open search
Brazil Internationales Arbeitsrecht

Brazil – new, stricter data protection rules take effect

Print Friendly, PDF & Email

Brazil has adopted a law introducing new and more stringent GDPR-style data protection provisions. On 14 August 2018 President Michel Temer sanctioned the new Brazilian General Data Protection Law (LGPD), which regulates the processing of personal data by individuals, private entities and public authorities.

The LGPD reproduces some of the central points of the European General Data Protection Regulation (GDPR), which became effective on 25 May 2018, and which imposes significant compliance obligations on companies that process data or offer services to individuals in Europe. In common with the European legislation, the LGPD establishes the principle of extraterritoriality, that is, the Law also applies to companies based outside Brazil that treat data collected in Brazil or provide services intended for Brazilians.

The Bill of Law that was the starting point for the LGPD was widely discussed for about eight years in various sectors of Brazilian society (including public agencies, data specialists and companies) and its approval is a major step forward for the country in terms of data protection. The new Law is expected to foster business and bring greater legal certainty to relationships involving the processing of personal data.

Aiming at creating an environment offering enhanced protection for consumer data, the new legislation creates requirements and obligations, with which organisations and individuals involved in processing data will have to comply. These requirements include, for example, the need for free, specific and revocable consent from the data subject; easier access to information about data treatment; a right for the data subject to demand the correction or deletion of data; and specific rules on international data transfers.

The Bill of Law submitted for approval to the Presidency was subject to certain vetoes, justified by public interest arguments and the possible unconstitutionality of certain articles. Sections that prohibited the sharing of personal data by the government with private legal entities were excluded. The section stating that if personal data was shared among public law entities, that fact needed to be made public was also excluded, on the basis that it would have an impact on surveillance and control activities by public authorities, and on the activities of the administrative police.

Some administrative sanctions were also excluded from the final text of the Law. The administrative sanctions that still apply include daily fines, or one-off fines of up to 2% of sales of the corporate group in Brazil, up to a ceiling of BRL 50 million.

The most important veto, which had been predicted, related to the creation of the National Data Protection Authority (ANDP) and the National Council for the Protection of Personal Data and Privacy. Several Ministries, in addition to the Central Bank of Brazil, considered the articles establishing these bodies were unconstitutional, given that both the ANPD and the Council should be created on the initiative of the executive branch of government. A Provisional Measure or a new Bill of Law is expected to be published soon, to address this gap.

The Law was published in the Official Gazette on 15 August 2018 and data processors have 18 months from that date to adapt their procedures to comply with the new rules.

Verwandte Beiträge
Belgium Internationales Arbeitsrecht Neueste Beiträge

How to deal with ex-employees’ email accounts: the Belgian DPA strengthens its position

The Belgian DPA has recently fined a company for delaying the closure of ex-employees’ email accounts. The Belgian Data Protection Authority (DPA) recently decided to impose an administrative fine of EUR 15,000 on a company that only closed email addresses linked to employees (surname and first name) who had left the company after 2.5 years. According to the DPA, non-closure of these email addresses constitutes…
Corona Internationales Arbeitsrecht Neueste Beiträge

What personal data can organisations process in the fight against coronavirus?

Many organisations are taking preventive measures to prevent the spread of Covid-19, ranging from health and travel questionnaires to temperature measurement. This article gives a view from Belgium on the data protection implications of these measures. Due to the outbreak of COVID-19, organisations are taking various preventive measures to prevent the spread of the virus. These range from questionnaires (about recent destinations, medical symptoms, etc.)…
Internationales Arbeitsrecht

European Court of Justice - A ‘Like’ button on your website? Then you are a joint data controller with Facebook!

Website operators who feature a ‘Like’ button have been ruled to be joint controllers for data protection purposes in a recent European Court of Justice judgement. In a judgment of 29 July 2019 (Fashion ID GmbH & Co, C-40/17) the European Court of Justice ruled that operators of a website that features a ‘Like’ button are controllers jointly with Facebook. This means they must make an arrangement with…
Abonnieren Sie den KLIEMT-Newsletter.
Jetzt anmelden und informiert bleiben.

Die Abmeldung ist jederzeit möglich.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert