open search
Brazil Internationales Arbeitsrecht

Brazil – new, stricter data protection rules take effect

Print Friendly, PDF & Email

Brazil has adopted a law introducing new and more stringent GDPR-style data protection provisions. On 14 August 2018 President Michel Temer sanctioned the new Brazilian General Data Protection Law (LGPD), which regulates the processing of personal data by individuals, private entities and public authorities.

The LGPD reproduces some of the central points of the European General Data Protection Regulation (GDPR), which became effective on 25 May 2018, and which imposes significant compliance obligations on companies that process data or offer services to individuals in Europe. In common with the European legislation, the LGPD establishes the principle of extraterritoriality, that is, the Law also applies to companies based outside Brazil that treat data collected in Brazil or provide services intended for Brazilians.

The Bill of Law that was the starting point for the LGPD was widely discussed for about eight years in various sectors of Brazilian society (including public agencies, data specialists and companies) and its approval is a major step forward for the country in terms of data protection. The new Law is expected to foster business and bring greater legal certainty to relationships involving the processing of personal data.

Aiming at creating an environment offering enhanced protection for consumer data, the new legislation creates requirements and obligations, with which organisations and individuals involved in processing data will have to comply. These requirements include, for example, the need for free, specific and revocable consent from the data subject; easier access to information about data treatment; a right for the data subject to demand the correction or deletion of data; and specific rules on international data transfers.

The Bill of Law submitted for approval to the Presidency was subject to certain vetoes, justified by public interest arguments and the possible unconstitutionality of certain articles. Sections that prohibited the sharing of personal data by the government with private legal entities were excluded. The section stating that if personal data was shared among public law entities, that fact needed to be made public was also excluded, on the basis that it would have an impact on surveillance and control activities by public authorities, and on the activities of the administrative police.

Some administrative sanctions were also excluded from the final text of the Law. The administrative sanctions that still apply include daily fines, or one-off fines of up to 2% of sales of the corporate group in Brazil, up to a ceiling of BRL 50 million.

The most important veto, which had been predicted, related to the creation of the National Data Protection Authority (ANDP) and the National Council for the Protection of Personal Data and Privacy. Several Ministries, in addition to the Central Bank of Brazil, considered the articles establishing these bodies were unconstitutional, given that both the ANPD and the Council should be created on the initiative of the executive branch of government. A Provisional Measure or a new Bill of Law is expected to be published soon, to address this gap.

The Law was published in the Official Gazette on 15 August 2018 and data processors have 18 months from that date to adapt their procedures to comply with the new rules.

Verwandte Beiträge
Internationales Arbeitsrecht Neueste Beiträge

The general public's enthusiasm for artificial intelligence (AI) technologies is making its way into the workplace.

While AI offers many advantages, employers must remain aware of the risks that a lack of supervision can generate.  Avoiding discrimination Discrimination is one of the risks most feared by the intrusion of AI into decision-making processes, particularly in terms of recruitment and candidate selection. Failure to comply with non-discrimination rules exposes the employer to various risks, ranging from the invalidity of the decision in…
Internationales Arbeitsrecht Neueste Beiträge

Can employers monitor their employees’ social media posts?

Increasingly, employers are being made aware of employee misconduct that is evidenced by photos, videos or other social media posts. What are employers allowed to do when it comes to their employees‘ posts, what are the limits, what should they bear in mind when using these posts? Here we consider the situation in Germany, with comments from our experts in 19 other jurisdictions. Employee posts…
Brazil Internationales Arbeitsrecht Neueste Beiträge

Data protection in Brazil: what to expect this year

In 2023, the Brazilian General Data Protection Law (LGPD) celebrates five years since its publication. Since its entry into force in 2020, the LGPD has come a long way, but there are several legal issues relating to the protection of personal data that still need further refinement.  Brazilian Data Protection Authority Among the main changes since the enactment of the LGPD has beenthe change in…
Abonnieren Sie den kostenfreien KLIEMT-Newsletter.
Jetzt anmelden und informiert bleiben.


Die Abmeldung ist jederzeit möglich.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert