Global Data Privacy Guide
Brazil (Latin America/Caribbean)
Firm: Demarest Advogados
Contributors: Tatiana Campello
1. What is the key legislation?

Brazil approved the Brazilian General Personal Data Protection Law (Law No. 13,709/2018, "LGPD"), published on August 15, 2018. The LGPD came into force on September 18, 2020; its administrative sanctions provisions have only been in force since August 1, 2021. Besides the provisions of the LGPD, general principles and provisions on data protection and privacy are found in the Federal Constitution, the Civil Code and other laws and regulations that address particular types of relationships, such as Law No. 12,965/14 and its implementing regulation, Decree No. 8,771/2016 (collectively referred to as the "Brazilian Internet Act"), the Consumer Protection Code and labor laws.

Note: The LGPD regulates the processing of personal data, including in digital media, by a natural or legal person, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person. It applies to the processing of personal data in the following situations: (i) processing that takes place in Brazil; (ii) when products or services are offered in Brazil or when processing involves individuals located in Brazil; and (iii) when the data is collected in Brazil. The LGPD also sets out some exceptions to its applicability. For the purposes of the LGPD, "processing" means any operation of collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, disposal, evaluation or control of information, modification, communication, transfer, diffusion or extraction of personal data.

For reference, the Brazilian Internet Act establishes principles, guarantees, rights and duties for the use of the Internet (in any operation of collection, storage, retention and handling of personal data or communications data by Internet connection providers and Internet application providers, where at least one of these acts takes place in Brazil), including general principles for the protection of privacy and personal data on the Internet.
2. What data is protected?

Personal data and sensitive personal data, as detailed below.

Note: The LGPD defines "personal data" as any data related to an identified or identifiable natural person, including identification numbers, location data or electronic identifiers, when these are related to a person. Sensitive personal data is defined as data concerning racial or ethnic origin, religious conviction, political opinion, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sex life, and genetic or biometric data, when linked to a natural person.

The Brazilian Internet Act regulation defines personal data as data related to an identified or identifiable natural person, including identification numbers, location data or electronic identifiers (such as an IP address), when these are related to an individual. In addition to the definition of personal data, certain rights are protected under this legal framework, such as private communications and individuals' intimacy, privacy and image rights.

In general terms, the two definitions above, from the Brazilian Internet Act and the LGPD, are consistent with each other.
3. Who is subject to privacy obligations?

In general terms, any legal entity or individual is subject to privacy obligations. In addition, (i) the Brazilian Internet Act must be complied with by Internet connection providers and Internet application providers, and (ii) the LGPD must be complied with, basically, by data controllers (i.e. persons empowered to make decisions on the processing of personal data) and data operators (i.e. persons who process personal data on behalf of controllers).

Note: The Brazilian Internet Act must be complied with by Internet connection providers and Internet application providers in any operation of collection, storage, retention and handling of personal data or communications data where at least one of these acts takes place within Brazil, provided that (i) at least one of the terminals gathering, storing, retaining or processing the personal data or communications data is located within Brazilian territory; and (ii) the services are offered to the Brazilian public, where the services are rendered by a legal entity located abroad, or at least one member of the same economic group as the service provider is established in Brazil.
4. What are the principles applicable to personal data processing?

Art. 6 of the LGPD sets forth the principles applicable to processing. Personal data processing activities must observe good faith and the following principles: (i) purpose; (ii) adequacy; (iii) necessity; (iv) free access; (v) data quality; (vi) transparency; (vii) security; (viii) prevention; (ix) non-discrimination; and (x) accountability and responsibility. In any case, processing must also be conducted in accordance with a valid legal basis, for legitimate and specific purposes, and with the preservation of the data subject's rights.
5. How is the processing of personal data regulated?

The LGPD provides that the processing of personal data is permitted under a number of circumstances (grounds), such as: (i) consent of the data subject; (ii) compliance with a legal or regulatory obligation by the controller; (iii) execution of contracts with the data subject or preliminary proceedings related thereto; (iv) the legitimate interests of the controller or third parties; (v) compliance with judicial, administrative or arbitration proceedings; etc.

The LGPD ensures the transparency principle, which guarantees data subjects accurate and easily accessible information about the processing of their personal data by controllers.

Under the LGPD, consent (when this is the ground for processing) shall:
- be given in writing (in a clause that stands out from the other clauses) or by another means that demonstrates the manifestation of the will of the data subject, in a free, informed and unequivocal way;
- specify the purpose of the processing of personal data (and any change of purpose);
- specify whether there will be sharing with other controllers; and
- state prominently whether the processing of personal data is a condition for the provision of the product or service or for the exercise of any right by the data subject.

It is also important to note that:
- consent must relate to specific purposes, so generic authorizations for the processing of personal data are void;
- consent may be revoked at any time by an express statement of the data subject, through a free and facilitated procedure offered by the controller;
- where processing is based on consent, the consent is null and void if the information provided to the data subject is misleading or abusive or was not previously presented in a transparent, clear and unequivocal manner; and
- consent to an international transfer must be specific and prominent, given with prior information on the international character of the transaction, and clearly distinguished from other purposes.

Note: There are also other specific rules for handling sensitive personal data, children's and teenagers' personal data, etc., which must be observed separately from the situation described above.
6. How are storage, security and retention of personal data regulated?

Under the LGPD, the main duties in handling personal data are as follows:
- keep records of personal data processing operations;
- prepare a data protection impact assessment ("DPIA") on the protection of personal data, if so determined by the competent authority;
- adopt technical, security and administrative measures to protect personal data; and
- designate a Data Protection Officer ("DPO").

The LGPD also determines that personal data must be eliminated when its processing ends, within the scope and technical limits of the activities. However, data retention is authorized for the following purposes:
- compliance with a legal or regulatory obligation by the controller;
- study by a research body, guaranteeing, whenever possible, the anonymization of the personal data;
- transfer to a third party, provided that the data processing requirements of the LGPD are respected; and
- exclusive use of the controller, with access by third parties forbidden and provided the data is anonymized.

Moreover, controllers shall:
- adopt security, technical and administrative measures capable of protecting personal data from accidental or unlawful destruction, loss, alteration, communication or any form of inappropriate or unlawful processing;
- communicate to the National Data Protection Authority ("ANPD") and to the data subject, within a reasonable time, the occurrence of any security incident that could lead to significant risk or damage to the data subjects; and
- adopt any measures determined by the national authority to reverse or mitigate the effects of the incident.

As a general rule, the storage and retention of personal data on the Internet must follow the same principles described in item 5 (please refer to the specific procedures below). In addition, the following security standards must be observed, according to the Brazilian Internet Act:
- strict control over access to data, by defining the responsibilities of the persons who will have access and the exclusive access privileges of certain users;
- authentication mechanisms for accessing records, using, for example, dual authentication systems to ensure the individualization of the person responsible for processing the records;
- a detailed inventory of accesses to connection records and application access records, containing the moment, the duration, the identity of the employee or the accessor designated by the company, and the file accessed; and
- use of records management solutions based on techniques that guarantee the inviolability of the data, such as encryption or equivalent protection measures.

Note: In addition to our comments in the overview answer to item 6 above, it is worth underlining that:
- As a general rule, access records for Internet applications must be kept by the application provider in a confidential, controlled and secure environment for six months, or longer upon request of the competent authorities (custody of these records by connection providers is prohibited).
- The storage of the following is prohibited: (i) access records to other Internet applications without the prior consent of the data owner; and (ii) personal data that is excessive in relation to the purpose for which the owner gave consent.
- Connection records must be stored in a controlled and secure environment for a period of one year (this responsibility cannot be transferred to third parties).
- Application and connection records may be supplied to interested parties upon court order.
- Competent authorities may request access to the user's registration data (i.e. the user's name and surname, address, marital status and profession), but providers are not obliged to collect registration data, and those that do not collect it shall report that fact to the requesting authorities.
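The access-control, inventory and inviolability standards above, together with the retention periods in the Note, translate fairly directly into an audit-log design. The following Python is an added example written for this guide's context, not code from the guide or from Demarest: it keeps an append-only inventory whose lines carry the moment, duration, accessor identity and file accessed; it chains each line's HMAC tag to the previous tag so that a rewritten or deleted line fails verification (one way to provide the "encryption or equivalent protection" the Brazilian Internet Act asks for); it refuses to record an access that did not pass a second authentication factor; and it decides whether a record is still inside its statutory retention period (six months for application access records, one year for connection records, extended while a competent authority has asked for longer custody). Field names, the key handling, the day counts used for the periods and the `mfa_verified` flag are assumptions made for the example; the sample accesses in `demo()` are constructed.

```python
"""Tamper-evident access inventory with statutory retention checks.
Added example for this guide's context; field names, HMAC chaining and the
mfa_verified flag are assumptions, the retention periods come from the guide."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Periods stated in the guide for the Brazilian Internet Act: connection records
# one year, application access records six months (day counts approximated here).
RETENTION_DAYS: Dict[str, int] = {"connection": 365, "application_access": 180}


@dataclass(frozen=True)
class AccessEntry:
    """One inventory line: the moment, duration, accessor identity and file accessed."""
    accessed_at: str      # ISO 8601 UTC timestamp of the access
    duration_s: int       # how long the records were open, in seconds
    accessor: str         # employee or accessor designated by the company
    file_accessed: str    # identifier of the record file that was read
    record_type: str      # "connection" or "application_access"
    mfa_verified: bool    # the accessor's session passed a second factor


class AccessInventory:
    """Append-only inventory. Each line's HMAC tag covers the previous tag, so
    editing or dropping an earlier line makes verify() fail."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._rows: List[dict] = []
        self._last_tag = b"\x00" * 32

    def _tag(self, entry: AccessEntry, prev: bytes) -> bytes:
        body = json.dumps(asdict(entry), sort_keys=True).encode()
        return hmac.new(self._key, prev + body, hashlib.sha256).digest()

    def record(self, entry: AccessEntry) -> None:
        if entry.record_type not in RETENTION_DAYS:
            raise ValueError(f"unknown record type: {entry.record_type}")
        if not entry.mfa_verified:
            # Access must be individualised through strong authentication;
            # an unauthenticated access is refused and never reaches the store.
            raise PermissionError(f"{entry.accessor}: access without second factor refused")
        tag = self._tag(entry, self._last_tag)
        self._rows.append({"entry": asdict(entry), "tag": tag.hex()})
        self._last_tag = tag

    def verify(self) -> bool:
        """Recompute the chain from the start; any edited or removed row breaks it."""
        prev = b"\x00" * 32
        for row in self._rows:
            expected = self._tag(AccessEntry(**row["entry"]), prev)
            if not hmac.compare_digest(expected.hex(), row["tag"]):
                return False
            prev = expected
        return True

    def entries(self) -> List[dict]:
        return [row["entry"] for row in self._rows]


def must_retain(record_type: str, created_at: datetime, now: datetime,
                authority_hold_until: Optional[datetime] = None) -> bool:
    """True while the record is inside its statutory period, or while a
    competent authority has requested that it be kept longer."""
    if authority_hold_until is not None and now < authority_hold_until:
        return True
    return now < created_at + timedelta(days=RETENTION_DAYS[record_type])


def demo() -> dict:
    """Constructed run: two authenticated accesses, one refused access,
    an in-place edit of an old line, and four retention decisions."""
    inv = AccessInventory(key=b"constructed-example-key")
    inv.record(AccessEntry("2022-03-01T10:00:00Z", 45, "alice@provider.example",
                           "conn-records-2022-02.log", "connection", True))
    inv.record(AccessEntry("2022-03-01T10:02:00Z", 12, "bob@provider.example",
                           "app-access-2022-02.log", "application_access", True))
    try:
        inv.record(AccessEntry("2022-03-01T10:05:00Z", 5, "carol@provider.example",
                               "app-access-2022-02.log", "application_access", False))
        refused = False
    except PermissionError:
        refused = True
    before = inv.verify()
    inv._rows[0]["entry"]["accessor"] = "nobody"  # simulate editing an old line
    after = inv.verify()
    utc = timezone.utc
    created = datetime(2022, 2, 1, tzinfo=utc)
    return {
        "entry_count": len(inv.entries()),
        "unauthenticated_access_refused": refused,
        "verified_before_tamper": before,
        "verified_after_tamper": after,
        "app_record_kept_at_5_months": must_retain(
            "application_access", created, datetime(2022, 7, 1, tzinfo=utc)),
        "app_record_kept_at_8_months": must_retain(
            "application_access", created, datetime(2022, 10, 1, tzinfo=utc)),
        "conn_record_kept_at_8_months": must_retain(
            "connection", created, datetime(2022, 10, 1, tzinfo=utc)),
        "app_record_kept_under_hold": must_retain(
            "application_access", created, datetime(2022, 10, 1, tzinfo=utc),
            authority_hold_until=datetime(2023, 1, 1, tzinfo=utc)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chained tag is what makes the inventory useful as evidence: a single HMAC per line would let an insider replace a line and its tag together, whereas here the replacement would also have to rewrite every later tag, which requires the key. In a deployment the key belongs in an HSM or a secrets manager separate from the people whose accesses are being inventoried, and the inventory should be written to storage those people cannot modify.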
7. What are the data subjects' rights?

The Federal Constitution provides for the rights of access to and rectification of personal data. In addition, other laws and regulations that address particular types of relationships (e.g. the Consumer Protection Code) also foresee such rights from the perspective of those specific regulations.

Furthermore, the LGPD specifically establishes that the data subject, upon request and at any time, has the right to: (i) confirmation of the existence of processing; (ii) access to the data held by the controller; (iii) correction of incomplete, inaccurate or outdated data; (iv) anonymization, blocking or deletion of data that is unnecessary, excessive or processed in non-conformity with the LGPD; (v) portability of his/her personal data to another service provider; (vi) deletion of personal data processed with the data subject's consent, except in the cases provided in art. 16; (vii) information about the public and private entities with which the controller has shared data; (viii) information about the possibility of denying consent and the consequences of doing so; (ix) revocation of consent; (x) petition to the ANPD; and (xi) review of decisions taken solely on the basis of automated processing.
8. Are there restrictions on cross-border data transfers?

The LGPD regulates the international transfer of data (i.e. the transfer of personal data to a foreign country or to an international organization of which the country is a member), requiring, for example:
- that the recipient country or international organization provide a level of protection adequate to the one provided in the LGPD;
- that the controller complies with the principles, the rights of the data subjects and the data protection regime provided in the LGPD through specific contractual clauses, standard contractual clauses, global corporate standards, or the adoption of codes of conduct and certifications; or
- the specific and highlighted consent of the data subject, given with prior information on the international nature of the operation; transfer is also possible in cases of compliance with a legal obligation, contract execution or judicial or administrative proceedings, for example.

Note: The ANPD is responsible for analyzing the level of data protection of the recipient country or international body mentioned above, taking into account:

The ANPD is also responsible for defining the content of standard contractual clauses, and for checking specific contractual clauses for a given transfer, global corporate norms, and the certificates and codes of conduct drawn up by controllers.
9. Are there any notification requirements for data breaches?

While the ANPD has yet to issue specific regulations, the authority has recommended that the notification be sent within 2 business days.

According to the guide published by the ANPD on incident reporting, the controller should provide the ANPD with the following identification information: (i) identification and contact information of the entity or person responsible for the processing; (ii) the DPO or other contact person; and (iii) an indication of whether the notification is complete or partial. In the case of a partial communication, it should be indicated whether it is a preliminary or a complementary communication.

Information about the incident to be provided to the ANPD: (i) date and time of detection; (ii) date and time of the incident and its duration; (iii) the circumstances under which the security breach occurred, such as loss, theft, copying or leakage; (iv) description of the personal data and information affected, and the amount of personal data and number of data subjects affected; (v) summary of the security incident involving personal data, indicating the physical location and storage medium; (vi) possible consequences and negative effects on data subjects; (vii) preventive security, technical and administrative measures taken by the controller in accordance with the LGPD; (viii) summary of the measures implemented so far to control the possible damage; (ix) possible problems of a cross-border nature; and (x) other information useful to affected data subjects to protect their personal data or prevent possible damage. In addition, the ANPD has made available a form that the controller must complete with answers to questions related to the incident.

The following minimum information is also recommended for data subjects: (i) description of the nature of the personal data affected (§ 1, I, art. 48 of the LGPD); (ii) technical and security measures used, observing commercial and industrial secrets (§ 1, III, art. 48 of the LGPD); (iii) risks related to the incident (§ 1, IV, art. 48 of the LGPD); (iv) reasons for the delay, in case the communication was not immediate (§ 1, V, art. 48 of the LGPD); (v) measures that have been or will be adopted to reverse or mitigate the effects of the harm (§ 1, VI, art. 48 of the LGPD); (vi) date and description of the nature of the breach; (vii) contact information for the person in charge of or responsible for the protection of personal data, and the best communication channel to answer questions (Customer Service); and (viii) possible measures to be taken by the data subject to mitigate risks, damages and adverse effects (such as changing his/her password). Regarding notification to data subjects, the ANPD has yet to provide further guidance, but that does not exclude the possibility of complaining before the National Authority and/or filing a lawsuit before the Judiciary.
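For an incident-response team, the two pieces of this answer that need tooling are the clock (2 business days from detection) and the distinction between a complete report and a preliminary or complementary partial one. The Python below is an added example, not code from the guide or from the ANPD's form: it computes the recommended deadline, checks which of the incident fields listed above are still missing, refuses to file without the identification block, and labels a partial report as preliminary on first filing and complementary afterwards. The field names, the weekday-only business-day rule (no holiday calendar) and the sample incident in `demo()` are assumptions constructed for the example.

```python
"""Breach-notification deadline and completeness helper. Added example for
this guide's context; field names, the weekday-only business-day rule and the
preliminary/complementary labelling are assumptions made here."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Identification block the guide lists for the report to the ANPD.
IDENTIFICATION_FIELDS = ["controller_identity", "controller_contact", "dpo_or_contact_person"]

# Incident block, one key per item (i)-(x) in the guide (names constructed).
INCIDENT_FIELDS = [
    "detected_at", "occurred_at_and_duration", "circumstances", "data_and_subjects_affected",
    "summary_location_medium", "consequences_for_subjects", "preventive_measures",
    "containment_measures_so_far", "cross_border_issues", "advice_to_subjects",
]


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `days` business days (Mon-Fri) from `start`. Public holidays are
    not considered; a production tracker would plug in a holiday calendar."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def notification_deadline(detected_at: datetime) -> datetime:
    """The ANPD-recommended window: 2 business days after detection."""
    return add_business_days(detected_at, 2)


def classify_report(report: Dict[str, object]) -> Tuple[str, List[str]]:
    """Return ('complete' | 'partial', incident fields still missing).
    The identification block is required even for a preliminary report."""
    missing_id = [f for f in IDENTIFICATION_FIELDS if not report.get(f)]
    if missing_id:
        raise ValueError(f"report cannot be filed without identification: {missing_id}")
    missing = [f for f in INCIDENT_FIELDS if not report.get(f)]
    return ("complete" if not missing else "partial", missing)


def communication_kind(report: Dict[str, object], already_notified: bool) -> str:
    """A partial report is 'preliminary' on first filing and 'complementary'
    when it follows an earlier filing; a complete report is just 'complete'."""
    status, _ = classify_report(report)
    if status == "complete":
        return "complete"
    return "complementary" if already_notified else "preliminary"


def demo() -> dict:
    """Constructed incident detected late on a Friday; first filing is partial."""
    detected = datetime(2022, 3, 4, 18, 30)  # a Friday (constructed)
    first_filing = {
        "controller_identity": "Example Controller Ltda. (constructed)",
        "controller_contact": "privacy@controller.example",
        "dpo_or_contact_person": "dpo@controller.example",
        "detected_at": detected.isoformat(),
        "circumstances": "unauthorized access to customer portal (constructed)",
        "data_and_subjects_affected": "names, e-mail addresses; about 1,200 subjects",
        "containment_measures_so_far": "forced password reset, session revocation",
    }
    status, missing = classify_report(first_filing)
    # Later filing with every incident field supplied.
    full_filing = dict(first_filing)
    for field in INCIDENT_FIELDS:
        full_filing.setdefault(field, "provided (constructed)")
    return {
        "deadline": notification_deadline(detected).isoformat(),  # skips the weekend
        "status": status,
        "missing_count": len(missing),
        "first_filing_kind": communication_kind(first_filing, already_notified=False),
        "follow_up_kind": communication_kind(first_filing, already_notified=True),
        "full_filing_kind": communication_kind(full_filing, already_notified=True),
    }
```

Filing a preliminary report inside the window and completing it later is usually preferable to waiting for the full picture: the deadline is measured from detection, not from the end of the investigation, and the missing-field list doubles as the checklist for the complementary communication.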
10. Who is the privacy regulator?

The LGPD created a privacy regulator, the National Data Protection Authority ("ANPD" or "National Authority"). The ANPD is a body of the federal public administration, part of the Presidency of the Republic, responsible for overseeing, implementing and monitoring compliance with the LGPD. The LGPD foresees the possibility of transforming the legal nature of the ANPD into an autonomous body two years after the enactment of the law. In general terms, the ANPD is responsible for:

Note: In addition to our comments in the overview answer to "Who is the privacy regulator?" above, we underline that:
11. What are the consequences of a privacy breach?

In addition to the applicable civil and criminal lawsuits, the LGPD establishes certain administrative sanctions in case of breach of privacy on the Internet. In the case of a privacy breach, the LGPD establishes the following obligations:

The LGPD provides for administrative sanctions such as: (i) a fine of up to two percent of the turnover of the legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to 50 million reais; (ii) a daily fine, subject to the total limit referred to in the previous item; (iii) disclosure of the infraction after it has been duly investigated and its occurrence confirmed; (iv) blocking of the personal data to which the infraction relates; (v) elimination of the personal data to which the infraction relates; (vi) partial or total suspension of the operation of the database to which the infraction relates, for a maximum period of six months; (vii) suspension of the personal data processing activity to which the infraction relates, for a maximum term of six months; and (viii) partial or total prohibition of any activities relating to data processing. These administrative sanctions became applicable as of August 1, 2021. Furthermore, on October 28, 2021, the ANPD approved the Regulation of the Supervision Process and the Sanctioning Administrative Process, which aims to establish the procedures for surveillance, monitoring, guidance and preventive action, as well as the rules to be observed in applying sanctions. It is worth noting that the ANPD has yet to determine the dosimetry of the sanctions and may still issue other directives. The Regulation states that the ANPD plans to take an educational approach, through corrective and compliance measures, before adopting stricter sanctions. However, depending on the conduct of the controller, the gravity of the incident and the measures taken, the ANPD is free to forgo the educational steps and directly apply the sanctions.
Note: Not only does the LGPD provide for sanctions, but the Brazilian Internet Act also sets out the following sanctions in case of breach of privacy in the Internet environment:
12. How is electronic marketing regulated?

Decree No. 7,962/2013 regulates the Consumer Defense Code with respect to e-commerce transactions, but it does not govern e-marketing practices such as spam e-mails, and Brazil has no specific anti-spam legislation in force. Please refer to the comments in the detailed answer to item 12 below. According to the LGPD, the processing of personal data is permitted under a number of circumstances (grounds), such as: (i) consent of the data subject; (ii) compliance with the law by the controller; (iii) execution of contracts with the data subject or preliminary proceedings related thereto; (iv) the legitimate interests of the controller or third parties; etc. The LGPD does not provide a specific ground for processing for the purpose of e-mail marketing. Therefore, two main grounds will possibly be acceptable (this will depend on the National Authority's discretion, future case law and case-by-case interpretation):

In any case, the controller shall adopt measures to guarantee the transparency of the processing of personal data based on its legitimate interest.

Note: In short, Decree No. 7,962/2013 has formalized principles and case law that were already applicable to the commercial relationship between consumers and providers of services and goods in online transactions, as a result of the general rules set forth in the Consumer Defense Code. The decree mainly regulated rights already foreseen in the Consumer Defense Code (e.g. a specific procedure for consumers to exercise their right to withdraw from an online purchase) and established some specific provisions for electronic sites or other electronic media used for collective purchasing. As regards spam e-mails, in general, if necessary, injured addressees may allege a violation of Article 65 of the Law of Criminal Misdemeanors, which makes it an offense to harass someone or disturb his/her tranquility out of defiance or for a reprehensible motive.
13. Are there any recent developments or expected reforms?

The LGPD came into force on September 18, 2020, and its administrative sanctions provisions only entered into force later, on August 1, 2021. In August 2020, the Brazilian National Data Protection Authority was officially and formally constituted by Decree No. 10,474/2020, which appointed the members of the Directing Council of the National Authority. As of now, the National Authority is formally constituted and able to exercise its functions and issue guidelines on the protection of personal data in Brazil. In 2021 and already in 2022, the ANPD issued multiple guidelines, such as on processing agents and the DPO, on the electoral context and for the public administration, besides issuing the regulation on the application of the LGPD to small processing agents and on the inspection and sanctioning administrative process. Besides this, the ANPD has established cooperation agreements with different public entities, such as the Superior Electoral Court, CADE, the National Consumer Secretariat and NIC.Br, as well as with international bodies, for example the Ibero-American Data Protection Network, the Spanish Authority and the Global Privacy Assembly. We still expect the National Authority to clarify other normative gaps left by the LGPD, such as the processing of personal data of children and teenagers, the requirements and methods for preparing data protection impact assessments, and specific procedures for international data transfers. For further information about the LGPD and data privacy in Brazil, please check Demarest's materials: "General Data Protection Law in Brazil", "ANPD ACT'S Timeline", "Regulation of the Oversight and Sanctioning Process within the ANPD Sanctioning Process" and our "Guide on Good Practices in Artificial Intelligence".
Updated 01 Mar 2022
It is worth mentioning that besides the provisions in the LGPD, general principles and provisions on data protection and privacy are provided in the Federal Constitution, Civil Code and other laws and regulations that address particular types of relationships, such as Law No. 12,965/14 and its Regulation on Decree No. 8,771/2016 (collectively referred to as the "Brazilian Internet Act"), the Consumer Protection Code and labor laws.
Note: The LGPD regulates the processing of personal data, including in digital media, by a natural or legal person, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person. It applies to the processing of personal data in the following situations (i) processing that takes place in Brazil; (ii) when products or services are offered in Brazil or when processing involves individuals located in Brazil; and (iii) when the data is collected in Brazil. The LGPD determines some exceptions of applicability. For the purpose of the LGPD “processing”, means any operation of collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, disposal, evaluation or control of information, modification, communication, transfer, diffusion or extraction of personal data.
For reference and knowledge, the Brazilian Internet Act establishes principles, guarantees, rights and duties for the use of the Internet (in any operation of collection, storage, retention and handling of personal data or communications data by Internet connection providers and Internet applications providers, where, at least, one of these acts takes place in Brazil), including general principles for the protection of privacy and personal data on the Internet.
Personal data and sensitive personal data, as detailed below.
Note: The LGPD defines “personal data” as any data related to an identified or identifiable natural person, including identification numbers, location data or electronic identifiers, when these are related to a person. Moreover, sensitive personal data is defined as data concerning racial or ethnic origin, religious conviction, political opinion, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data when linked to a natural person.
Personal data is defined by the Brazilian Internet Act regulation as data related to the natural person identified or identifiable, including identification numbers, locational data or electronic identifiers (such as IP protocol), when these are related to an individual. In addition to the definition of personal data, there are some rights protected under the aforementioned legal framework such as private communications and individuals' intimacy, privacy, and image rights.
In general aspects, both definitions above mentioned, by the Brazilian Internet Act and the LGPD are in conformity.
In general aspects, any legal entity or individual is subject to privacy obligations. In addition, (i) the Brazilian Internet Act shall be complied with by Internet connection providers and Internet applications providers and (ii) the LGPD shall be complied basically, by the data controllers (i.e. persons empowered to make decisions on the processing of personal data) and data operators (i.e. persons who process personal data on behalf of controllers).
Note: The Brazilian Internet Act shall be complied with by Internet connection providers and Internet applications providers in any operation of collection, storage, retention and handling of personal data or communications data where, at least, one of these acts takes place within Brazil, provided that (i) at least one of the terminals gathering, storing, retaining or treating the personal data or communications data is placed within Brazilian territory; and (ii) the services are offered to the Brazilian public, in case the services are rendered by a legal entity located abroad, or at least that one member of the same economic group of the service provider is established in Brazil.
The LGPD sets forth the principles applicable to processing on its Art. 6 of the LGPD. In this sense, personal data processing activities must observe good faith and the following: (i) purpose; (ii) adequacy; (iii) necessity; (iv) free access; (v) data quality; (vi) transparency; (vii) security; (viii) prevention; (ix) non-discrimination; (x) accountability and responsibility. In any case, processing must also be conducted in accordance with a valid legal basis, legitimate and specific purposes and the preservation of the data subject's rights,
The LGPD provides that, processing of personal data will be permitted under a number of circumstances (grounds), such as (i) by consent of the data subject; (ii) for compliance with law or regulation by the controller; (iii) for the execution of contracts with the data subject or preliminary proceedings related thereto; (iv) to guarantee legitimate interests of the controller or third parties; (v) to comply with judicial, administrative or arbitration process, etc.
The LGPD ensures the transparency principle that guarantees the data subjects accurate and easily accessible information about the processing of their personal data by the controllers.
Under the LGPD, consent (when this is the grounds for processing) shall:
- be written (in a prominent way of the other clauses) or by another means that demonstrates the manifestation of the will of the data subject, in a free, informed and unequivocal way;
- specify the purpose of the processing of personal data (or any change of purpose);
- specify whether there will be sharing with others responsible; and
- contain information, in a prominent way, if the processing of personal data is a condition for the provision of product/service or exercise of any right by the data subject.
- It is also important to note that:
- consent should relate to specific purposes and, therefore, generic authorizations for the processing of personal data will be void;
- consent may be revoked at any time by means of an express expression by the data subject, through a free and facilitated procedure offered by the controller;
- in cases where the processing of personal data is based on consent, it shall be null and void if the information provided to the data subject is misleading or abusive or has not previously been presented transparently, clearly and unequivocally; and
- when the data subject has provided his/her specific and prominent consent for the transfer, with prior information on the international character of the transaction, clearly distinguishing this from other purposes.
Note: There are also some other specific rules for handling sensitive personal data, children and teenagers’ personal data, etc., which shall be observed separately from the situation described above.
Under the LGPD the main duties in handling personal data are as follows:
- keep records of personal data processing operations;
- prepare a data protection impact assessment ("DPIA") on the protection of personal data, if it is determined by the competent authority;
- adopt technical, security and administrative measures to protect personal data; and
- designate a Data Protection Officer ("DPO").
Also, the LGPD determines that personal data must be eliminated when the processing of personal data ends, within the scope and technical limits of the activities. However, data retention is authorized for the following purposes:
- compliance with the legal or regulatory obligation by the controller;
- study by a research body, guaranteeing, whenever possible, the anonymization of personal data;
- transfer to a third party, provided that the data processing requirements provided by the LGPD are respected;
- exclusive use of the controller, being forbidden its access by a third party and provided the data is anonymized.
Moreover, the controllers shall:
- adopt security, technical and administrative measures capable of protecting personal data from accidental or illicit situations of destruction, loss, alteration, communication or any form of inappropriate or illicit processing of personal data;
- communicate to the National Data Protection Authority ("ANPD") as well as to the data subject, within a reasonable time, the occurrence of any security incident which could lead to significant risk or damage to the data subjects;
- adopt any measures determined by the national authority to reverse or mitigate the effects of the incident.
As a general rule, the storage and retention of personal data on the Internet shall follow the same principles described in item 5 (please refer to specific procedures herein below). In addition, the following security standards must be observed, according to the Brazilian Internet Act:
- strict control over access to data by defining the responsibilities of persons who will have access possibilities and privileges of exclusive access for certain users;
- authentication mechanisms for accessing records, using, for example, dual authentication systems to ensure the individualization of the person responsible for the processing of records;
- a detailed inventory of access to connection and application access records, containing the moment, duration, identity of the employee or the designated accessor by the company and the file accessed; and
- use records management solutions through techniques that guarantee the inviolability of data, such as encryption or equivalent protection measures.
Note: In addition to our comments in the overview answer in item 6 above, it is worth underlining that:
- As a general rule access records for internet applications must be kept by the application provider in a confidential, controlled and secure environment, for six months, or longer upon request of competent authorities (the custody of these records by the connection providers is prohibited).
- It is prohibited the storage of (i) access records to other Internet applications without the data owner having previously consented; and (ii) personal data that are excessive in relation to the purpose for which consent has been given by its owner.
- Connection records must be stored in a controlled and secure environment for a period of one year (this responsibility cannot be transferred to third parties).
- The application and connection records may be supplied to interested parties upon court order.
- Competent authorities may request access to the user's registration data (i.e the user's name, address, name and surname, marital status and profession), but providers are not obliged to not collect registration data and shall report such circumstances to the requesting authorities.
The Federal Constitution provides the right of access and rectification of personal data. In addition, other laws and regulations that address particular types of relationships (e.g. the Consumer Protection Code) also, foresee such rights under the perspective of such specific regulations.
Furthermore, the LGPD specifically establishes that the data subject, upon request, at any time, has the right to: (i) confirmation of the existence of processing; (ii) access to data held by the controller; (iii) correction of incomplete, inaccurate, or outdated data; (iv) anonymization, blocking or deletion of data, provided that they are considered unnecessary, excessive or processed in non-conformity; (v) portability of your personal data to another service provider; (vi) exclusion of personal data processed with data subject’s consent, except in the cases of art. 16; (vii) information about public and private entities with which the controller has shared data; (viii) information that you may deny consent to and what its consequences; (ix) revocation of consent; (x) petition to the ANPD and; (xi) request a review of decisions taken solely on the basis of automated processing.
The LGPD regulates the international transfer of data (i.e. international data transfer: transfer of personal data to a foreign country or international organization of which the country is a member), requiring, for example:
- that the recipient country or international organization provide an adequate level of protection as the one provided in the LGPD;
- that the controller complies with the principles, the rights of the data subjects and the data protection regime provided in the LGPD through specific contractual clauses, standard contractual clauses, global corporate standards, as well as through the adoption of codes of conduct and certifications; or
- it is also possible to internationally transfer data in case of specific consent and highlighted by the data subject, with prior information on the international nature of the operation and in cases of compliance with a legal obligation, contract execution or in judicial or administrative proceedings, for example.
Note: The ANPD is responsible for assessing the level of data protection afforded by the recipient country or international organization mentioned above. Under art. 34 of the LGPD, that assessment takes into account the general and sectoral rules of the legislation in force in the recipient country or organization, the nature of the data, compliance with the general principles of personal data protection and the data subjects' rights provided for in the LGPD, the adoption of the security measures set out in regulation, the existence of judicial and institutional guarantees for the respect of data protection rights, and other specific circumstances relating to the transfer.
The ANPD is also responsible for defining the content of the standard contractual clauses and for reviewing the specific contractual clauses for a given transfer, as well as the global corporate rules, certifications and codes of conduct drawn up by controllers.
As to the timeframe for notifying the ANPD of a security incident, the authority has yet to issue specific regulations, but it has recommended that the notification be sent within 2 business days.
According to the guide on incident reporting published by the ANPD, the controller should provide the ANPD with the following identification details: (i) identification and contact information of the entity or person responsible for the processing; (ii) identification and contact information of the DPO or other contact person; and (iii) an indication of whether the notification is complete or partial and, in the case of a partial communication, whether it is a preliminary or a complementary communication.
Information about the incident to be provided to the ANPD: (i) date and time of detection; (ii) date and time of the incident and its duration; (iii) the circumstances in which the security breach occurred, such as loss, theft, copying or leakage; (iv) description of the personal data and information affected, and the number of personal data records and data subjects affected; (v) summary of the security incident involving personal data, indicating the physical location and storage medium; (vi) possible consequences and negative effects for data subjects; (vii) preventive security, technical and administrative measures adopted by the controller in accordance with the LGPD; (viii) summary of the measures implemented so far to contain the possible damage; (ix) possible cross-border implications; and (x) other information useful to affected data subjects in protecting their personal data or preventing possible damage.
In addition, the ANPD has made available a form that the controller must complete with answers to questions related to the incident.
The following minimum information is also recommended for the communication to data subjects: (i) description of the nature of the personal data affected (art. 48, § 1, I, of the LGPD); (ii) the technical and security measures used, subject to commercial and industrial secrecy (art. 48, § 1, III); (iii) the risks related to the incident (art. 48, § 1, IV); (iv) the reasons for the delay, where the communication was not immediate (art. 48, § 1, V); (v) the measures that have been or will be adopted to reverse or mitigate the effects of the harm (art. 48, § 1, VI); (vi) the date and a description of the nature of the breach; (vii) contact information for the person in charge of or responsible for the protection of personal data and the best communication channel for questions (e.g., Customer Service); and (viii) measures the data subject may take to mitigate risks, damages and adverse effects (such as changing his/her password).
Regarding the notification to data subjects, the ANPD has yet to provide further guidance; this does not, however, exclude the possibility of data subjects complaining to the National Authority and/or filing a lawsuit before the Judiciary.
The LGPD created a privacy regulator, the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, "ANPD" or "National Authority"). The ANPD is a federal public administration body, part of the Presidency of the Republic, responsible for overseeing, implementing and monitoring compliance with the LGPD. The LGPD provides that the legal nature of the ANPD is transitional and may be transformed into that of an autonomous body within two years.
In general aspects, the ANPD is responsible for:
- ensuring the protection of personal data;
- issuing rules and procedures on the protection of personal data, and establishing norms that simplify procedures for micro and small businesses, as well as for startups engaged in disruptive initiatives;
- requesting information at any time from the controllers and processors of personal data;
- implementing simplified mechanisms for recording complaints about the processing of personal data not in accordance with the LGPD;
- supervising and applying sanctions in cases of non-compliance;
- promoting cooperation actions with data protection authorities of other countries; and
- preparing annual management reports on its activities.
Note: In addition to our comments in the overview answer to "Who is the privacy regulator?" above, we underline that:
- the National Consumer Secretariat will act in the monitoring and investigation of infringements related to consumer rights;
- the determination of infractions against the economic order will be the responsibility of the Brazilian System for the Defense of Competition; and
- other authorities may act in a collaborative manner, taking into account the guidelines of the Brazilian Internet Steering Committee (CGI.br), and shall ensure compliance with Brazilian law, including the application of the applicable sanctions, even where the activities are performed by a legal entity headquartered abroad.
In addition to the applicable civil and criminal actions, the LGPD establishes administrative sanctions for violations of its provisions.
In the case of a privacy breach, the LGPD establishes the following obligations:
- Controllers must communicate to the National Authority, as well as to the data subjects, the occurrence of any security incident that may cause significant risk or damage to the data subjects.
- Controllers shall adopt any measures determined by the National Authority to reverse or mitigate the effects of the incident.
The LGPD provides for the following administrative sanctions: (i) a warning, indicating the deadline for adopting corrective measures; (ii) a simple fine of up to two percent of the turnover of the legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to 50 million reais per infraction; (iii) a daily fine, subject to the total limit referred to in the previous item; (iv) disclosure of the infraction after its occurrence has been duly investigated and confirmed; (v) blocking of the personal data to which the infraction relates until it is regularized; (vi) deletion of the personal data to which the infraction relates; (vii) partial or total suspension of the operation of the database to which the infraction relates for a maximum period of six months; (viii) suspension of the personal data processing activity to which the infraction relates for a maximum period of six months; and (ix) partial or total prohibition of the performance of activities relating to data processing. These administrative sanctions became applicable as of August 1, 2021.
Furthermore, on October 28, 2021, the ANPD approved the Regulation of the Supervision Process and the Sanctioning Administrative Process, which establishes the procedures for supervision, monitoring, guidance and preventive action, as well as the rules to be observed when applying sanctions. It is worth noting that the ANPD has yet to define the dosimetry of the sanctions (i.e., the criteria for calculating and grading them) and may still issue further directives.
The Regulation states that the ANPD intends to adopt an educational approach, through corrective and compliance measures, before resorting to stricter sanctions. However, depending on the conduct of the controller, the gravity of the incident and the measures taken, the ANPD may forgo the educational steps and apply sanctions directly.
Note: In addition to the LGPD sanctions, the Brazilian Internet Act sets out the following sanctions for privacy breaches in the Internet environment:
- warning, indicating the deadline for corrective measures;
- a fine of up to ten percent of the turnover of the economic group in Brazil in its last fiscal year, excluding taxes, taking into account the economic condition of the offender and the principle of proportionality between the severity of the infraction and the intensity of the sanction;
- temporary suspension of activities; or
- prohibition to perform its business activities.
Decree No. 7,962/2013 regulates the Consumer Defense Code with respect to e-commerce transactions, but it does not govern e-marketing practices such as spam e-mails, and Brazil has no specific anti-spam legislation in force. Please refer to our comments in the detailed answer in item 12 below.
According to the LGPD, the processing of personal data is permitted on a number of legal grounds, such as (i) the consent of the data subject; (ii) compliance with a legal or regulatory obligation by the controller; (iii) the performance of a contract with the data subject, or of preliminary procedures related to it; and (iv) the legitimate interests of the controller or of a third party, among others.
The LGPD does not provide a specific legal ground for processing for the purpose of e-mail marketing. Two grounds are therefore the most likely to be acceptable, subject to the National Authority's discretion, future case law and case-by-case interpretation:
- consent from the data subject, which shall meet the following requirements:
- be given in writing (in a clause highlighted from the other contractual clauses) or by another means that demonstrates the data subject's free, informed and unequivocal manifestation of will;
- specify the purpose of the processing (and any subsequent change of purpose);
- specify whether the data will be shared with other controllers; and
- contain information, in a prominent way, if the processing is a condition for the provision of product/service or exercise of any right by the data subject. Please refer to our response to “How are the use and disclosure of personal data regulated?”
- the legitimate interest of the controller or of a third party. In this case, legitimate purposes may include (i) the support and promotion of the controller's activities; and (ii) the protection, in relation to the data subjects, of the regular exercise of their rights or the provision of services that benefit them, observing their legitimate expectations and fundamental rights and liberties, pursuant to the provisions of the law.
In any case, the controller shall adopt measures to guarantee the transparency of any processing of personal data based on its legitimate interest.
Note: In short, Decree No. 7,962/2013 formalized principles and case law already applicable to the commercial relationship between consumers and providers of goods and services in online transactions, as a result of the general rules set forth in the Consumer Defense Code. The decree mainly regulates rights already provided for in the Consumer Defense Code (e.g., the specific procedure by which consumers may exercise their right of withdrawal from an online purchase) and establishes certain specific provisions for websites and other electronic media used for collective purchasing.
In relation to spam e-mails, if necessary, injured addressees may allege a violation of Article 65 of the Law of Criminal Misdemeanors (Decree-Law No. 3,688/1941), which defines as a misdemeanor the act of harassing someone or disturbing his/her tranquility out of spite or for a reprehensible reason.
The LGPD came into force on September 18, 2020, and its administrative sanctions provisions entered into force later, on August 1, 2021.
In August 2020, the National Data Protection Authority (ANPD) was formally constituted by Decree No. 10,474/2020, which approved its regimental structure; the members of its Board of Directors have since been appointed. The National Authority is therefore formally constituted and able to exercise its functions and issue guidelines on the protection of personal data in Brazil.
During 2021 and early 2022, the ANPD issued several guidelines, including on processing agents and the DPO, on the electoral context and for the public administration, in addition to issuing the regulation on the application of the LGPD to small processing agents and the regulation of the supervision and sanctioning administrative process.
The ANPD has also entered into cooperation agreements with a number of public entities, such as the Superior Electoral Court, CADE, the National Consumer Secretariat and NIC.br, as well as with international bodies, for example the Ibero-American Data Protection Network, the Spanish data protection authority and the Global Privacy Assembly.
We still expect the National Authority to clarify the normative gaps left by the LGPD, such as the processing of the personal data of children and adolescents, the requirements and methods for preparing data protection impact assessments, and the specific procedures for international data transfers.
For further information about the LGPD and data privacy in Brazil, please see Demarest's materials: "General Data Protection Law in Brazil", "ANPD Acts Timeline", "Regulation of the Oversight and Sanctioning Process within the ANPD Sanctioning Process" and our "Guide on Good Practices in Artificial Intelligence".