Brazil - Data Protection Overview
1. Governing Texts
The Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') was passed in 2018 and entered into effect on 18 September 2020.
The LGPD is a comprehensive data protection law that covers the activities of data controllers and processors and creates requirements for the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer ('DPO') appointments, Data Protection Impact Assessments ('DPIA'), data transfers, data breaches, and the establishment of the Brazilian data protection authority ('ANPD').
Constitutional Amendment No. 115 (only available in Portuguese here) to the Constitution of the Federative Republic of Brazil added the right to the protection of personal data to the constitutional list of fundamental rights and guarantees.
1.1. Key acts, regulations, directives, bills
- Law No. 10.406 of 10 January 2002, the Civil Code (only available in Portuguese here);
- Law No. 8.078 of 11 September 1990, which provides for consumer protection (only available in Portuguese here) ('the Consumer Protection Code'); and
- Decree-Law No. 2.848 of 7 December 1940, the Criminal Code (only available in Portuguese here).
1.2. Guidelines
The ANPD has issued the following guidance:
- Guidelines on the definition of data processing agents and the data protection officer (version 2.0, April 2022) (only available in Portuguese here) ('the Guidance');
- Guidelines on information security for small size data processing agents (version 1.0, October 2021) (only available in Portuguese here) ('the Small Size Agents Guideline');
- Guidelines on the application of the LGPD by data processing agents in the electoral context (2021) (only available in Portuguese here); and
- Guidelines on data processing by public agents (version 1.0, January 2022) (only available in Portuguese here).
1.3. Case law
In May 2020, a decision of the Brazilian Federal Supreme Court ('STF') suspended the effects of Provisional Measure No. 954/2020 (only available in Portuguese here), which obliged telecom companies to share the mobile numbers and addresses of their customers with the Brazilian Institute of Geography and Statistics ('IBGE') for use in official statistics. The grounds of the decision recognised the right to data protection as an autonomous and fundamental right, an important milestone in the Brazilian privacy landscape.
2. Scope of Application
2.1. Personal scope
The LGPD governs the processing of personal data, including by digital means, by a natural person or a legal entity of either public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person (Article 1 of the LGPD).
2.2. Territorial scope
The LGPD has extraterritorial application: it applies to any individual or legal entity governed by public or private law, irrespective of the means used, the country in which its headquarters is located, or the country in which the data is located, provided that any one of the following conditions is met (Article 3 of the LGPD):
- the processing operation is carried out in the national territory;
- the processing activity is aimed at offering or providing goods or services to, or at processing the data of, individuals located in the national territory; or
- the personal data being processed was collected in the national territory.
Article 3(§1) of the LGPD states that data collected in the national territory is data whose subject is in the national territory at the time of collection.
2.3. Material scope
The LGPD applies to the processing of personal data, including by digital means, carried out by a natural person or by a public or private legal entity (Article 1 of the LGPD). The following data processing activities are exempt from the LGPD (Article 4 of the LGPD):
- processing carried out by a natural person exclusively for private and non-economic purposes;
- processing carried out exclusively for journalistic and artistic purposes;
- processing for academic purposes (subject to the rules in Articles 7 and 11 of the LGPD);
- processing carried out exclusively for the purposes of public safety, national defence, state security, or the investigation and prosecution of criminal offences; or
- processing of personal data originating outside Brazil that is not communicated to or shared with Brazilian processing agents, nor the object of an international transfer to a country other than the country of origin, provided that the country of origin offers a level of personal data protection adequate to that of the LGPD.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The ANPD is the main regulator. The ANPD is a body of the federal public administration, part of the Presidency of the Republic, and is composed of (Article 55-C of the LGPD):
- the board of directors, as its highest governing body;
- the National Council for Personal Data Protection and Privacy;
- an internal affairs office;
- an ombudsman's office;
- a legal advisory body; and
- the administrative and specialised units required for the enforcement of the LGPD.
The board of directors of the ANPD is composed of five directors, including the President Director, all nominated by the President of the Republic. They must be Brazilians of unblemished reputation, with a high level of education and a recognised reputation in the field of specialisation of the position for which they are nominated.
The members of the National Council for Personal Data Protection and Privacy were appointed in August 2021 for a two-year mandate (only available in Portuguese here).
3.2. Main powers, duties and responsibilities
The ANPD is responsible for the enforcement of the LGPD and has the following powers to ensure the protection of individuals' data (Article 55-J of the LGPD):
- ensure the protection of personal data, including by conducting inspections and audits or ordering that they be carried out;
- ensure the observance of commercial and industrial secrecy, with due regard for the protection of personal data and for the confidentiality of information when protected by law or when a breach of confidentiality would violate the fundamentals of the LGPD;
- receive and process petitions from data subjects against controllers, after the data subject has shown that a complaint was submitted to the controller and not resolved within the period set out in the regulations;
- regulate the forms of publicity of personal data processing operations;
- request, at any time, from public authorities that carry out personal data processing activities, specific information on the scope and nature of the data and other details of the processing, and issue technical opinions to ensure compliance with the LGPD;
- issue regulations and procedures on privacy and personal data protection, including on DPIAs;
- hear data processing agents and society on matters of relevant interest;
- collect and apply its revenues and publish, in its management report, a detailed account of its revenues and expenses;
- enter into commitments with data processing agents, at any time, in order to eliminate irregularities, legal uncertainty or contentious situations in administrative proceedings;
- issue rules, guidelines and simplified procedures, including on deadlines, for micro and small companies, start-ups and innovative businesses, to help them comply with the LGPD;
- ensure that the processing of personal data of elderly persons is carried out in a simple, clear, accessible and adequate manner, appropriate to their understanding;
- decide, at the administrative level and as a final instance, on the interpretation of the LGPD, its competences and the cases in which it is silent;
- implement simplified mechanisms, including electronic ones, for the registration of complaints about personal data processing that does not comply with the LGPD;
- inspect and sanction processing that does not comply with the LGPD, through administrative proceedings that ensure the adversarial principle, full defence and the right to appeal;
- report to the competent authorities any criminal offences that come to its knowledge;
- report to the internal control bodies any non-compliance with the LGPD by bodies and entities of the federal public administration;
- promote among the population knowledge of the rules and public policies on personal data protection and of security measures;
- encourage the adoption of standards for services and products that make it easier for data subjects to control and protect their personal data, taking into account the specificities of the activities and the size of controllers;
- prepare studies on national and international practices on personal data protection and privacy;
- promote cooperation with personal data protection authorities of other countries, of an international or transnational nature; and
- prepare annual management reports on its activities.
4. Key Definitions
Data controller: Natural person or legal entity, governed by public or private law, in charge of making decisions about the processing of personal data (Article 5(VI) of LGPD).
Data processor: Natural person or legal entity, governed by public or private law, which processes personal data on behalf of the controller (Article 5(VII) of the LGPD).
Personal data: Information related to an identified or identifiable natural person (Article 5(I) of LGPD).
Sensitive data: Personal data on racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organisation, as well as data relating to health or sex life, or genetic or biometric data, when related to a natural person (Article 5(II) of the LGPD).
Health data: There is no definition under the law.
Biometric data: There is no definition under the law.
Pseudonymisation: Processing by means of which data loses the possibility of direct or indirect association with an individual, except through the use of additional information kept separately by the controller in a controlled and secure environment (Article 13(§4) of the LGPD).
Data protection officer: person appointed by the controller and processor to act as a communication channel between the controller, data subjects, and the ANPD (Article 5(VIII) of LGPD).
Anonymisation: use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of a direct or indirect association to an individual (Article 5(XI) of LGPD).
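The two definitions above differ in one operational detail that matters when designing a dataset: under pseudonymisation the controller keeps a separate secret that allows re-identification, whereas under anonymisation no such secret exists. The following Python script is an added illustration of that distinction and is not part of the page or of any ANPD guidance; the records, the key and the field names are constructed for the example, and keyed HMAC-SHA256 over the direct identifier is one common way to build the pseudonym (the LGPD prescribes no particular technique).

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people): a direct identifier (CPF)
# plus attributes a processing agent might keep for analysis.
SAMPLE_RECORDS = [
    {"cpf": "123.456.789-09", "city": "Recife", "birth_year": 1984, "diagnosis": "asthma"},
    {"cpf": "987.654.321-00", "city": "Recife", "birth_year": 1991, "diagnosis": "asthma"},
    {"cpf": "123.456.789-09", "city": "Recife", "birth_year": 1984, "diagnosis": "migraine"},
]


def new_pseudonymisation_key():
    """The 'additional information kept separately' of Article 13(§4): a
    secret the controller holds in a controlled environment (KMS/HSM in
    practice), never stored alongside the pseudonymised dataset."""
    return secrets.token_bytes(32)


def pseudonymise(identifier, key):
    """Keyed pseudonym: HMAC-SHA256 over the identifier. Deterministic under
    one key, so records of the same person remain linkable; neither
    invertible nor recomputable by anyone who lacks the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key):
    """Replace the direct identifier in each record with its pseudonym."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["subject_token"] = pseudonymise(rec.pop("cpf"), key)
        out.append(rec)
    return out


def re_identify(token, candidate_identifiers, key):
    """Only the key holder can re-identify, and only by recomputing the
    pseudonym of known candidates and comparing in constant time."""
    for cand in candidate_identifiers:
        if hmac.compare_digest(pseudonymise(cand, key), token):
            return cand
    return None


def anonymise_records(records, year_bucket=10):
    """Anonymisation in the Article 5(XI) sense: the direct identifier is
    dropped outright (no key is retained anywhere) and a quasi-identifier is
    generalised to weaken indirect association with an individual."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec.pop("cpf")
        rec["birth_decade"] = (rec.pop("birth_year") // year_bucket) * year_bucket
        out.append(rec)
    return out


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    pseudo = pseudonymise_records(SAMPLE_RECORDS, key)
    for row in pseudo:
        print(row)
    # Re-identification works only with the key the controller kept apart.
    print(re_identify(pseudo[1]["subject_token"], ["987.654.321-00"], key))
    for row in anonymise_records(SAMPLE_RECORDS):
        print(row)
```

The pseudonymised output is still personal data for the controller, because the key it keeps allows re-identification; it becomes effectively anonymous only for a recipient who never receives the key. Conversely, whether the output of anonymise_records is truly anonymous depends on the rest of the dataset and on the effort a re-identification would take; generalising one field is shown only to illustrate the removal of indirect association, not as a sufficient recipe.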
5. Legal Bases
5.1. Consent
Consent is the free, informed and unequivocal expression by which the data subject agrees to the processing of their personal data for a specific purpose. It is available as a legal basis for both 'regular' personal data and sensitive personal data; for sensitive data, consent must be given in a specific and highlighted manner, for specific purposes (Articles 7(I), 11(I) and 14 of the LGPD).
5.2. Contract with the data subject
Applicable to processing necessary for the performance of a contract, or of preliminary procedures related to a contract, to which the data subject is a party, at the request of the data subject (Article 7(V) of the LGPD; for sensitive data, Article 11(II)(d) of the LGPD).
5.3. Legal obligations
Personal data and sensitive data may be processed for compliance with a legal or regulatory obligation of the controller (Articles 7(II) and 11(II)(a) of the LGPD).
5.4. Interests of the data subject
There is no specific legal basis for processing personal data in the interest of the data subject. However, the legitimate interest of the controller may cover the protection, in relation to the data subject, of the regular exercise of their rights or the provision of services that benefit them.
For more details, please see the section on the legitimate interests of the data controller below.
5.5. Public interest
There is no specific legal basis for processing personal data in the public interest. However, the public administration may process personal data when necessary for the execution of public policies provided for in laws or regulations, or based on contracts, agreements or similar instruments (Article 7(III) of the LGPD).
5.6. Legitimate interests of the data controller
The legitimate interest of the controller or of a third party cannot be relied on to process sensitive data. When basing a processing activity on legitimate interest, the controller must (Articles 7(IX) and 10 of the LGPD):
- guarantee that the personal data being processed is strictly necessary for the intended purpose; and
- adopt measures to ensure transparency of data processing based on its legitimate interests.
5.7. Legal bases in other instances
Other legal bases for processing personal data are (Articles 7 and 11 of the LGPD):
- the carrying out of studies by research bodies, ensuring, whenever possible, the anonymisation of the personal data;
- the regular exercise of rights in judicial, administrative or arbitration proceedings;
- the protection of the life or physical safety of the data subject or of a third party;
- credit protection, which cannot be relied on for sensitive data (Article 7(X) of the LGPD);
- fraud prevention and the security of the data subject in identification and authentication processes in electronic systems, a basis available only for sensitive data (Article 11(II)(g) of the LGPD); and
- the protection of health, only in procedures carried out by health professionals, health services or sanitary authorities.
6. Principles
Any processing of personal data must observe the following principles (Article 6 of the LGPD):
- good faith;
- purpose: processing for legitimate, specific, and explicit purposes informed to the data subject, without any possibility of further processing inconsistent with these purposes;
- adequacy: compatibility of the processing with the purposes informed to the data subject, in accordance with the context of the processing;
- necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering data that is relevant, proportionate, and non-excessive in relation to the purposes of the data processing;
- free access: guarantee to data subjects of facilitated and free-of-charge consultation about the form and duration of the processing, as well as about the entirety of their personal data;
- data quality: guarantee to the data subjects of the accuracy, clarity, relevancy, and updating of the data, in accordance with the need and for achieving the purpose of the processing;
- transparency: guarantee to the data subjects of clear, precise, and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy;
- security: use of technical and administrative measures able to protect personal data from unauthorised access and accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination;
- prevention: adoption of measures to prevent the occurrence of damage in view of the processing of personal data;
- non-discrimination: impossibility of processing data for discriminatory, unlawful, or abusive purposes; and
- accountability: proof, by the controller or processor, of adoption of effective measures able to prove observance of and compliance with the personal data protection rules, as well as of the effectiveness of these measures.
7. Controller and Processor Obligations
7.1. Data processing notification
There is no obligation to notify data processing activities.
7.2. Data transfers
The international transfer of personal data is permitted only in the following cases (Article 33 of the LGPD):
- to countries or international organisations that provide a level of personal data protection adequate to that provided for by the LGPD;
- when the controller offers and demonstrates guarantees of compliance with the principles, the data subject rights and the data protection regime established in the LGPD, in the form of:
  - specific contractual clauses for a given transfer;
  - Standard Contractual Clauses ('SCCs');
  - Binding Corporate Rules ('BCRs'); or
  - seals, certificates and codes of conduct regularly issued;
- when the transfer is required for international legal cooperation between government intelligence, investigation and police bodies, in accordance with international law instruments;
- when the transfer is required to protect the life or physical integrity of the data subject or of a third party;
- when the ANPD authorises the transfer;
- when the transfer results from a commitment undertaken under an international cooperation agreement;
- when the transfer is required for the execution of a public policy or legal attribution of the public service, with the processing made public as provided in item I of the caput of Article 23 of the LGPD;
- when the data subject has given specific and highlighted consent to the transfer, with prior information on the international nature of the operation, clearly distinguishing it from any other purpose;
- when necessary for the controller to comply with a legal or regulatory obligation;
- when necessary for the performance of a contract, or of preliminary procedures related to a contract, to which the data subject is a party, at the request of the data subject; or
- for the regular exercise of rights in judicial, administrative or arbitration proceedings.
There are no specific requirements on outsourcing. It is not prohibited under the LGPD; however, if it involves cross-border transfers of personal data, the rules under the LGPD must be observed.
On 18 May 2022 the ANPD announced that, from that date, it is accepting comments and submissions for the preparation of regulations on international data transfers, and that it will hold public hearings to debate the subject and build these standards together with society.
7.3. Data processing records
The controller and the processor must keep records of the personal data processing operations they carry out, especially where the processing is based on legitimate interest (Article 37 of the LGPD).
The LGPD does not specify which information these records must contain.
For small size data processing agents (as defined by ANPD Regulation No. 2/2022, only available in Portuguese here ('ANPD Regulation No. 2/2022')), a simplified template (not yet published) will be available to comply with the obligation to record processing activities.
7.4. Data protection impact assessment
The ANPD may require the controller to prepare a DPIA relating to its data processing operations, as provided for in the regulations, with due regard for commercial and industrial secrecy (Article 10(§3) of the LGPD).
The DPIA must contain at least a description of the types of data collected, the methodology used for collection and for guaranteeing the security of the information, and the controller's analysis of the measures, safeguards and risk mitigation mechanisms adopted (Article 38 of the LGPD).
It is worth mentioning that the ANPD has not regulated this matter yet.
7.5. Data protection officer appointment
Controllers must appoint a DPO. The ANPD may exempt controllers from this obligation according to the nature and size of the entity or the volume of its data processing operations (Article 41 and Article 41(§3) of the LGPD).
The identity and contact details of the DPO must be publicly, clearly, and objectively disclosed, preferably on the controllers' website. The activities of the DPO consist of the following (Article 41(§ 1º) of the LGPD):
- to receive complaints and communications from data subjects, provide clarifications and take action;
- to receive communications from the supervisory authority and take measures;
- to instruct the employees and contractors of the entity on the practices to be adopted in relation to personal data protection; and
- to carry out any other duties established by the controller or in supplementary rules.
As a best practice, it is considered important that the DPO has freedom in carrying out their assignments. Their professional qualifications are left to the judgment of the controller that appoints them, taking into account knowledge of data protection and information security at a level that meets the needs of the organisation's operations (Topic 6 (6.1)(72) of the Guidance).
While the LGPD does not prevent the same DPO from acting on behalf of different organisations, the DPO must be able to carry out their duties effectively. Before appointing a DPO, the controller must therefore consider whether the DPO will be able to meet its demands and those of other organisations at the same time. Responsibility for the processing of personal data remains with the controller or processor, as established in Article 42 of the LGPD (Topic 6 (6.1)(74) of the Guidance).
The DPO must also have adequate resources to carry out their activities, which may include human resources. Other resources to be considered are time (appropriate deadlines), finance and infrastructure (Topic 6 (6.1)(73) of the Guidance).
Small size data processing agents
Small size data processing agents (as defined by ANPD Regulation No. 2/2022) are exempt from the obligation to appoint a DPO, although appointing one is considered a best practice and a data protection governance measure within the meaning of Article 52(§1)(IX) of the LGPD.
7.6. Data breach notification
The controller must notify the ANPD and data subjects of the occurrence of any security incident that may result in any relevant risk or damage to the data subjects (Article 48 of LGPD).
The notice must, at a minimum, contain the following information (Article 48(§1) of the LGPD):
- a description of the nature of the affected personal data;
- information on the data subjects involved;
- indication of the technical and security measures used for data protection, with due regard for trade and industrial secrets;
- the risks relating to the incident;
- the reasons for the delay, in case the notice is not immediate; and
- the measures that were or will be adopted to reverse or mitigate the effects of the harm.
The ANPD has also released guidance and a security incident reporting form (only available in Portuguese here).
For small size data processing agents (as defined by ANPD Regulation No. 2/2022), there will be a flexible and simplified procedure to report data breaches (not published yet).
Furthermore, Resolution No. 4.658/2018 of the Brazilian Central Bank (only available in Portuguese here) establishes, for financial institutions, specific cyber security policy requirements and requirements for contracting data processing, data storage and cloud computing services.
7.7. Data retention
Each sector has its own rules on data retention. The LGPD only provides that data must be kept for the shortest period necessary and may not be processed after the purpose of the processing has been achieved. The ANPD may also regulate the period for which controllers and processors must keep their records of processing activities (Article 40 of the LGPD).
7.8. Children's data
The processing of personal data of children and adolescents must be carried out in their best interest, pursuant to Article 14 of the LGPD and the applicable legislation.
To process the personal data of children, the LGPD requires specific and highlighted consent given by at least one parent or legal guardian (Article 14(§1) of the LGPD). An exception applies when the collection is necessary to contact the parents or legal guardian, is used only once and without storage, or is necessary for the child's protection; in these cases the data may not be transferred to third parties under any circumstances without that consent (Article 14(§3) of the LGPD).
According to the Brazilian Child and Adolescent Statute (only available in Portuguese here), children are individuals under 12 years of age, and adolescents are individuals aged 12 or older but under 18.
7.9. Special categories of personal data
Controllers are also required to have an appropriate legal ground set out in the LGPD in order to be allowed to process sensitive personal data, as summarised below (Article 11 of the LGPD):
- compliance with a legal or regulatory obligation;
- for carrying out studies by research bodies;
- performance of a contract or of preliminary procedures related to a contract (the data subject must be a party to the contract);
- regular exercise of rights in lawsuits or administrative or arbitration proceedings;
- protection of the life or physical safety of the data subject or of a third party;
- protection of health (only applied to procedures carried out by health professionals, health services, or sanitary authorities); and
- fraud prevention and to guarantee security to the data subject.
7.10. Controller and processor contracts
There are no specific rules on controller and processor agreements under the LGPD. The only requirement is that the processor must carry out the processing in accordance with the controller's instructions, and the controller must verify the processor's compliance with those instructions and with the applicable data protection rules (Article 39 of the LGPD).
8. Data Subject Rights
The LGPD establishes the following rights for data subjects (Article 18 of the LGPD):
- confirmation of the existence of processing;
- access to data;
- correction of incomplete, inaccurate, or outdated data;
- anonymisation, blocking, or elimination of unnecessary or excessive data or of data processed in non-compliance with the provisions of the LGPD;
- portability of the data to other service providers or suppliers of products, by the means of an express request, pursuant to the regulations of the ANPD, and subject to commercial and industrial secrecy;
- elimination of the personal data processed with the consent of the data subjects, except in the cases set forth in Article 16 of the LGPD;
- information on the public and private entities with which the controller has shared data;
- information on the possibility of not providing consent and on the consequences of such denial;
- revocation of the consent, pursuant to the provisions of Article 8(5) of the LGPD; and
- review of decisions based on processing of personal data carried out exclusively by automated means.
The rights to confirmation of the existence of processing and to access must be addressed by the controller immediately, in a simplified format, or within 15 days, in a clear and complete declaration (Article 19(I) and (II) of the LGPD).
For the other data subject rights, the ANPD shall regulate the appropriate timeframe that should be observed by data controllers (Article 19 (§4º) of the LGPD).
8.1. Right to be informed
The LGPD specifies that data subjects have the right to facilitated access to information about the processing of their personal data (Article 9 of the LGPD). The LGPD does not distinguish the information requirements according to whether the personal data was obtained directly from the data subject or from a third party.
8.2. Right to access
The LGPD provides that data subjects have the right to obtain, at any time and by means of request, information regarding the data subject's personal data that is being processed (Article 18 of the LGPD).
8.3. Right to rectification
The LGPD provides that data subjects have the right to the correction of incomplete, inaccurate, or out-of-date data, at any time and by means of request (Article 18(III) of the LGPD).
8.4. Right to erasure
Data subjects may request the elimination of personal data processed on the basis of their consent, except in the cases set out in Article 16 of the LGPD (Article 18(VI) of the LGPD).
8.5. Right to object/opt-out
The LGPD outlines that a data subject can request the blocking of unnecessary or excessive data or data processed in non-compliance with the provisions of the LGPD (Article 18(IV) of the LGPD).
Under the LGPD, the right to restriction is referred to as 'blocking', which the LGPD defines as the temporary suspension of any processing operation, through the retention of the personal data or of the database (Article 5(XIII) of the LGPD).
Data subjects also have the right to request the elimination of their personal data processed on the basis of consent, except where the data is retained for (Article 16 of the LGPD):
- compliance with a legal or regulatory obligation of the controller;
- studies by a research body, ensuring, whenever possible, the anonymisation of the personal data;
- transfer to a third party, provided that the data processing requirements of the LGPD are complied with; or
- the exclusive use of the controller, with access by third parties prohibited and provided that the data is anonymised.
8.6. Right to data portability
A data subject has the right to the portability of their data, by the means of an express request, pursuant with the regulations of the national authority, and subject to commercial and industrial secrets (Article 18(V) of the LGPD).
8.7. Right not to be subject to automated decision-making
The data subject has the right to request for the review of decisions made solely based on automated processing of personal data affecting their interests, including decisions intended to define their personal, professional, consumer, and credit profile, or aspects of their personality (Article 20 of the LGPD).
8.8. Other rights
9. Penalties
Under the LGPD, the following sanctions may be imposed (Article 52 of the LGPD):
- a warning, with an indication of a deadline for the adoption of corrective measures;
- a simple fine of up to 2% of the revenue of the private-law legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to BRL 50 million (approx. €9.6 million) per infraction;
- a daily fine, subject to the total limit that applies to the simple fine;
- disclosure of the infraction after it has been duly investigated and its occurrence has been confirmed;
- blockage of the personal data to which the infraction relates, until its regularisation;
- elimination of the personal data to which the infraction relates;
- partial suspension of the functioning of the databases which are the subject of the non-compliant action for up to six months, extendable for a further six months; and
- partial or total prohibition to execute activities related to data processing.
9.1. Enforcement decisions
There are no enforcement decisions yet.