cookies and Personal Data Protection (Cookies Guideline) (only available in Portuguese here);
- Guidelines to the definition of data processing agents and the data protection officer (version 2.0 – April 2022) (Data Processing Agent's Guideline) (only available in Portuguese here) (the Guidance);
- Guidelines to information security for small-size data processing agents (version 1.0 – October 2021) (only available in Portuguese here) (Small-size agents Guideline);
- Guidelines to the application of the LGPD by data processing agents in the electoral context (2021) (only available in Portuguese here);
- Guidelines to the data processing by public agents (version 1.0 – January 2022) (only available in Portuguese here); and
- Guidelines on the legal basis of Legitimate Interest (version 1.0 – February 2024) (only available in Portuguese here) (Guidelines on Legitimate Interest).
1.3. Case law
In May 2021, a decision issued by the Brazilian Federal Supreme Court (STF) suspended the effect of Provisional Measure No. 954/2018 (only available in Portuguese here), which obligated telecom companies to share the mobile numbers and addresses of their customers with the Brazilian Institute of Geography and Statistics (IBGE) for use in official statistics. The grounds for the court's decision recognized the right to data protection as an autonomous and fundamental right, an important milestone in the Brazilian legal privacy landscape.
In March 2023, the Brazilian Superior Court of Justice (STJ) adopted an unprecedented decision in which it held that the leak of simple personal data does not, by itself, give rise to compensation for moral damages. The ministers judged the case of a customer of the energy concessionaire Enel São Paulo, who sought compensation for the leak and improper sharing of her personal data. The first-instance judgment denied the request but was reversed by the Court of Justice of the State of São Paulo. On appeal, the company took the matter to the STJ, which held that the leaked information is of the kind provided in any registration form and is not protected by secrecy, and that, for this very reason, access by third parties would not violate the personality rights of the data subject. In the words of the rapporteur minister, 'the leak of personal data, despite being an undesirable failure in the processing of data of a natural person by a legal entity, does not have the power, by itself, to generate compensable moral damage. That is, moral damage is not presumed, and it is necessary that the data subject prove any damage arising from the exposure of such information.'
2. Scope of Application
2.1. Personal scope
The LGPD provides for the processing of personal data, including by digital means, by a natural person or a legal entity of either public or private law, with the purpose of protecting the fundamental rights of freedom and privacy as well as the free development of the personality of the natural person (Article 1 of LGPD).
2.2. Territorial scope
The LGPD has extraterritorial application, being applicable to any individual or legal entity governed by public or private law irrespective of the means, the country in which its headquarters is located, or the country in which the data is located, provided that (Article 3 of the LGPD):
- the processing operation is carried out in the national territory;
- the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located in the national territory; and
- the personal data being processed was collected in the national territory.
According to Article 3(§1) of the LGPD, data collected in the national territory is considered to be those whose data subject is in the national territory at the time of collection, regardless of nationality, residence, or citizenship.
2.3. Material scope
The LGPD applies to the processing of personal data, including by digital means, carried out by a natural person or by a public or private legal entity (Article 1 of the LGPD). The following data processing activities are exempted from the application of the LGPD (Article 4 of the LGPD):
- processing carried out by a natural person, exclusively for private and non-economic purposes;
- processing for journalistic and artistic purposes;
- processing for academic purposes (but observing the rules foreseen in Articles 7 and 11 of the LGPD);
- processing carried out with the exclusive purpose of public safety, national defense, state security, or the investigation and prosecution of criminal offenses; or
- processing of personal data originating outside of Brazil, from countries that provide an adequate level of data protection (compared with the LGPD), provided that this personal data is not shared or communicated with Brazilian processing agents.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The main regulator for data protection is the Brazilian data protection authority (ANPD), which is responsible for the enforcement of the LGPD.
3.2. Main powers, duties and responsibilities
The ANPD is responsible for the enforcement of the LGPD and has the following powers available to ensure the protection of individuals' data (Article 55-J of the LGPD):
- supervise the protection of personal data, including by conducting inspections or determining that they be carried out;
- guarantee the observance of commercial and industrial secrets, with due respect for the protection of personal data and the secrecy of information when protected by law or when the breach of secrecy violates the fundamentals of the LGPD;
- develop guidelines for the protection of personal data and national privacy policy;
- receive and process data subject claims against the controllers (after being submitted to the controller and not solved according to the LGPD);
- decide how data processing agents could be transparent regarding personal data processing activities;
- request, from public authorities that carry out personal data processing activities, information regarding the scope and nature of the data and other details of the processing, with the possibility to issue technical opinions to ensure compliance with the LGPD;
- amend privacy and personal data protection regulations and procedures, including regarding DPIAs;
- listen to data processing agents and society in matters of relevant interest;
- collect and apply its revenue and publish a detailed report regarding its revenue and expenses;
- conclude agreements with data processing agents to eliminate irregularities, legal uncertainties, or litigious situations in administrative proceedings;
- enact rules, guidelines, and simplified procedures, including regarding deadlines, for small and micro companies, start-ups, and innovative businesses to help them achieve compliance with the LGPD;
- ensure that processing activities of personal data from elderly people are carried out in a simple, clear, accessible, and adequate manner to their understanding;
- decide, at an administrative level, on the LGPD's interpretation, its competencies, and cases in which it is silent;
- implement simplified mechanisms, including by electronic means, for the registration of complaints about personal data processing that is non-compliant with the LGPD;
- inspect and sanction cases of data processing that are non-compliant with the LGPD through administrative proceedings that ensure the right to adversary proceedings, full defense, and the right to appeal;
- report to the appropriate authorities the criminal offenses that come to their knowledge;
- report to the internal affairs bodies any non-compliance with the LGPD by bodies and entities of federal public administration;
- disseminate throughout society knowledge about legal norms and policy on personal data protection and its security measures;
- encourage the adoption of standards for services and products that facilitate the control and the protection of personal data by their subjects, considering the specificities of the activities and the size of controllers;
- prepare studies about national and international practices on personal data protection and privacy;
- promote actions of cooperation with personal data protection authorities from other countries, of international or transnational nature;
- connect with government regulators in the exercise of their authority in specific areas of regulated economic and governmental activity; and
- draft management reports on its annual activities.
4. Key Definitions
Data controller: Natural person or legal entity, governed by public or private law, in charge of making decisions about the processing of personal data (Article 5(VI) of LGPD).
Data processor: Natural person or legal entity, governed by public or private law, which processes personal data in the name of the controller (Article 5(VII) of LGPD).
Personal data: Information related to an identified or identifiable natural person (Article 5(I) of LGPD).
Sensitive data: Personal data on racial or ethnic origin, religious belief, political opinion, trade union or religious affiliation, or philosophical or political organization membership, as well as data relating to health or sex life, or genetic or biometric data, when related to a natural person (Article 5(II) of LGPD).
Health data: There is no definition under the law.
Biometric data: There is no definition under the law.
Pseudonymization: The processing by means of which data loses the possibility of direct or indirect association with an individual, except through the use of additional information kept separately by the controller in a controlled and secure environment (Article 13(§4º) of LGPD).
Data protection officer: Person appointed by the controller and processor to act as a communication channel between the controller, data subjects, and the ANPD (Article 5(VIII) of LGPD).
Anonymization: Use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of a direct or indirect association to an individual (Article 5(XI) of LGPD).
5. Legal Bases
5.1. Consent
Consent must be a free, informed, and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose, and can be applied to 'regular' personal data, sensitive personal data, and data processing activities involving children and adolescents (Articles 7, 11, and 14 of the LGPD). In addition, where sensitive data is processed on the basis of consent, the consent must be obtained in a specific and highlighted form, as provided in Article 11(I) of the LGPD. It is recommended that the authorization be presented separately from the main text or, alternatively, that resources be used to highlight the consent and to indicate which sensitive data will be collected and for which specific purpose it will be used by the processing agent.
Regarding consent, the ANPD in its Cookies Guidance points out that:
Free: The freedom of consent is conditioned on the effective possibility of the data subject accepting or refusing the use of their data, without negative consequences or interventions by the controller that may vitiate or impair their manifestation of will. Thus, 'forced' consent, which is conditioned on full acceptance of the conditions without effective options being offered to the data subject, is invalid.
Informed: Consent must also be informed, requiring that the data subjects be presented with all the necessary information to make an informed assessment and decision. Thus, the data subject must be provided with clear, precise, and easily accessible information about the form of the processing, the retention period, and the specific purposes that justify the collection of their data, among other information indicated in Article 9 of the LGPD.
Any change in the purposes adopted to obtain consent changes the legal assumption adopted, requiring new consent by the data subject, or the use of another legal basis, according to the new purpose established and with all the necessary information for this purpose. Consent must also be unequivocal, which requires obtaining a clear and positive manifestation of will from the data subject, not being based on inference or obtained in a tacit way or from an omission from the data subject. Therefore, the use of pre-selected authorization options or the adoption of tacit consent mechanisms is not recommended.
It is important to note that it is the controller's responsibility to prove that consent has been obtained respecting all the parameters established by the LGPD (Article 8 (§2) of the LGPD). Thus, it is good practice to record and document all the requirements necessary to prove that the consent is unbiased and contains all the necessary information.
5.2. Contract with the data subject
Applicable to data processing activities necessary for the execution of a contract, or of preliminary procedures related to a contract, to which the data subject is a party, at the request of the data subject (Article 7(V) of the LGPD). This legal basis does not apply to sensitive personal data.
5.3. Legal obligations
Personal data and sensitive data can be processed for compliance with a legal or regulatory obligation by the controller (Article 7(II) and Article 11(II)(a) of the LGPD).
5.4. Interests of the data subject
There is no specific legal basis for processing personal data to pursue the interests of the data subject. However, the legitimate interest of the data controller can be applied in situations to protect the regular exercise of their rights or the provision of services that benefit them.
For more details, please see the section on the legitimate interests of the data controller below.
5.5. Public interest
There are no specific legal bases to process personal data to pursue public interests. However, public administration can process personal data when necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments (Article 7(III) of the LGPD).
For sensitive personal data (Article 11 (II)(b) of the LGPD), the shared processing of data necessary for the execution by the public administration of public policies provided for in laws or regulations is permitted.
5.6. Legitimate interests of the data controller
The legitimate interest of the data controller or third parties cannot be applied to process sensitive data, and when supporting a processing activity on this legal basis the data controller needs to (Article 7(IX) and Article 10 of the LGPD):
- guarantee that the legitimate interest is based on legitimate purposes;
- guarantee that the legitimate interest pursued does not override the fundamental rights and freedoms of the data subject;
- guarantee that the personal data being processed is strictly necessary for the intended purpose;
- adopt measures to ensure transparency of data processing based on its legitimate interests; and
- guarantee that the data subject has a reasonable expectation in relation to the processing activity.
Regarding legitimate interests, the ANPD in its Cookies Guidance points out that:
- the interest of the controller will be considered legitimate when it is compatible with the legal system and does not conflict with the provisions of the law. The controller must assess, prior to entering into any transaction based on legitimate interest, whether, in the case in question, the fundamental rights and freedoms of the data subject that require protection of personal data prevail and therefore prevent the processing from taking place;
- it is important to prove the adoption of technical and administrative measures capable of safeguarding the operation and the data used, ensuring the security of the processing and transparency for the data subjects; and
- in order for processing to be appropriate, the controller must be sure that the intended use does not infringe rights and freedoms and could be reasonably foreseen by the data subject, that is, that it would be possible for the data subject to suppose that the use could occur with their personal data from the information provided by the controller at the time of collection of the personal data.
In its Guidelines on Legitimate Interest, the ANPD states that the legitimate interest must be:
- compatible with the legal system;
- based on concrete situations;
- related to legitimate, specific, and explicit purposes; and
- clearly and precisely described.
ANPD clarifies that the legitimate interest of a third party may be that of any natural or legal person or group of persons other than the controller.
Finally, the ANPD suggests that a Legitimate Interest Assessment be conducted for activities based on this legal basis.
5.7. Legal bases in other instances
Other legal bases to process personal data are (Article 7 and Article 11 of the LGPD):
- for carrying out studies by research bodies;
- regular exercise of rights in judicial or administrative lawsuits or arbitration proceedings;
- regular exercise of rights in a contract (specific for sensitive data);
- protection of the life or of the physical safety of the data subject or a third party;
- credit protection, which cannot be applied to sensitive data;
- fraud prevention and to guarantee security to the data subject (specific for sensitive data); and
- protection of health, only applying however to procedures carried out by health professionals, health services, or sanitary authorities.
6. Principles
Article 6 of the LGPD provides that any personal data processing activity must observe the following principles:
- good faith;
- purpose: processing for legitimate, specific, and explicit purposes informed to the data subject, without any possibility of further processing inconsistent with these purposes;
- adequacy: compatibility of the processing with the purposes informed to the data subject, in accordance with the context of the processing;
- necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering data that is relevant, proportionate, and non-excessive in relation to the purposes of the data processing;
- free access: guarantee to the data subjects of facilitated and free-of-charge consultation about the form and duration of the processing, as well as about the completeness of their personal data;
- data quality: guarantee to the data subjects of the accuracy, clarity, relevancy, and updating of the data, in accordance with the need and for achieving the purpose of the processing;
- transparency: guarantee to the data subjects of clear, precise, and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy;
- security: use of technical and administrative measures able to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination;
- prevention: adoption of measures to prevent the occurrence of damage as a result of the processing of personal data;
- non-discrimination: the impossibility of processing data for discriminatory, unlawful, or abusive purposes; and
- accountability: demonstration, by the controller or processor, of the adoption of effective measures capable of proving observance of and compliance with the personal data protection rules, as well as of the effectiveness of these measures.
7. Controller and Processor Obligations
7.1. Data processing notification
There is no obligation to notify data processing activities.
7.2. Data transfers
The international transfer of personal data is permitted solely in the following cases (Article 33 of the LGPD):
- to countries or international organizations that provide an appropriate level of protection of personal data provided for by the LGPD;
- when the controller provides and demonstrates guarantees of compliance with the principles and rights of the data subject and data protection regime established in the LGPD, in the form of:
- specific contractual sections for a given transfer;
- Standard Contractual Clauses (SCCs);
- Binding Corporate Rules (BCRs); and
- seals, certificates, and codes of conduct regularly issued;
- when the transfer is required for international legal cooperation between government intelligence, investigations, and police bodies, in accordance with international law instruments;
- when the transfer is required for the protection of the life or physical integrity of the data subject or any third party;
- when the ANPD authorizes such transfer;
- when the transfer results in a commitment undertaken under an international cooperation agreement;
- when the transfer is required for the enforcement of a public policy or legal attribution of the public utility, upon disclosure of the provisions of item I of the main provision of Article 23 of the LGPD;
- when the data subject has provided specific and highlighted consent for such transfer, with prior information on the international nature of the operation, clearly distinguishing it from any other purposes;
- when necessary to comply with a legal or regulatory obligation by the controller;
- when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject; or
- to allow the regular exercise of rights in judicial, administrative, or arbitration procedures.
There are no specific requirements for outsourcing. It is not prohibited under the LGPD; however, if it involves cross-border transfers of personal data, the rules under the LGPD must be observed.
Data Transfer Regulation:
On August 23, 2024, the ANPD issued the Data Transfer Regulation, regulating international data transfers and approving standard contractual clauses (SCCs). The Data Transfer Regulation introduces significant changes to the framework for cross-border data transfers, such as:
- Scope: The Data Transfer Regulation governs data transfers to countries or international organizations deemed adequate by the ANPD and those relying on appropriate safeguards, such as SCCs, Binding Corporate Rules (BCRs), and specific contractual clauses;
- Adequacy Decisions: The ANPD can issue adequacy decisions for countries or international organizations ensuring a level of data protection comparable to Brazil's. The assessment considers factors like legislation, enforcement mechanisms, and judicial redress;
- SCCs: The Data Transfer Regulation introduces ANPD-approved SCCs that organizations can use for data transfers. These SCCs provide minimum safeguards for data subject rights and are mandatory for transfers falling under their scope;
- Binding Corporate Rules (BCRs): BCRs are permitted for intra-group data transfers. Organizations must demonstrate compliance with the LGPD's principles and data subject rights;
- Specific Contractual Clauses: In exceptional circumstances, controllers can request the ANPD to approve specific contractual clauses if SCCs are unsuitable;
- Transparency and Accountability: Controllers must provide transparent information to data subjects about international transfers, including details about the transfer, safeguards, and their rights. They must also maintain records of processing activities;
- Data Subject Rights: Data subjects have the right to information, access, rectification, erasure, and objection regarding their transferred data;
- Data Breach Notification: The Data Transfer Regulation emphasizes the obligation to report data breaches involving international transfers to the ANPD and affected individuals; and
- Liabilities: Controllers and processors are accountable for compliance with the Data Transfer Regulation. The ANPD can impose administrative sanctions for violations.
Transition Period:
Organizations have a 12-month transition period from the Data Transfer Regulation's publication date to incorporate the ANPD-approved SCCs into their contracts.
7.3. Data processing records
The controller and the processor must maintain a record of the personal data processing operations they carry out, especially where they are based on a legitimate interest (Article 37 of the LGPD). There are no requirements as to what information must be recorded in these records.
For small-size data processing agents (as defined by ANPD Resolution No. 2/2022), in June 2023 the ANPD made available a simplified template to comply with the obligation to register the data processing activities (only available in Portuguese here).
7.4. Data protection impact assessment
The ANPD may require the controller to prepare a DPIA relating to its data processing operations, as provided for by the regulations, with due regard to commercial and industrial secrecy (Article 10(§3º) of the LGPD). The DPIA must contain at least a description of the types of data collected, the methodology used for collection and for guaranteeing the security of the information, and the controller's analysis of the measures, safeguards, and risk mitigation mechanisms adopted (Article 38 of the LGPD).
On April 6, 2023, the ANPD published a new page on its website with clarifications on the DPIA, containing 15 questions and answers on the subject (only available in Portuguese here), but has not yet regulated this matter.
7.5. Data protection officer appointment
A DPO must be appointed by controllers. The ANPD may exempt controllers from appointing a DPO according to the nature and size of the entity or the volume of data processing operations (Articles 41 and 41(§3º) of the LGPD). The identity and contact details of the DPO must be publicly, clearly, and objectively disclosed, preferably on the controller's website.
In July 2024, the ANPD issued the DPO Regulation, which regulates the role and activities of DPOs. Key takeaways from this resolution include:
- Formal Appointment: The DPO must be formally appointed in a written document outlining their roles and responsibilities. This document should be made available to the ANPD upon request;
- Substitutes: The appointment document should also designate a formal substitute for the DPO in case of absence, impediment, or vacancy;
- Public Sector DPOs: Public entities subject to Law No. 12.527/2011 (the Access to Information Law) (only available in Portuguese here) must appoint a DPO if they process personal data. The appointment should preferably fall on civil servants or public employees with an unblemished reputation;
- DPO for Data Processors: While not mandatory, appointing a DPO is considered a best practice for data processors and may be considered a positive factor in demonstrating compliance with the LGPD;
- Qualifications: The controller is responsible for determining the necessary professional qualifications for the DPO, considering their knowledge of data protection legislation and the context of the organization's data processing activities;
- Resources: Controllers must provide the DPO with the necessary human, technical, and financial resources to perform their duties effectively. This includes ensuring their autonomy and access to high-level decision-makers within the organization; and
- Conflict of Interest: The DPO must act with ethics, integrity, and technical autonomy, avoiding conflicts of interest. They must disclose any potential conflicts to the controller, who is responsible for taking appropriate measures to prevent or mitigate such conflicts. This may involve not appointing the individual as DPO, implementing safeguards, or replacing the designated DPO.
Activities of the DPO
The activities of the DPO are further detailed in the DPO Regulation and include:
- Accepting and responding to data subject requests: This includes receiving and processing requests related to data subject rights, providing clarifications, and taking appropriate action;
- Receiving communications from the ANPD: The DPO acts as the primary point of contact between the controller and the ANPD, receiving and responding to communications, and ensuring compliance with regulatory requests;
- Providing guidance and training: The DPO is responsible for educating and training employees and contractors on data protection practices, policies, and procedures;
- Assisting with data protection initiatives: The DPO plays a key role in implementing and maintaining data protection initiatives, such as:
  - Data Protection Impact Assessments (DPIAs): Assisting with the development and implementation of DPIAs for high-risk processing activities;
  - Data breach management: Developing and implementing data breach response plans, including notification procedures;
  - Data processing records: Establishing and maintaining records of data processing activities;
  - Data protection policies and procedures: Developing and implementing internal data protection policies and procedures; and
- Monitoring compliance: The DPO is responsible for monitoring the controller's compliance with data protection legislation and regulations, identifying potential risks, and recommending corrective actions.
Small-size data processing agents
Small-size data processing agents (as defined by ANPD Regulation No. 2/2022) are exempt from the obligation to appoint a DPO, although appointing one will be considered an application of best practices and data protection governance, as stated in Article 52(§1º) (IX) of LGPD, in conjunction with Article 11 (§2) of ANPD Regulation No. 2/2022.
7.6. Data breach notification
The controller must notify the ANPD and data subjects of the occurrence of any security incident that may result in any relevant risk or damage to the data subjects (Article 48 of LGPD).
Rules on data breach notifications were laid down in ANPD Resolution No. 15/2024. The ANPD clarified that a security incident capable of causing significant risk or harm to data subjects is one that may significantly affect the interests and fundamental rights of data subjects and, in addition, involves sensitive personal data; data of children, adolescents, or the elderly; financial data; authentication data in systems; data protected by legal, judicial, or professional secrecy; or data processed on a large scale.
The communication to the ANPD must be made by the controller within three working days from the day on which the controller becomes aware that the security incident involved personal data (Article 6 (§1) of ANPD Resolution No. 15/2024), and must contain the following information:
- a description of the nature and category of personal data affected;
- the number of data subjects affected, detailing, where applicable, the number of children, adolescents or elderly people;
- the technical and security measures used to protect personal data, adopted before and after the incident, with due regard for commercial and industrial secrets;
- the risks related to the incident, identifying possible impacts on data subjects;
- the reasons for the delay, in the event that the communication has not been made within three working days;
- the measures that have been or will be adopted to reverse or mitigate the effects of the incident on the data subjects;
- the date on which the incident occurred when this can be determined, and the date on which the controller became aware of it;
- the details of the DPO or whoever represents the controller;
- identification of the controller and, if applicable, a declaration that it is a small processing agent;
- identification of the processor, where applicable;
- a description of the incident, including the main cause, if this can be identified; and
- the total number of data subjects whose data is processed in the processing activities affected by the incident.
The information may be supplemented, in a reasoned manner, within 20 working days from the date of the first communication. For small-size data processing agents (as defined by ANPD Regulation No. 2/2022), ANPD Resolution No. 15/2024 establishes that these deadlines are doubled.
There may be specific rules for regulated sectors that also oblige the agent to notify other authorities in the event of a security incident. These standards must be observed.
The communication to the data subject must also be made within three working days and must contain the information set out in Article 9 of ANPD Resolution No. 15/2024.
The ANPD also released an orientation and security incident reporting form (only available in Portuguese here).
7.7. Data retention
Each sector has its own rules on data retention. The LGPD only sets forth that data shall be stored for the shortest period of time possible and cannot be processed after the purpose of its processing has been accomplished. Moreover, the ANPD may regulate the period of time for which controllers and processors must keep their records of processing activities (Article 40 of LGPD).
7.8. Children's data
The processing of personal data of children and adolescents must be carried out in their best interest (Article 14 of LGPD). According to the Brazilian Child and Adolescent Statute (only available in Portuguese here), children are defined as individuals under 12 years of age, and adolescents as individuals older than 12 but younger than 18 years of age.
Also, to process the personal data of children, the LGPD requires the collection of specific and explicit consent provided by at least one of the parents or legal guardians. An exception applies when the collection is necessary to contact the parents or legal guardian (used a single time and without storage) or for the child's protection; in such cases the data cannot be transferred to third parties under any circumstance without the aforementioned consent (Article 14(§1) of the LGPD).
However, on May 22, 2023, the ANPD published Statement No. 1/2023, establishing that the processing of personal data of children and adolescents can be carried out based on any of the legal bases provided in Article 7 or Article 11 of the LGPD, as long as their best interest is observed and prevails, to be evaluated in the specific case, under the terms of Article 14 of the LGPD. The Statement is a deliberative instrument whose purpose is to interpret the personal data protection legislation; it is an act of the ANPD and has binding effects on the ANPD.
In the Guidelines on Legitimate Interest, the ANPD recommended carrying out a balancing test, similar to the assessment of legitimate interests, as a method to assess the existence of the best interests of the child and/or adolescent.
7.9. Special categories of personal data
Controllers are also required to have an appropriate legal basis in order to be allowed to process sensitive personal data, as summarized below (Article 11 of the LGPD):
- consent;
- compliance with a legal or regulatory obligation;
- shared processing of data necessary for the execution, by the public administration, of public policies provided for in laws or regulations;
- for carrying out studies by research bodies;
- regular exercise of rights in lawsuits or administrative or arbitration proceedings or in a context of a contract;
- protection of the life or of physical safety;
- protection of health (only applied to procedures carried out by health professionals, health services, or sanitary authorities); and
- fraud prevention and guaranteeing the security of the data subject.
7.10. Controller and processor contracts
There are no specific rules on controller and processor agreements under the LGPD; the only requirement is that a data processor must follow all the instructions provided by the data controller. It is for the data controller to verify compliance with its instructions and with the regulations related to data protection. It is worth mentioning that the ANPD emphasizes that the position of a data processing agent as a controller or processor is determined by its concrete actions in a specific context and not by a formal designation (for example, in a contract).
8. Data Subject Rights
The LGPD establishes the following rights for data subjects (Article 18 of the LGPD):
- confirmation of the existence of processing;
- access to data;
- correction of incomplete, inaccurate, or outdated data;
- anonymization, blocking, or elimination of unnecessary or excessive data or of data processed in non-compliance with the provisions of the LGPD;
- portability of the data to other service providers or suppliers of products, by the means of an express request, pursuant to the regulations of the ANPD, and subject to commercial and industrial secrecy;
- elimination of the personal data processed with the consent of the data subjects, except in the cases set forth in Article 16 of the LGPD;
- information on the public and private entities with which the controller has shared data;
- information on the possibility of not providing consent and on the consequences of such denial;
- revocation of the consent, pursuant to the provisions of Article 8(5) of the LGPD; and
- review of decisions based on the processing of personal data carried out exclusively by automated means.
The rights of confirmation of the existence of processing and access to data must be addressed by the controller immediately, in a simplified format, or within 15 days, in a clear and complete declaration (Article 19(II) of LGPD). For the other data subject rights, the ANPD must regulate the appropriate timeframe to be observed by data controllers (Article 19 (§4º) of the LGPD).
In February 2024, the ANPD opened a public consultation in which society could contribute by answering questions for the drafting of a normative proposal aimed at regulating data subjects' rights. The aim was to receive contributions on aspects related to the form, deadlines, and operationalization of the exercise of rights by data subjects, as well as on the procedures for their operationalization by controllers. The public consultation ended in March 2024, and it is hoped that a version of the regulation will soon be available.
8.1. Right to be informed
The LGPD specifies that data subjects have the right of access to information concerning the processing of their personal data (Article 9 of the LGPD). The LGPD does not explicitly refer to a difference in requirements for the right to be informed when personal data is obtained directly from the data subject or third party.
8.2. Right to access
The LGPD provides that data subjects have the right to obtain, at any time and by means of request, information regarding the data subject's personal data that is being processed (Article 18 of the LGPD).
8.3. Right to rectification
The LGPD provides that data subjects have the right to the correction of incomplete, inaccurate, or out-of-date data, at any time and by means of request (Article 18(III) of the LGPD).
8.4. Right to erasure
This right is to be exercised upon request when the processing is considered unnecessary or excessive, or when the data is processed in non-compliance with the provisions of the LGPD. Also, data subjects have the right to request the removal of their personal data processed on the legal basis of consent (Article 18(VI) of the LGPD), with an exception applied to data stored for:
- compliance with legal or regulatory obligations by the controller;
- studies by a research body, ensuring, whenever possible, the anonymization of personal data; and
- transfer to third parties, provided that this complies with the data processing requirements set forth by the LGPD.
8.5. Right to object/opt-out
In case of non-compliance with the LGPD, data subjects have the right to object to processing activities based on a legal basis other than consent (Article 18(§ 2º) of the LGPD).
8.6. Right to data portability
The data subject has the right to request the review of decisions made solely based on automated processing of personal data affecting their interests, including decisions intended to define their personal, professional, consumer, and credit profile, or aspects of their personality (Article 20 of the LGPD).
8.7. Right not to be subject to automated decision-making
The LGPD does not entitle the data subject not to be subject to automated decision-making. However, the LGPD outlines that a data subject can request the blocking of unnecessary or excessive data or of data processed in non-compliance with the provisions of the LGPD (Article 18(IV) of the LGPD). Under the LGPD, the right to restriction is referred to as 'blocking', which the LGPD defines as the temporary suspension of any processing operation, by means of retention of the personal data or the database (Article 5(XIII) of the LGPD).
Finally, the controller may be required to provide the criteria used in automated decision-making and may undergo audits to be carried out by the ANPD to evaluate such criteria, respecting its commercial and industrial secrets (Article 20(§1) (§2) of the LGPD).
8.8. Other rights
Not Applicable.
9. Penalties
Under the LGPD, the following sanctions may be imposed (Article 52 of the LGPD):
- warnings, with an indication of a term for the adoption of corrective measures;
- simple fines of up to 2% of the sales revenue of the legal entity of private law, group, or conglomerate in Brazil in its last fiscal year, excluding taxes, limited, in the aggregate, to BRL 50 million (approx. $9.1 million) per infraction;
- daily fines, with due regard for the total limit referred to in the previous item;
- disclosure of the infraction after it has been duly investigated and its occurrence has been confirmed;
- blockage of the personal data to which the infraction relates, until its regularization;
- elimination of the personal data to which the infraction relates;
- partial suspension of the functioning of the databases which are the subject of the non-compliant action for up to six months, extendable for a further six months;
- suspension of the exercise of the personal data processing activity to which non-compliance refers, for up to six months, extendable for a further six months; and
- partial or total prohibition to execute activities related to data processing.
The sanctions will be applied after an administrative procedure (according to ANPD Resolution No. 01/2021) that allows for the opportunity of broad defense, in a gradual, isolated, or cumulative manner, according to the peculiarities of the concrete case and considering the following parameters and criteria:
- gravity and nature of the infractions and the personal rights affected;
- violator's good faith;
- the advantage obtained or intended by the violator;
- the economic condition of the violator;
- recidivism;
- degree of the damage;
- cooperation of the violator;
- reiterated and proven adoption of internal mechanisms and procedures capable of minimizing the damage;
- adoption of a policy of good practices and governance;
- prompt adoption of corrective measures; and
- proportionality between the seriousness of the fault and the intensity of the sanction.
The application of administrative sanctions will occur based on clear and established requirements, according to the criteria and parameters for pecuniary and non-pecuniary sanctions by the ANPD, as well as the forms and metrics for calculating the basic amount of the fines defined by Resolution No. 4/2023.
9.1 Enforcement decisions
Since the publication of ANPD Resolution No. 4/2023, the ANPD has already imposed several sanctions, most of them against public entities and due to violations of security measures and incident reporting duties. The sanctions applied take into account the conduct of the controller and processor in reducing the effects of the infraction and adapting to the legal principles (good faith, cooperation, the prompt adoption of corrective measures, and the adoption of a policy of good practices and governance are essential elements).
The first fine involved Telekall Inforservice and the imposition of:
- a warning, without corrective measures, for the lack of appointment of the DPO (violation of Article 41 of the LGPD);
- a fine of BRL 7,200 (approx. $1,310), for the absence of a legal basis to adequately support the data processing activity (violation of Article 7 of the LGPD); and
- a fine of BRL 7,200 (approx. $1,310), for failing to cooperate with the investigation (violation of Article 5 of the Resolution No. 1/2021).
For the State Department of Education of the Federal District (SEEDF), the ANPD has issued a warning for the following conduct:
- for failing to keep a record of data processing operations, as required by Article 37 of the LGPD;
- for not drawing up a DPIA following a request from the ANPD, in accordance with Article 38 of the LGPD;
- for failing to notify data subjects of the occurrence of a security incident, pursuant to Article 48 of the LGPD; and
- for failing to submit relevant information to the ANPD for the evaluation of personal data processing activities within the deadline set by the ANPD (Article 5 of ANPD Resolution No. 1/2021).
In total, seven inspection processes have already been concluded with the imposition of the respective sanctions. On the ANPD's website, there is a list of the cases that are still being conducted (only available in Portuguese here).