The General Personal Data Protection Law (Lei Geral de Proteção de Dados), is a statutory law on data protection and privacy in the Federative Republic of Brazil. The law's primary aim is to unify 40 different Brazilian laws that regulate the processing of personal data, both online and offline.
This convergence of previously separate and sometimes conflicting regulations is just one similarity which it shares with the General Data Protection Regulation of the EU, a document which clearly draws its inspiration from it.
LGPD enforcement was scheduled for August 2021. Legal proceedings can still be initiated against companies required to comply in Brazil or abroad, despite the sanctions' delays due to government speedbumps.
Personal data under LGPD and general requirements
LGPD defines personal data similarly to GDPR as "information about an identified or identifiable individual". The term excludes anonymized data in which the data subject can no longer be identified.
Both data controllers and data processors must keep records of the processing operations and both can be held liable for damages suffered by data subjects. However, the LGPD does not detail the type of information controllers and processors need to record.
Any company processing data collected in Brazil or belonging to a data subject present in Brazil at the time of the data collection will be obliged to comply with the LGPD — even without a physical presence in the country.
Additionally, the LGDP will apply if the business offers or provides goods and services to Brazilian data subjects. Also included in the territorial scope of the law are all e-commerce companies that offer shipping to Brazil. Any data originating outside of Brazil and not shared with agents in Brazil nor third-parties will be exempt, provided local law offers adequate protection.