GPDR

The General Data Protection Regulation (GDPR) is a legal framework that came into effect in May 2018 to enhance data privacy and security in the European Union (EU) and the European Economic Area (EEA). The GDPR sets out strict rules for how organizations collect, process, store, and share personal data of EU/EEA residents, including explicit consent requirements, data subject rights, data breach notification obligations, and significant penalties for non-compliance.

The importance of GDPR lies in its objective to protect the fundamental rights and freedoms of individuals concerning their personal data, as recognized in the EU Charter of Fundamental Rights. GDPR ensures that individuals have control over their personal data and can exercise their rights to access, rectify, erase, restrict processing, and object to the processing of their data. It also imposes accountability and transparency obligations on data controllers and processors, meaning that they must demonstrate compliance with GDPR and be transparent about their data processing activities.

In Brazil, the General Data Protection Law (LGPD) was enacted in August 2018 and came into effect in September 2020, based on the GDPR principles. The LGPD regulates the processing of personal data of Brazilian citizens, regardless of the location of the organization processing the data. The LGPD aims to promote data protection and privacy while fostering innovation and economic development in Brazil. Like GDPR, the LGPD establishes data subject rights, data protection officer requirements, and severe penalties for non-compliance.

The relation between GDPR and LGPD is that they share similar objectives, principles, and requirements regarding data protection and privacy. Organizations that comply with GDPR can facilitate compliance with LGPD and vice versa. However, there are some differences between the two regulations, such as the age of consent for children (16 years in GDPR, 12 years in LGPD), the legal basis for data processing, and some specific requirements for data processing in certain sectors or situations.

The penalties for non-compliance with GDPR and LGPD can be severe, including fines up to 4% of the global annual revenue or €20 million, whichever is greater. In addition to financial penalties, non-compliant organizations may face reputational damage, loss of customer trust, and legal actions from affected data subjects. Therefore, it is crucial for organizations to prioritize data protection and privacy and ensure compliance with GDPR, LGPD, and any other relevant data protection regulation.

The General Law for the Protection of Personal Data (LGPD) sets forth compulsory and significant guidelines for personal data collection, processing, and storage. Inspired by the General Data Protection Regulation (GDPR) implemented in the European Union in 2018, LGPD has had substantial impacts on companies and consumers.

LGPD

In Brazil, LGPD (Law No. 13,709, of 8/14/2018) came into effect on September 18, 2020, signifying a crucial step for the country. Consequently, Brazil joined a group of nations with specific regulations to protect their citizens' data. With cases of misuse, commercialization, and data breaches on the rise, the new regulations ensure Brazilian citizens' privacy and prevent trade barriers with other countries.

The legislation is built on several principles and aims to:

1. Uphold users' right to privacy and protect their personal data through transparent and secure practices, guaranteeing fundamental rights.
2. Define explicit regulations for processing personal data.
3. Enhance the security of legal relationships and the trust of data subjects in the processing of their personal data, promoting free initiative, free competition, and the protection of commercial and consumer relationships.
4. Encourage competition and free economic activity, including data portability.

DPO – What is it?

The DPO (Data Protection Officer) can be a natural or legal person, he is responsible for complying with the LGPD within the organization and is also the one who mediates communication with the regulatory body, ANPD.

Along with the new body, which will form part of the federal public administration, integrating the Presidency of the Republic, a representative position was also created, the Data Protection Officer. In free translation, it would be a kind of Data Protection Officer, that is, a figure to be recruited internally to act as a liaison between the ANPD and the companies.

In this regard, legal entities have a relatively long way to go. This is because the government has not defined what type of training or skills the DPO will need to gather to hold the position. So far, what exists is a general and consensual recommendation that this professional will need to be aware of laws and the LGPD itself in order to act.

Who should suit?

Whether or not a business must comply with the law depends on its usage of personal data. If a company has Brazilian employees or conducts business in Brazil, it possesses data and therefore must be aware of the legal requirements. Additionally, companies that provide data processing services should also be prepared to comply with the law.

What happens to those who break the law?

Starting from Sunday (01/08/2021), penalties for noncompliance with the provisions of the LGPD (General Data Protection Act) are now enforceable. The act has been in effect since September of last year, providing companies with nearly a year to adjust to the new regulations. The potential penalties for violations include warnings, blockages, and fines of up to R$50 million per infraction or 2% of revenue.