General Personal Data Protection Law
On August 14, 2018, Law 13.709/2018 was enacted in Brazil, regulating the processing of personal data, both by the public authorities and by the private sector. The Law became known as LGPD, the General Data Protection Law, and aims to strengthen the protection of personal data in Brazil.
{{Norm
| norm_title = Brazilian General Data Protection Law
| alternative_name = Lei Geral de Proteção de Dados Pessoais (LGPD)
| norm_type =  Law
| issuing_body = Parliament of Brazil
| scope_geo =  National
| country = Brazil
| norm_status = Active
| official_text = https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
| norm_language = Portuguese
}}


== Scope of the Law ==
The '''Brazilian General Data Protection Law''' (Portuguese: ''Lei Geral de Proteção de Dados Pessoais'', or '''LGPD'''), officially ''Law No. 13.709/2018'', is Brazil's comprehensive data protection legislation. It establishes rules for the collection, processing, storage, and sharing of personal data, both online and offline. The LGPD aligns Brazil with international data protection standards, such as the European Union's General Data Protection Regulation (GDPR), and represents a major milestone in the country's digital governance framework.<ref>[https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm General Personal Data Protection Law]</ref>
The Law applies to any processing operation carried out by a natural person or legal entity under public or private law, regardless of the means, the country of its headquarters or the country where the data are located, provided that: the processing operation is carried out in the national territory; the processing activity aims to offer or provide goods or services to, or to process data of, individuals located in the national territory; or the personal data subject to the processing were collected in the national territory<ref>[https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm General Personal Data Protection Law]</ref><ref>https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/</ref>.


== The concept of personal data for Brazilian law ==
Brazilian law defines personal data in three types:

# '''<u>Personal data</u>''': information related to an identified or identifiable natural person.
# '''<u>Sensitive personal data</u>''': personal data about racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or organization of a religious, philosophical or political nature, data related to health or sexual life, genetic or biometric data, when linked to a natural person.
# '''<u>Anonymized data</u>''': data related to a data subject that cannot be identified, considering the use of reasonable and available technical means at the time of its processing<ref>[https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm General Personal Data Protection Law]</ref>.

== Background and Legislative Context ==
The LGPD was sanctioned on '''August 14, 2018''', and entered into force on '''September 18, 2020''' (with administrative sanctions becoming applicable as of '''August 1, 2021'''). The law was inspired by global data protection trends, notably the GDPR, and was developed in response to increasing public concern over the misuse of personal data and the lack of comprehensive regulation in Brazil.

Prior to the LGPD, Brazil's legal framework for privacy and data was fragmented across multiple sectoral laws. The LGPD consolidated and standardized rules under a unified statute.


== The concept of data subject ==
In turn, the data subject (holder of personal data) is understood as the natural person to whom the personal data subject to processing refer<ref>[https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm General Personal Data Protection Law]</ref>. Consequently, the Law does not apply to the protection of data of legal entities.

== Scope and Applicability ==
The LGPD applies to '''any individual or legal entity''', public or private, that processes personal data within Brazil or targets individuals located in Brazil, regardless of where the data processor is based. It covers both '''digital and non-digital data processing activities'''.
(Ref: ''Articles 1 and 3'', LGPD)


== The concept of personal data processing for Brazilian law ==
The concept of personal data processing is defined in Art. 5, item X of the General Personal Data Protection Law, which states that processing is "any operation carried out with personal data, such as those referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction"<ref>[https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm General Personal Data Protection Law]</ref>.

== Key Concepts and Definitions ==
 
* '''Personal Data''': Information related to an identified or identifiable natural person.
* '''Sensitive Personal Data''': Includes data on racial or ethnic origin, religious belief, political opinion, health, sexual orientation, biometric and genetic data, among others.
* '''Data Subject''': The natural person to whom the personal data refers.
* '''Controller''': The person or entity responsible for decisions regarding the processing of personal data.
* '''Processor''': The person or entity that processes personal data on behalf of the controller.
(Ref: ''Article 5'', LGPD)
 
== Principles of Data Processing ==
Data processing under the LGPD must adhere to the following principles:
 
* '''Purpose''': Processing must have a legitimate, specific, and explicit purpose.
* '''Adequacy''': Compatibility between the data processed and the purposes.
* '''Necessity''': Limited to the minimum necessary data.
* '''Free Access''': Individuals must have access to their data.
* '''Data Quality''': Accuracy and clarity of data.
* '''Transparency''': Clear, accessible information about data processing.
* '''Security''': Use of technical and administrative measures to protect data.
* '''Accountability and Prevention''': Demonstration of compliance and risk mitigation.
(Ref: ''Article 6'', LGPD)
 
== Legal Bases for Processing ==
The '''LGPD establishes 11 legal bases''' that authorize the processing of personal data. These are divided according to the nature of the data:
* '''10 legal bases apply to the processing of personal data''' (Article 7)
* '''8 legal bases apply to the processing of sensitive personal data''' (Article 11)
 
=== Legal Bases for Processing Personal Data (Article 7) ===
 
# '''Consent''': The data subject has provided free, informed, and unambiguous consent.
# '''Compliance with legal or regulatory obligation''': Processing is required to fulfill legal duties.
# '''Public administration''': Processing is necessary for public administration to implement public policies.
# '''Research''': Processing is carried out for academic, historical, or statistical research purposes, preferably anonymized.
# '''Contract performance''': Processing is necessary to enter into or fulfill a contract with the data subject.
# '''Legal rights''': To exercise rights in judicial, administrative, or arbitration proceedings.
# '''Life and physical safety''': To protect the life or physical integrity of the data subject or third parties.
# '''Health protection''': Processing by health professionals, health services, or health authorities to safeguard health.
# '''Legitimate interest''': When processing is necessary for the legitimate interests of the controller or third parties, provided it does not violate fundamental rights and freedoms of the data subject.
# '''Credit protection''': For credit scoring and financial risk analysis, within the limits of applicable law.
(Ref: ''Article 7, LGPD'')
 
=== Legal Bases for Processing Sensitive Personal Data (Article 11) ===
Sensitive data—such as health data, biometric identifiers, racial or ethnic origin, and others—require enhanced protection. '''Eight legal bases''' authorize their processing:
 
# '''Specific and explicit consent''': The data subject gives distinct, highlighted consent.
# '''Legal or regulatory obligation''': Similar to regular personal data, when required by law.
# '''Public administration''': For public policy implementation by government bodies.
# '''Research''': For scientific or historical research purposes, with anonymization when possible.
# '''Legal rights''': In judicial, administrative, or arbitral proceedings.
# '''Life and physical safety''': To protect vital interests of the data subject or others.
# '''Health protection''': Processing by health professionals or services for preventive care, diagnosis, or treatment.
# '''Fraud prevention and data subject security''': A specific legal basis that applies '''only to sensitive data''', aiming to ensure integrity and security, including authentication in digital systems.
 
==== Important Distinction ====
The following legal bases do '''not apply to sensitive personal data''':
 
* '''Contract performance'''
* '''Legitimate interest'''
* '''Credit protection'''
(Ref: ''Article 11, LGPD'')
 
== Rights of Data Subjects ==
Under the '''LGPD''', data subjects are granted the following rights regarding their personal data, which they can exercise at any time by request to the data controller:
 
# '''Confirmation of Processing:''' Know whether their data is being processed.
# '''Access to Data:''' Access their personal data held by the controller.
# '''Correction:''' Request correction of incomplete, inaccurate, or outdated data.
# '''Anonymization, Blocking, or Deletion:''' Apply these measures to unnecessary, excessive, or unlawfully processed data.
# '''Data Portability:''' Transfer their data to another service provider, respecting commercial and industrial secrecy.
# '''Deletion of Consent-Based Data:''' Request deletion of data processed based on consent, unless legally required to retain.
# '''Information on Sharing:''' Know with whom their data has been shared.
# '''Refusal of Consent:''' Be informed about the option of not giving consent and the consequences.
# '''Withdrawal of Consent:''' Revoke consent at any time.
 
Additional rights include:
 
* '''Object to Processing:''' Challenge data processing based on non-consent legal bases if it violates the LGPD.
* '''Petition to ANPD:''' File complaints with the National Data Protection Authority.
* '''Review of Automated Decisions:''' Request human review of decisions made solely by automated processing (e.g., profiling or credit scoring).
 
Controllers must respond to requests '''free of charge''' and within regulatory deadlines. Data must be provided in a clear, accessible format, either digitally or on paper.
(Ref: ''Articles 18–20'', LGPD)
 
== Obligations of Data Controllers and Processors ==
Controllers and processors must implement, for example:
 
* Data protection policies and impact assessments
* Security measures (technical and administrative)
* Clear communication channels for data subjects
* Incident notification procedures (within a reasonable time to the '''ANPD''' and, if necessary, to data subjects)
(Ref: ''Articles 37–41'', LGPD)
 
== Role of the National Data Protection Authority (ANPD) ==
The '''Autoridade Nacional de Proteção de Dados (ANPD)''' is the Brazilian regulatory authority created to enforce the LGPD. It is responsible for:
 
* Overseeing compliance
* Investigating and applying administrative sanctions
* Issuing guidance and regulations
* Promoting data protection awareness
 
The ANPD also acts as a bridge between Brazil’s legal framework and international data protection standards, facilitating cooperation with other supervisory authorities.
(Ref: ''Articles 55–59'', LGPD)
 
== Sanctions and Enforcement ==
Non-compliance with the LGPD can result in administrative sanctions, including:
 
* Warnings
* Fines of up to '''2% of a company’s revenue in Brazil''', capped at '''BRL 50 million''' per infraction
* Publicizing the infraction
* Blocking or deletion of data
 
The law also allows for civil and criminal liability under other applicable legislation.
(Ref: ''Article 52'', LGPD)
 
== International and Multistakeholder Relevance ==
The LGPD plays a significant role in the '''global data governance landscape'''.
 
By harmonizing with principles of the '''GDPR''', it facilitates '''cross-border data flows''' and '''international cooperation'''. The law also reinforces Brazil’s participation in global forums related to '''Internet governance''', such as the '''Internet Governance Forum (IGF)''' and '''ICANN’s multistakeholder ecosystem''', by ensuring trust and accountability in data-driven systems.


== References ==
<references />