Everything about the Brazilian LGPD - General Data Protection Law.

7 months ago
João Bruno Soares
12 minutes

The purpose of this article is purely informative - AdOpt does not provide legal advice, and we are not responsible for any actions taken by third parties in the free interpretation of the law.

Summary: All the important information about the General Data Protection Law - LGPD: what it is, why it exists, how it works, when it came into force, who it applies to, potential fines, steps for compliance, and its legal principles.

Welcome!

This text was created to help you understand the law as a whole, from basic principles to compliance, its steps, and prepare you to make the necessary adjustments. Within each topic or subtopic, I've included other more advanced articles to help you delve deeper into individual subjects.

Note: This article serves as a comprehensive repository of everything we have read, know, and have recorded for our readers and clients. In the table of contents below, you can access each section individually.

Oh, and since we're always updating and adding new content here, you'll notice that there's always something new!

Best regards and happy studying!

What is the General Data Protection Law - LGPD - Law 13,709/18?

The General Data Protection Law, known as the "Brazilian GDPR," was enacted during the Temer government in August 2018. It establishes the parameters for the collection, storage, processing, and sharing of personal data.

The General Data Protection Law (LGPD) is Brazilian legislation that regulates how personal data is used. The law applies to both physical and digital data obtained via the internet.

How Did LGPD Come About?

With the growth of technology giants like Google, Facebook, Amazon, Apple, etc., the personal data of their users and customers became increasingly valuable, as it held the key to understanding the behavior and consumption patterns of these individuals.

Have you ever thought that the user base of Facebook is larger than the population of many countries in the world? Within this private and 100% controlled universe, there was no prevailing international legislation, and everyone was treated "equally," beyond international treaties or diplomatic orders.

Add to this the fact that over 50 million Facebook profiles were manipulated by a company, giving rise to the Cambridge Analytica scandal, which amplified the public debate on privacy and data usage. The way companies obtained data and shared it with third parties, relying on masked authorizations, began to be questioned.

Everyone leaves their traces on the internet: login data, passwords, age, location, preferences, personal tastes, political and religious opinions, credit cards, and even our faces. People constantly share this information, sometimes without being aware of it.

In this scenario of debates and insecurities about privacy, Brazil followed a global trend and created the General Data Protection Law. This measure will force all companies to adjust - and if they do not, the penalties are severe.

Diplomatic Risks Stemming from Personal Data

Does Internal Legislation Suffice for Data Protection?

Certainly, what we refer to as internal legislation would be precisely the Terms of Use of the platform and its privacy policy. However, do these terms truly uphold the rights of citizens in their respective countries? How can a country, infinitely smaller than Facebook (in terms of population and even budget), protect its citizens' data?

Isn't this a risk of diplomatic and international proportions? Does Facebook wield more power than the president of your country?

Now, let's consider Amazon. What impact does it have on local commerce and entrepreneurs when it decides to enter a new market? The megalomania of the world's largest e-commerce platform continues to penetrate new markets and countries with extremely controlled and competitive prices, along with delivery and customer service standards that are, for many local businesses, an operational dream.

Here, we face yet another risk, the economic one. If internet-generated data informs me that you left a pair of shoes in your e-commerce cart, or that you have an interest in cooking, what power do I have in my hands if I sell shoes or kitchen items globally?

This is just to illustrate two aspects. We could also delve into the realm of communications, encompassing all devices (from Apple to Android), the servers that run all these digital technologies (AWS, Oracle, Microsoft), and even healthcare. Just like the shoe example above, imagine a scenario where data reveals an emergency or continuous-use medication need. Would a pharmaceutical company be interested in this data?

In the end, it's no wonder that in 2017, The Economist declared that data would be the new oil. And, just like any scarce and valuable resource, there's a race for it. Legislation comes into play, and the international rule tends to be "grab what you can while it's unregulated."

It's precisely in this context of companies growing at an astonishing pace, driven by the technology they create, and the inadequacy of strong legislation to protect citizens beyond the terms of use of Big Tech companies, as they are known, that the GDPR (General Data Protection Regulation) was born on May 25, 2018, for citizens in the European Union.

Why Does LGPD Exist?

It's common for companies to have forms on their websites collecting emails and information to send offers and personalized content to customers and prospects. E-commerce platforms require basic information to complete purchases: name, last name, email, address, and all the digits of your credit card.

What's the problem with this? None, if you work ethically. In fact, it's what a business needs to send its offers and satisfy its customers. But after scandals like the Cambridge Analytica incident, people started to worry more about their privacy and how their data was being used questionably (and dangerously) by some companies.

  • Why is Company X collecting data?
  • What data are they collecting?
  • For what purpose are they using customers' personal information?
  • With whom are they sharing this data?

LGPD, which came into effect in 2020, will make this relationship between individuals and companies fairer and apply fines ranging from 2% of revenue up to 50 million reais. People will know what data is being collected and why. Companies interested in this data will provide this information, making their work ethical and transparent.

But, to better understand Brazilian legislation and its implications for individuals (CPF) and companies (CNPJ), it's necessary to look at a previous law: GDPR, a European law created in 2016.

A Right Never Before Seen by a Citizen.

The General Data Protection Regulation (GDPR), in Portuguese Regulamento Geral de Proteção de Dados, is a European law. This regulation was created in 2016 and implemented in 2018.

It's important to note that since data usage became relevant in Europe, around the 1980s, this topic began to be discussed. Before GDPR emerged, the European Union already had, since 1995, the Data Protection Directive aimed at personal data protection.

GDPR came into effect during a turbulent period, marked by scandals and cases of data misuse by companies. Consequently, pressure increased for other countries to adhere and create legislation with the same purpose.

For the first time in history, a European citizen could enter ANY company to ask if they had data about them, or on them, and demand that it be formally delivered to them, or even require its deletion, without prejudice to other laws. Companies faced hefty fines if they didn't comply with such requests.

Using a trendy term, citizens were empowered as never before.

GDPR revolutionized markets as a whole because, regardless of where you operated, it protected European citizens beyond borders. How so? If a European citizen accessed a Brazilian website, that site was obligated to handle the citizen's data in accordance with GDPR or an equivalent local law if such a law existed.

This is where the turmoil began because no country had - at that time - such legislation. Consequently, GDPR foresaw this and stated that if there was no local legislation or if the local legislation was less stringent in terms of privacy rights, GDPR would override local legislation in those terms.

With LGPD, Brazil joins a list of around 100 countries that have adequate data protection regulations. This step is also important for international trade relations because countries that follow the law only partner with those who adhere to the same security and privacy guidelines.

The Global Reaction to Such Stringent New Legislation.

Can you then visualize the pressure this put on all countries that negotiated, sold, or accessed European citizens' data?

Soon, local laws that were nearly a CTRL-C, CTRL-V of GDPR began to emerge to protect their own citizens and attempt to balance the market. Each country not only had its own interpretation in theory but could also observe what was happening in the European domestic market, where companies were already facing these changes in their day-to-day operations.

Fines, more fines against Google, Facebook, etc., were applied, and billions of euros were paid out until technologies and processes were properly adapted. And even today, much work is being done for the market to get used to this situation and navigate this sea, now completely demarcated.

Without Equivalent Legislation, You Could Be Excluded.

In the end, this is the context that forced many countries to have their own privacy laws (even North Korea has a privacy law, believe it or not). So, Brazil quickly took the initiative to create the General Data Protection Law - LGPD so it could already argue for its own interests. After its creation in 2018, the law gave the market an adaptation period for companies to comply, which ended in August 2020, leaving only the fines to come into effect in August 2021.

Who Does the Law Apply To?

According to articles one and three of the law, LGPD applies to any natural or legal person, whether public or private, as long as:

  • Data processing occurs in Brazil.
  • It aims to offer goods or services within the national territory.
  • Data collection was performed in Brazil.

In other words, foreigners who contact Brazilian companies and provide their data should also have their privacy respected according to the law.

To Whom Does the Law Not Apply?

And to whom does the law not apply?

According to the fourth article, the law does not apply to natural persons who use data for non-economic and personal purposes. It also doesn't apply to data used exclusively for journalistic, artistic, academic, public safety, and national defense purposes, as well as investigations and criminal actions.

But, to better understand in which cases the law applies and in which it doesn't, we need to understand the principles behind the regulation, which is based on GDPR.

The Principles of the General Data Protection Law - LGPD

The sixth article of the General Data Protection Law specifies ten principles on which the regulation is based. These are the same principles as GDPR. It's important to understand them because the law relies on them, and by knowing them, you'll know how to act and how not to.

They are:

  1. Purpose: Data collected can only be processed for legitimate purposes that have been specified to the data owners. No company can collect information for one purpose and use it for another. In practice: If you collected an email saying you would send informative fashion content, you cannot send clothing offers.
  2. Adequacy: Data processing must be adequate for the purpose. No data can be used in a way that hasn't been previously informed. In practice: If you collected information to send emails, informing the owner, you cannot send content to them through Facebook.
  3. Necessity: Companies should only collect information necessary for their objectives. In practice: If you want to send informative content via email, why would you ask for a person's physical address? This wouldn't align with the necessity principle.
  4. Free Access: Every user must have easy and free access to learn how a company uses their data and for how long. In practice: A customer can review the information you have about them and decide to delete some they no longer want to share.
  5. Data Quality: This principle ensures that the data processed will be accurate, up-to-date, and relevant. In practice: If a data owner notices their data is outdated, they can request changes.
  6. Transparency: Transparency provides data owners with easy access to information about the data held, how it's processed, and who processes it. In practice: If a customer receives an email from you with an offer, they can ask for the purpose of the email and the criteria used, as well as who was responsible for data processing.
  7. Security: According to this principle, companies must protect the information they are given. In practice: If a customer provides their credit card information and verification code to shop in your store, you must ensure this information is protected and kept confidential, preventing leaks and fraud.
  8. Prevention: According to this principle and the previous one, every company must take measures to prevent data misuse. In practice: Your company will be penalized if this data is transmitted to other companies.
  9. Non-Discrimination: No data can be used for illicit or abusive discriminatory purposes. In practice: If a company processes data based on social class and uses it to offer advantages to people of a higher social class, the company will be penalized.
  10. Responsibility and Accountability: Every company must be accountable for the data it obtains and show who the agents protecting that data are. In practice: Your company must have documentation proving how data is obtained and protected, in accordance with LGPD.

But, knowing the principles behind the law and how to act in accordance with them, a question arises: under what circumstances can data be used?

What Constitutes Data Collection in the General Data Protection Law LGPD?

The direct or indirect act, online or offline, of accessing the personal data of Brazilian citizens.

What Are Personal Data in LGPD?

Any "information related to an identified or identifiable natural person." In other words, data is considered personal when it allows the direct or indirect identification of the natural person behind the data, such as name, last name, date of birth, personal documents (such as CPF, RG, CNH, Work Permit, Passport, and voter ID, Reservist Card), addresses, phone numbers, personal emails, cookies, and IP addresses.

LGPD also defines sensitive personal data, those related to: "racial or ethnic origin, religious belief, political opinion, union membership or membership in a religious, philosophical, or political organization, data related to health or sexual life, genetic or biometric data, when linked to a natural person." Due to their greater potential for identification and even harmful and discriminatory qualifications, the processing of such data has even stricter rules.

But What About Anonymized or Encrypted Data?

It is important to note that when we have your data but it does not allow direct or indirect identification, we have what is called Anonymized Data. Many companies use encryption to anonymize all their data, thus avoiding even greater risks in case of leaks, for example.

This applies to all data collection interactions, online or offline, direct or indirect.

Would Any Person Be a Data Subject under LGPD?

Any natural person, yes. It is important to note, however, that Legal Entities have specific legislation that regulates their data and the types of sensitive information or information that should be public.

Therefore, when you, as an employee of a particular company, act on behalf of that company, for example by sending an email on its behalf, such data and information are considered part of the Legal Entity.

For this reason, your company's emails, phone number, employee registration, etc., are not your personal data and are subject to separate legislation, parallel to LGPD.

However, your CPF, RG, Work Permit, etc., which the company uses and processes to hire you or sell you a product or service, are yours and are covered by the General Data Protection Law LGPD.

How Does LGPD Affect My Daily Life as a Citizen?

There are numerous examples: when responding to satisfaction surveys in exchange for gifts, providing your CPF at the pharmacy for a discount, accessing your profile by giving your date of birth at your favorite store, identifying yourself and taking a photo to enter a commercial building... All these occasions constitute the collection of personal data, some sensitive (surveys by institutes mentioning race, sexual orientation, and religion), and are under the control of LGPD. Therefore, companies must accelerate the review of all their internal processes because any company with just 1 registered customer or 1 employee, for example, could already be questioned by citizens freely.

For this reason, in an age where Big Data with its numerous databases spread across the world and in the clouds is a very valuable asset, companies are studying numerous ways not only to be able to keep their operations running freely but also to reduce risks in compliance.

Data Subject Rights

The General Data Protection Law grants some rights to data subjects. It is important to know this because 1) your company needs to know how to proceed and which rights to respect; 2) your own data is also shared with companies.

There are 10 rights:

  1. To confirm that data is being used.
  2. To access the data.
  3. To correct and update provided data.
  4. To request data anonymization, preventing them from being identified as an individual.
  5. To request that data be transferred to another organization.
  6. To request complete data erasure (irreversible).
  7. To be informed about data sharing between organizations if required by law.
  8. To be informed about the possibility of non-consent and the consequences of not consenting to data.
  9. To fully revoke consent, freely and free of charge.
  10. To request the motivations behind a decision. For example, if a loan company validates a customer's credit based on a database, the customer can ask for the criteria and data used for that decision.

But now let's focus on one of the most critical points: what are the penalties for companies that do not comply with this set of laws?

What is the Penalty or Fine for LGPD?

LGPD provides for six administrative penalties or fines. If companies and organizations do not fully comply with the law, they are subject to fines and measures, which vary according to the severity of the violation.

Let's see what these six fines are:

  1. Warning. This warning will come with a deadline for the company to adapt and correct itself. If this is not done within the deadline, there will be a penalty.
  2. Simple fine based on revenue. This fine can be up to 2% of the legal entity's revenue. The limit is 50 million reais per violation.
  3. Daily fine. This fine also has a limit of 50 million reais.
  4. Publicizing the violation. In this case, the violation becomes public, and the damage to the company's image can be enormous.
  5. Blocking of personal data. This administrative sanction prevents companies from using the personal data collected until the situation is regularized.
  6. Deletion of personal data. This final penalty requires the company to completely delete the data collected in its services.

But, be cautious!

The ANPD - National Data Protection Authority will provide much more information on this, and we do not yet have a broad jurisprudence on the subject. Caution is advised, but we are still at the beginning of this chapter.

Here's another article about fines to help you

What is the National Data Protection Authority (ANPD)?

ANPD is the federal government agency responsible for the enforcement and implementation of LGPD (General Data Protection Law) in Brazil. Its role extends beyond just developing regulations aimed at promoting a culture of personal data protection, fostering adaptations and adjustments for the market. ANPD also conducts audits of companies and can apply fines and other administrative sanctions in cases of non-compliance with LGPD.

This agency falls under the federal branch of government and is currently not entirely independent.

Where to Begin LGPD Compliance for My Company?

Regardless of your company's size, focus on two perspectives that can guide you through the entire process: the Operational perspective and the lens of a Privacy Culture. They may not be your complete solution, but they are an excellent starting point. These perspectives will be the core of the other necessary steps, helping you deduce and measure things according to your company's size and sector.

Remember, your first challenge may indeed be compliance, but the next one will be maintaining that compliance. Therefore, it's not enough to have the best control spreadsheet if the company's culture does not support its maintenance. Below, we list some tasks that will help you better understand the steps you need to take, whether independently or with the help of a third-party consultancy, when viewed from an Operational and Cultural perspective.

Some tasks that, when seen from an Operational and Cultural perspective, will help you in your company's compliance:

  • Develop processes to assist you in mapping and managing all the data you control or operate. Transparency and awareness that data are now protected by law, and that "from the janitor to the CEO," everyone has responsibilities.

  • Review the company's processes, bringing co-responsibilities to the areas in order to list the handovers and contracts, internal and external responsibilities that each area is responsible for.

  • Always keep your Data Mapping / Data Inventory updated to facilitate consultation whenever necessary. Here you can delve into this subject

  • Risk analysis and security for potential data breaches. Both in online and offline environments, what are the risks of a data breach? This should be mapped and listed in your control.

  • List tools and points of contact between people and data. What is your responsibility, and how does it reflect on your suppliers and on the technologies that you bring in or help operate as a supplier?

  • Analysis of key internal and external contracts and compliance needs. Image rights, labor contracts, warranties, after-sales service. Every contractual relationship (LGPD's legal basis) needs to be rethought as a risk and/or an opportunity to access and process this data.

  • Alignment of the expertise required for LGPD to be implemented comprehensively and to emphasize the importance of this perspective, focused on personal data and its risks, throughout the day. You must have noticed that LGPD has a multidisciplinary nature. Who are the best people around you or on your team to help you with these new routines?

  • Parallel and complementary legislations that are reinforced or overwritten by LGPD. Consult lawyers, regional councils, and understand how your sector is responding to LGPD's guidelines.

  • Incorporate into the company's daily life a preference for appropriate planning and processes that prioritize the privacy of data subjects, regardless of the area and/or department.

  • Delegate to department managers the co-responsibility and custody of personal data that pass through their departments. Educate, reinforce, open channels for questions so that everyone - EVERYONE in the company has this awareness.

  • Just as fiscal laws mandated the obligation and right to issue invoices and later the possibility of adding CPFs to invoices, requiring many changes in specific departments, similarly, other previously exempt departments carry this responsibility in their processes. Convey to marketing, for example, that their actions now carry a different weight, and everyone is responsible for them.

  • So, always think long-term, about how to create routines and correct mistakes in order to stop them, not push them forward!

  • Understanding the principles of Privacy By Design - Embed this in your values and strengthen a culture of privacy.

  • Understanding the business model and the legal bases for your company and your customers. The entire chain is interconnected and co-responsible when this data is transmitted. Keep your processes and bring rigor to the others involved.

In short, this is quite an extensive list that we hope will help guide you through the challenge of compliance. Yes, it's significant, and yes, it's hard work, but it's necessary not only from a business perspective but primarily when we put ourselves in the shoes of the data subjects that we all are.

12 New Processes for an LGPD-Compliant Company

Now that you understand the principles behind LGPD, you've probably thought of various ways to comply with the regulation. All companies are making adjustments to align with best practices according to the regulations.

To assist you, we've listed 12 practical measures for your company to collect data in accordance with the regulations:

  1. Identify all types of information collected by your company, both online and offline. With whom is this information shared? How is it used? How long will it be stored? Answering these questions is the first step.
  2. Ensure that the data collected is truly essential for the operations conducted in your business. Do not collect unnecessary data – it's not in compliance with the law, and even if it were, it would be a waste of resources for your company.
  3. Appoint a Data Protection Officer. Depending on the size of your operations, this could be a new role negotiated with one of your employees.
  4. Have an accessible and specific privacy policy regarding all procedures for using personal data. Ensure that the privacy policy also states the reason for data processing.
  5. Inform all your customers in advance about changes to terms of use and privacy policies.
  6. Train the employees in your company responsible for data processing and ensure that everyone is up to date with LGPD.
  7. Demand clear and unambiguous consent from data owners. They should have no doubts about what they are doing – and it's your task to clear any doubts through your communication.
  8. Have mechanisms to prove that data subjects have indeed consented to data processing and to prove the revocation of consent if it occurs. These two procedures are called OPT-IN and OPT-OUT, respectively.
  9. Have mechanisms to obtain consent from legal guardians for the data of minors, if you have customers in that age group.
  10. Provide simple and easily accessible means for data subjects to request the deletion of their data.
  11. Inform customers if their data is shared with third parties, always specifying who these third parties are and the reason for this action.
  12. Ensure the deletion of personal data as soon as the purpose of processing has been fulfilled. If a customer has signed up to receive offers for a specific product, and that product no longer exists, ensure that the data will be deleted and not used for other purposes.

With this information in hand, you are prepared to comply with the General Data Protection Law. To assist you further, we've created a tool that will tell you if your website is compliant. You can access the tool here.

Transparency: A Value That Transcends Markets and Companies

In the section above, I listed various tasks that will help you with compliance.

But it's all in vain if transparency doesn't speak loudly and is woven into all these steps. Obviously, your size and market directly impact the level of transparency that is already required of you.

For example: at first glance, we don't assume accounting transparency from a restaurant. Just as we don't seek the cleanliness of a law firm's kitchen. However, in terms of Personal Data and, above all, Sensitive Personal Data, both have a responsibility – still equivalent under LGPD. Because the way they collect, process, and operate this data can offer risks according to the law. And when we talk about a fine proportional to the size of our company (2% of gross revenue), every caution is warranted.

In other words, even before wanting to avoid your responsibility or justify your size and market, always put yourself in the shoes of the data subject, which we all are when we step out from behind the counter, and have respect for the data entrusted to us.

When we make a historical analysis, it's easy to understand that GDPR was the pioneer in this field and influenced all the others when it was created in 2016. The texts are all public and available for consultation on the internet by all of us.

So, here, we have listed the main points of similarity and difference:

Differences:

  1. Territory where each one is valid.
  2. Which data subjects the law applies to.
  3. The definition of personal data.
  4. Who processes the data.
  5. Sale of personal data.
  6. Fines and penalties.

Similarities:

  1. Transparency regarding data usage.
  2. The power to update and delete data.
  3. Responsible Authority.

In this link, you can find a more detailed explanation of each of the points mentioned above.

What is the Deadline for LGPD Compliance?

The law has been in force since August 2020, and the beginning of fines and penalties was set for August 2021. In other words, if you haven't started yet, you are already late because, on average, a company takes 18 months to become compliant.

Need some tips? In this very article, go to the section: Where to Begin LGPD Compliance for My Company? In it, we have several questions that you could start trying to answer, whether through independent compliance or via consultancies, for example.

In this link, we have prepared a series of texts that are practically an introductory e-book that will also help you with the topic.

How to Understand LGPD Jurisprudence and Fines?

There is much to do to create a mature jurisprudence, indeed. With each decision supported by LGPD, given by judges and appellate judges... or with each appeal that mentions LGPD in its defense, a new opportunity for our understanding is created.

However, we still don't have many definitions about this (Feb. 2021) because ANPD is still establishing its processes and operational guidelines. As soon as we have the direct action and fine(s) from ANPD, we will have these records for eventual consultations.

It's worth keeping an eye on these decisions at https://lgpdnews.com/ as they always provide us with up-to-date LGPD news.

How Does an ANPD Audit Work According to LGPD?

We still don't have many definitions about this (Jun. 2022) because ANPD is still establishing its processes and operational guidelines. As soon as we have the direct action from ANPD, we will have these records for eventual consultations.

How Does LGPD Compliance Work?

This depends a lot on the size of your company, the market you operate in, and your understanding of the law. Not to mention the maturity of your company's processes for the new processes and routines that LGPD brings with it.

In this article itself, go to the section: Where to Begin LGPD Compliance for My Company? In it, we have several questions that you could start trying to answer, whether through independent compliance or via consultancies, for example.

What Are the Legal Bases of LGPD?

Without getting too legalistic or trying to give you a perfectly technical answer, the Legal Bases of the General Data Protection Law – LGPD are the reasons and justifications, supported by LGPD, for which companies not only can but must have access to the eventual data of data subjects in order to perform their functions.

It's essential that you understand them in detail and, above all, find the legal basis that allows for the direct or adjusted maintenance of your company's current operations.

Below are the 10 Legal Bases of the General Data Protection Law – LGPD.

  1. Data Subject's Consent.
  2. Legitimate Interest.
  3. Legal Obligation.
  4. Compliance with Public Policies.
  5. Research Bodies.
  6. Contract Performance.
  7. Exercise of Rights.
  8. Protection of Life.
  9. Health Protection.
  10. Credit Protection.

There are numerous discussions and deep dives for each of them.

We've put together this article here that compiles descriptions for you to start delving into each of them.

What is the Most Popular Legal Basis of LGPD?

Certainly, the most popular Legal Bases of LGPD are Consent and Legitimate Interest, because it is easy to try to justify access to, or a possible need for, Personal Data that arises in the commercial relationship between the company and the data subject (you and me).

However, we must be very cautious about how subjectively we treat them as the basis for our data collection, processing, etc. According to Article 8 of LGPD, Consent cannot be generic, subjective, or biased. So make sure that the consents collected are detailed and 100% valid in accordance with the law.

In this article, we have a very detailed explanation: Demystifying the Legal Basis of Legitimate Interest.

Is Consent the Best Legal Basis of the General Data Protection Law - LGPD?

Some argue this thesis, but it's not everything!

Biased consent can invalidate everything...

There are already studies comparing consent with the so-called "Adhesion Contracts," the famous "I Agree" in contracts we never read, which are easily broken by the other party's lawyers, mainly due to the lack of clarity and of options for making a decision customized to that person or occasion, among others.

If this is your case, and you only see Consent as the Legal Basis for the use of personal data, consult a lawyer who specializes in LGPD to help you with the stages of communication, collection, storage, and management of these consents.

There is still a lot to discuss on this topic. For now, this is what we have, but we will soon provide further updates and study topics.
