The General Data Protection Law will take effect after review by Brazil’s President. Here’s what you need to know.
Disclaimer: The contents of this web page do not constitute legal advice. This page is for informational purposes only, and we recommend that you consult independent legal counsel to understand how your organization needs to comply with the LGPD.
What is LGPD?
The General Data Protection Law (LGPD) is Brazil's first comprehensive data protection law and is designed to enhance the privacy and protection of personal data of individuals in Brazil.
When did the LGPD take effect?
After a long period of uncertainty regarding LGPD’s implementation, the Brazilian Senate issued an amendment which accelerated the LGPD’s effective date, setting an immediate effective date upon enactment of the amendment on August 27, 2020. According to Art. 62 of the Brazilian Federal Constitution, the amendment is now under review by the President for approval or potential veto. If the President either approves or does not veto the bill by September 16, 2020, the bill will become law and will take immediate effect.
While the LGPD’s implementing regulations have yet to be released, and administrative enforcement has been delayed until August 2021, private lawsuits and public prosecutor actions based on the LGPD’s main provisions may be possible as soon as the law takes effect.
Who does the LGPD apply to?
Subject to certain exceptions, the LGPD has extraterritorial reach, and applies to any organization that processes personal data of individuals in Brazil regardless of where the organization is located, and irrespective of where the data is stored or otherwise processed, if:
- the processing is carried out in Brazil,
- the purpose of the processing is to offer or provide goods or services to individuals in Brazil,
- the purpose of the processing is to process personal data of individuals in Brazil; or
- the personal data was collected in Brazil.
What did the LGPD change?
Note: This section covers many of the changes to existing law made by the LGPD, but it is not intended to be exhaustive. We recommend that you consult independent legal counsel to determine how LGPD affects your business.
Before the LGPD, Brazil’s data protection legal framework was a patchwork of laws, consisting of a federal constitutional right to privacy and several different sectoral laws and regulations. The LGPD streamlines the legal framework by replacing certain regulations and supplementing others, and sets forth a number of requirements addressing legal bases for processing, individual rights, governance and accountability, and data transfers. The most significant requirements of the LGPD include:
Legal Bases for Processing
Organizations must have one of the following legal bases to process personal data:
- With the data subject’s consent;
- To comply with a legal or regulatory obligation;
- By the public administration, for the processing and shared use of data when necessary for the execution of public policies;
- To carry out studies by research entities;
- Where necessary for the execution of a contract with the data subject;
- For the regular exercise of rights in judicial, administrative or arbitration procedures;
- For the protection of life or physical safety of the data subject or a third party;
- To protect health, in a procedure carried out by a health professional or health entity;
- When necessary to fulfill the legitimate interests of the organization or a third party, except when the data subject’s fundamental rights and liberties outweigh the organization’s interest; or
- To protect an individual’s credit.
Data subjects in Brazil have a number of rights over their personal data, including the rights to:
- confirm the existence of processing, including whether the organization holds particular data;
- access the data subject’s personal data;
- access information about entities with whom the organization has shared the data subject’s personal data;
- correct incomplete, inaccurate, or out-of-date personal data;
- anonymize, block or delete unnecessary or excessive personal data or personal data processed out of compliance with the LGPD;
- port or transfer their personal data to another service or product provider;
- delete personal data processed on the basis of consent; and
- request information about the possibility of denying consent and the consequences of such denial and the right to revoke consent.
Governance & Accountability
Generally speaking, organizations subject to the LGPD must:
- appoint a data protection officer (controllers only);
- maintain records of processing activities;
- implement and maintain privacy notices;
- report security incidents to the National Data Protection Authority (ANPD) and to data subjects within a “reasonable” time period, if the security incident may create risk or relevant damage to the data subjects;
- perform data protection impact assessments;
- develop products and services using the principle of privacy-by-design; and
- adopt security, technical and administrative measures to safeguard personal data from authorized access and accidental or unlawful destruction, loss, alteration, communication or any type of improper or unlawful processing.
Organizations subject to LGPD may export data internationally if:
- the data protection authority issues an adequacy finding for the recipient jurisdiction; or
- the controller is able to guarantee compliance with the principles and rights of the data subject, in the form of:
- Specific contractual clauses for a given transfer;
- Standard contractual clauses;
- Binding corporate rules;
- Regularly issued stamps, certificates or codes of conduct; or
- the organization has obtained the data subject’s specific and express consent, distinct for the transfer.
How does ActiveCampaign fit into all of this?
Similar to our role under other data protection frameworks, when ActiveCampaign provides the ActiveCampaign platform and its services to you, we act as what is called a “processor” with respect to our clients who are considered “controllers” under the LGPD. This means that you remain in control of your customers’ personal data and we only process that personal data to provide our services to you or on your instructions.
What is ActiveCampaign doing?
ActiveCampaign is enhancing our suite of products and services to meet applicable requirements under the LGPD. Given the many similarities between the LGPD and existing data protection laws and regulations, we are leveraging our GDPR and CCPA implementation efforts so that we can efficiently update our existing processes, features and functionality as required by the LGPD.
The LGPD still has a number of significant uncertainties, including whether the President will sanction or veto the bill, when the ANPD’s director and members will be appointed, and the timing and content of implementation regulations, which have yet to be issued. We are monitoring the situation closely, and will announce LGPD-related changes on a rolling basis, so check back here for updates.