LGPD Unveiled: A Closer Look at Brazil’s Data Protection Regulations

Unraveling the complexities of data protection may be tedious, especially if you are not familiar with them. Discover more in this insightful post as our compliance specialist, Tiana Dermendjieva, delves into the intricacies of data protection in Brazil.

The LGPD (Lei Geral de Proteção de Dados), or the Brazilian General Data Protection Law, was enacted as Law No. 13,709/2018 on August 14, 2018, after several years of debate and public consultation. Many of the concepts in the LGPD are drawn from the GDPR (General Data Protection Regulation).

This post compares the two laws, looking at their scope, the roles of data controllers and processors, the treatment of children's data, the legal bases for processing, record-keeping rules, cross-border data transfers, the role of the Data Protection Officer, the response to data breaches, individuals' rights, and the powers of the supervisory authorities.

Personal scope
Similarities
GDPR | LGPD
Protects only living natural persons | Explicitly protects only natural persons
Does not cover deceased individuals or legal persons | Does not cover legal persons
Applies to data controllers and data processors | Applies to data controllers and data processors (together called "processing agents")
Businesses, public bodies, institutions, and not-for-profits can be controllers or processors | Businesses, public bodies, institutions, and not-for-profits can be controllers or processors
The data controller determines the purposes and means of processing personal data | The data controller is in charge of making decisions regarding the processing of personal data
The data processor processes data on behalf of the controller | The data processor processes data in the name of the controller
Territorial scope
Similarities
GDPR | LGPD
Applies to the processing of personal data by organizations established in the EU, regardless of whether the processing itself takes place in the EU | Applies, irrespective of the location of an entity's headquarters or of the data being processed, if the data belongs to individuals located in Brazil or was collected in Brazil
Extraterritorially, applies to organizations not established in the EU where the processing relates to offering goods or services to individuals in the EU | Also applies, irrespective of the location of an entity's headquarters or of the data being processed, if the purpose of the processing is to offer or provide goods or services to individuals located in Brazil
Differences
GDPR | LGPD
Applies to non-EU organizations that monitor the behavior of individuals in the EU | Has no specific provision on monitoring the behavior of individuals in Brazil
Applies to natural persons regardless of nationality or place of residence | Interpreted to apply to any person, regardless of nationality or residency, who is in Brazil at the time the data is collected
Material Scope
Similarities
GDPR | LGPD
Covers any operation performed on personal data | Covers any operation carried out with personal data
Personal data is any information that directly or indirectly relates to an identified or identifiable individual | Personal data is information regarding an identified or identifiable natural person
Special categories (data revealing racial or ethnic origin, political opinions, religious beliefs, etc.) carry specific processing requirements | Sensitive data (data concerning racial or ethnic origin, religious belief, political opinion, etc.) carries specific processing requirements
Excludes processing for purely personal or household purposes | Excludes processing by a natural person for purely private and non-economic purposes
Excludes anonymous data | Excludes anonymized data
Excludes processing in the context of law enforcement or national security | Excludes processing for purposes of public safety, national security, and criminal investigation
Provides specific requirements for journalistic, academic, artistic, or literary expression | Generally does not apply to processing carried out exclusively for journalistic, artistic, or academic purposes
Differences
GDPR | LGPD
Applies to automated processing, and to non-automated processing only where the data form part of a filing system | Applies to any processing operation, regardless of the means used
Does not specifically address this point | Data used to form a behavioral profile may be considered personal data if the person is identified
Controllers and Processors

The GDPR and the LGPD define data controllers and processors, and their responsibilities, in similar terms and contain similar liability clauses, although there are differences in joint and several liability and in the available exemptions.

The GDPR requires a contract or other legal act binding the processor to the controller and setting out the terms of the processing; it does not specifically address liability in consumer relationships.

The LGPD, in contrast, does not require such a contract, but it does require processors to process data in accordance with the controller's instructions. In addition, under the LGPD joint liability arises in consumer relationships because the Consumer Protection Code applies alongside it.

Children’s Data

Both the GDPR and the LGPD require that information addressed to children be clear and accessible.

They differ on age. The GDPR sets the age of digital consent for information society services at 16 and allows Member States to lower it, but not below 13. The LGPD does not set a digital-consent age of its own: it requires specific and prominent consent from at least one parent or legal guardian for the processing of a child's personal data, and "child" takes its meaning from the Statute of the Child and Adolescent (Law No. 8,069/1990), which defines a child as a person under 12. Both regulations require the controller to make reasonable efforts, considering available technology, to verify that consent was in fact given by the parent or guardian, and to present information in a manner children can understand.

Legal Basis

The GDPR and the LGPD share several commonalities in their legal bases for processing personal data.

Similarities
GDPR | LGPD
Consent given by the data subject for one or more specific purposes | Consent provided by the data subject
Necessary for the performance of a contract to which the data subject is a party | Necessary for the execution of a contract, or of preliminary procedures related to a contract, at the request of the data subject
Necessary for compliance with a legal obligation of the controller | Necessary for compliance with a legal or regulatory obligation of the controller
Necessary to protect the vital interests of the data subject or another person | Necessary for the protection of life or physical safety of the data subject or a third party
Necessary for a task carried out in the public interest or in the exercise of official authority | Processing and shared use, by the public administration, of data necessary to execute public policies provided for in laws and regulations
Legitimate interests pursued by the controller or a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject | Necessary to meet the legitimate interests of the controller or a third party, except where the fundamental rights and freedoms of the data subject prevail
Sensitive data: explicit consent of the data subject | Sensitive data: specific and prominent consent for specific purposes, given by the data subject or their legal representative
Sensitive data: necessary for employment, social security, and social protection law | Sensitive data: necessary for compliance with a legal or regulatory obligation of the controller
Sensitive data: necessary to protect the vital interests of a person physically or legally incapable of giving consent | Sensitive data: necessary for the protection of life or physical safety of the data subject or a third party
Sensitive data: necessary for the establishment, exercise, or defense of legal claims | Sensitive data: necessary for the regular exercise of rights, including in contracts and in judicial, administrative, and arbitration proceedings
Sensitive data: public health and related purposes, subject to specific conditions | Sensitive data: necessary for health protection, exclusively in procedures carried out by health professionals, health services, or health authorities
Differences
GDPR | LGPD
Offers no further bases unique to it for processing non-sensitive personal data | Unique bases include studies by a research body, the regular exercise of rights in legal proceedings, protection of health, and credit protection
Sensitive data: uniquely allows processing by not-for-profit bodies with appropriate safeguards, and processing of data manifestly made public by the data subject | Sensitive data: uniquely allows processing for fraud prevention and the safety of the data subject in identification and authentication for electronic systems, except where the data subject's fundamental rights and freedoms requiring personal data protection prevail
Data Transfers

On international data transfers the GDPR and the LGPD share a common structure. Under the GDPR, the European Commission assesses whether a third country offers an adequate level of protection, and transfers to countries found adequate are permitted. Both regulations accept safeguards such as binding corporate rules, standard data protection clauses, approved codes of conduct, and certification mechanisms. Both also allow transfers on further grounds, including judicial cooperation, explicit consent, performance of a contract, public interest, legal claims, and protection of vital interests, and both permit transfers based on legally binding instruments or administrative arrangements between public authorities.

The LGPD likewise allows transfers to countries or international organizations that provide an adequate level of protection, and to recipients where the controller offers guarantees of compliance in the form of specific contractual clauses, standard contractual clauses, global corporate rules, or recognized seals, certificates, and codes of conduct. Its other grounds are international legal cooperation between public intelligence, investigation, and prosecution bodies; protection of the life or physical safety of the data subject or a third party; authorization by the ANPD; international cooperation agreements; execution of public policy; specific and prominent consent of the data subject; and compliance with a legal or regulatory obligation, execution of a contract, or the regular exercise of rights in legal proceedings. Under either framework, an organization must identify the specific mechanism it relies on for each transfer and document it.

The GDPR has two provisions with no LGPD counterpart: transfers of data from public registers, and transfers based on the compelling legitimate interests of the controller, which are allowed only where the transfer is not repetitive, concerns a limited number of data subjects, and is accompanied by suitable safeguards. The LGPD has no equivalent of these, so an organization that relies on them in the EU needs a different ground for the same transfer from Brazil.

Data Processing Records

Both the GDPR and the LGPD share the commonality that controllers and processors are obligated to maintain records of their personal data processing activities.

However, differences arise in the specifics of these requirements.

Under the GDPR, organizations with fewer than 250 employees are exempt from record-keeping unless their processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data or criminal-conviction data. The GDPR also spells out what controllers and processors must record: name and contact details, purposes of processing, categories of data and data subjects, recipients, international transfers, envisaged erasure time limits, and security measures.

The LGPD, by contrast, imposes the record-keeping obligation on all organizations, regardless of size or of the type of data processed; any relief from it depends on rules issued by the supervisory authority. The LGPD also does not specify the information a record must contain, which sets it apart from the detailed and prescriptive obligations in the GDPR. In practice, a GDPR Article 30 record will normally satisfy the LGPD, but the LGPD record must cover processing that the GDPR exemption would have left out.

DPIA (Data Protection Impact Assessment)

The two laws treat the DPIA similarly in several respects:

Similarities
GDPR | LGPD
Requires a DPIA in specific circumstances; Member States' supervisory authorities may further determine which processing operations require one | Provides for a DPIA in specific circumstances; the Brazilian data protection authority (ANPD) may determine which processing operations require one
Defines a DPIA as "an assessment of the impact of the envisaged processing operations on the protection of personal data" | Defines a DPIA as the controller's documentation describing the processing of personal data that could generate risks to civil liberties and fundamental rights, together with the measures, safeguards, and mechanisms used to mitigate those risks
Specifies when a DPIA is required: (a) likely high risk to rights and freedoms; (b) systematic and extensive evaluation based on automated processing; (c) large-scale processing of special categories of data; (d) large-scale systematic monitoring of publicly accessible areas | Does not itself specify when a DPIA is required; the ANPD may require the controller to prepare one and provide it
Specifies what a DPIA must include: (i) a systematic description of the envisaged processing operations and purposes; (ii) an assessment of necessity and proportionality; (iii) an assessment of risks to rights and freedoms | Specifies what a DPIA must include: (i) a description of the types of data collected; (ii) the methodology used to collect the data; (iii) the methodology used to ensure the security of the information; (iv) the controller's analysis of the measures, safeguards, and mechanisms adopted to mitigate the risks
Differences
GDPR | LGPD
Requires the controller to consult the supervisory authority before processing if the DPIA indicates a high risk that cannot be mitigated | Does not establish a prior-consultation process for DPIAs
Lists measures to mitigate risk, such as safeguards, security measures, and mechanisms to ensure the protection of personal data and demonstrate compliance | Requires the DPIA to describe the mitigation measures adopted but does not prescribe which measures a controller should use
DPO (Data Protection Officer)

The GDPR provides for the appointment of a DPO but does not define the role. The DPO's tasks include:

◦ Advising the controller or processor on GDPR compliance
◦ Monitoring compliance and staff training
◦ Advising on DPIAs
◦ Acting as a point of contact for data subjects and authorities. Contact details must be published and communicated to the supervisory authority.

Both controllers and processors must appoint a DPO in specific circumstances: when the organization is a public authority, when its core activities involve regular and systematic monitoring of data subjects on a large scale, or when they involve large-scale processing of special categories of data or criminal-conviction data.

The LGPD also provides for a DPO (encarregado) and, unlike the GDPR, defines the role: a person designated by the controller to act as a communication channel between the controller, the data subjects, and the supervisory authority. The tasks are:

◦ Accepting complaints and communications from data subjects
◦ Receiving communications from the supervisory authority and advising entity’s employees
◦ Orienting employees and contractors on data protection practices
◦ Carrying out other duties as determined by the controller or in complementary rules. Identity and contact information should be publicly disclosed.

Under the LGPD only controllers are required to appoint a DPO, and the law sets no thresholds for when one must be appointed; that is left to the ANPD.

The difference between the GDPR and LGPD is that the GDPR allows a group of undertakings to appoint a single DPO, provided they are easily accessible from each establishment. It also stresses the independence of the DPO and mandates the provision of monetary and human resources for fulfilling their tasks. In contrast, the LGPD does not explicitly mention whether a group of entities may appoint a single DPO and it does not explicitly establish the independence of the DPO or provide for monetary and human resources to be given to the DPO for fulfilling their tasks.

Data Security and Data Breaches
Similarities
GDPR | LGPD
Recognizes integrity and confidentiality as principles. Requires protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures. Controllers and processors must adopt measures that ensure a level of security appropriate to the risk | Recognizes security as a principle. Requires technical and administrative measures to protect personal data against unauthorized access and against accidental or unlawful destruction, loss, alteration, communication, or dissemination. Controllers and processors must adopt these measures
Notification to the supervisory authority is required unless the breach is unlikely to result in a risk; notification to data subjects is required when the breach is likely to result in a high risk. The notification must include: (i) the nature of the breach; (ii) the DPO's contact details; (iii) the likely consequences; (iv) the measures taken to mitigate the adverse effects; and (v) the reasons for any delay | Controllers must communicate to the ANPD and to the data subjects any security incident that may cause risk or relevant damage. The communication must include: (i) a description of the nature of the affected personal data; (ii) information on the data subjects involved; (iii) the technical and security measures used; (iv) the risks related to the incident; (v) the reasons for any delay; and (vi) the measures adopted to reverse or mitigate the effects
Difference
GDPR | LGPD
Lists example security measures, including pseudonymization, encryption, and measures for ongoing confidentiality, integrity, availability, and resilience. Notification to the supervisory authority is due within 72 hours of becoming aware of the breach. Requires that any person with access to data process it only on the controller's instructions, unless required by law | Leaves minimum technical standards to the ANPD, which may set them taking into account the nature of the information, the characteristics of the processing, and the current state of technology. The law itself does not fix a notification deadline; it refers to a "reasonable period" to be defined by the ANPD, which in Resolution CD/ANPD No. 15/2024 set it at three business days from becoming aware of the incident. Requires processing agents, and any other person involved in a processing phase, to ensure information security
Individuals’ rights

The GDPR and the LGPD share several key data-subject rights. Both grant a right to erasure under specified conditions and a right to withdraw consent. The right to be informed requires detailed privacy notices covering, among other things, the categories of personal data processed, the DPO's contact details, and any transfers to third countries. The right to object allows data subjects to object to processing based on legitimate interests, with a specific provision for opting out of direct marketing. Neither law spells out a stand-alone right not to be discriminated against for exercising data rights, but both address it indirectly through their principles of fair processing and transparency.

The main differences are in timing and detail. The GDPR's right of access must be answered within one month, extendable by two further months, and the GDPR lists the information the response must contain. The LGPD requires a simplified answer immediately or a full declaration within 15 days, with less explicit guidance on what the answer must include. On data portability, the GDPR requires a "structured, commonly used and machine-readable format," while the LGPD frames the right as portability to another service or product provider and restricts the communication or shared use of sensitive health data for economic advantage unless the data subject has expressly consented. Organizations running a single rights-handling process for both jurisdictions should build it around the shorter LGPD deadline.

Enforcement

Both regulations empower their supervisory authorities to impose monetary penalties for violations, and both weigh factors such as the severity of the infraction, intent, and cooperation with the authority when setting a fine. Both also provide for published guidance on calculating fines: under the GDPR the European Data Protection Board has issued fine-calculation guidelines for the supervisory authorities, and under the LGPD the ANPD issues its own regulation on the application of sanctions.

However, notable differences exist between the two regulations.

The GDPR provides administrative fines in two tiers: up to €10 million or 2% of total worldwide annual turnover, and up to €20 million or 4%, whichever is higher in each case. Whether, and to what extent, fines may be imposed on public authorities is left to each Member State. The LGPD, in contrast, distinguishes two types of fine, simple and daily, with daily fines used to enforce compliance with an earlier decision of the authority.

LGPD simple fines are limited to 2% of the revenue in Brazil, in the last fiscal year and excluding taxes, of the private legal entity, group, or conglomerate concerned, capped at BRL 50,000,000 per infraction. Public entities are not subject to the LGPD's administrative fines, although the other sanctions (warning, publicizing the infraction, and blocking or deletion of the data) can be applied to them.

These distinctions highlight the varied approaches and nuances in the penalty structures of the GDPR and LGPD.

Supervisory Authority
Similarities:
GDPR | LGPD
Investigatory powers include ordering controllers and processors to provide information, conducting audits, and obtaining access to data and premises | Investigatory powers focus on requesting information from controllers and processors
Corrective powers include warnings, reprimands, temporary or definitive limitations including bans on processing, and administrative fines | Corrective powers include warnings, fines, publicizing the infraction, and blocking or deletion of the personal data to which the infraction refers
Handles complaints from data subjects and cooperates with data protection authorities of other countries | Handles complaints from data subjects and cooperates with data protection authorities of other countries
Promotes public awareness and understanding of data protection, including risks, rules, and safeguards | Promotes public awareness of personal data protection and of security
Differences:
GDPR | LGPD
Each Member State establishes its own supervisory authority and sets the qualifications and conditions for appointment and reappointment of its members | The ANPD is a single federal body whose structure includes a Board of Directors, the National Council for Data Protection and Privacy, and other departments
Subject to financial control only insofar as it does not affect independence; has a separate, public annual budget | As originally enacted, the LGPD placed the ANPD within the Presidency of the Republic without financial autonomy; Law No. 14,460/2022 later converted it into a special-regime autarchy with administrative and financial autonomy
Conclusion

While the GDPR and the LGPD share significant similarities across various aspects of data protection, there are nuanced differences that should not be overlooked.

Compliance with the GDPR provides a strong foundation for LGPD compliance, but it is not sufficient on its own.

To comply fully with the LGPD, organizations can either adapt their existing GDPR-based compliance documents so that they also meet the LGPD's requirements, or develop a separate set of documents tailored to the LGPD. The differences set out above (the shorter access-request deadline, the universal record-keeping duty, the DPO definition, and the transfer and sanction rules) are the points where a GDPR programme most often needs adjustment.

Either approach leaves an organization both compliant and prepared for the regulatory landscape of more than one jurisdiction.
