top of page

What is the General Personal Data Protection Act?

Take a “spin” by the law and find out now the main changes it brings to the country

From online shopping to social networks, from hospitals to banks, from schools to theaters, from hotels to public agencies, from advertising to technology: you can be sure, the General Law on the Protection of Personal Data (LGPD) affects different sectors and services , and to all of us Brazilians, whether in the role of individual, company or government. Here, we help you understand your rights as a citizen, or your obligations, if you are responsible for databases of people. And, of course, we welcome you who want to understand LGPD more, contribute to it, and seek support. Here we go?

To get started Since you agreed, then let's take a “spin” on the LGPD and get to know the main points of the law

To continue:

Now that you have taken a spin, read on for more details on the main points presented in the image above.

The LGPD is law No. 13,709, approved in August 2018 and effective from August 2020. To understand the importance of the matter, it is necessary to know that the new law wants to create a legal security scenario, with the standardization of rules and practices, to promote the protection, on an equal basis and within the country and in the world, to the personal data of every citizen who is in Brazil. And, so that there is no confusion, the law brings right away what personal data is, defines that there are some of these data subject to even more specific care, such as sensitive and those about children and adolescents, and that data treated both in the media physical and digital are subject to regulation.

The LGPD further establishes that it does not matter whether the headquarters of an organization or its data center are located in Brazil or abroad: if there is the processing of content from people, Brazilian or not, who are in the national territory, the LGPD must be fulfilled. It also determines that it is allowed to share data with international organizations and with other countries, as long as this occurs from secure protocols and / or to comply with legal requirements.


Another essential element of the LGPD is consent. In other words, citizen's consent is the basis for personal data to be processed. But there are some exceptions to this. It is possible to process data without consent if this is indispensable for: fulfilling a legal obligation; execute public policy provided for by law; conduct studies via the research body; execute contracts; defend rights in process; preserve a person's life and physical integrity; guardianship. Actions taken by health or sanitary professionals; prevent fraud against the holder; protect credit; or attend to a legitimate interest that does not harm the citizen's fundamental rights.

Automation with authorization

Speaking of rights, it is essential to know that the law provides several guarantees to the citizen, who can request that data be deleted, revoke a consent, transfer data to another service provider, among other actions. And the treatment of the data must be done taking into account some questions, such as purpose and necessity, that must be previously agreed and informed to the citizen. For example, if the purpose of a treatment, done exclusively in an automated way, is to build a profile (personal, professional, consumer, credit), the individual must be informed that he can intervene, asking for a review of this procedure done by machines.

ANPD and treatment agents

And there's more. For the law to "catch", the country will have the National Authority for the Protection of Personal Data, the ANPD. The institution will inspect and, if the LGPD is not complied with, penalize. In addition, the ANPD will, of course, have the tasks of regulating and providing preventive guidance on how to apply the law. Citizens and organizations will be able to collaborate with the authority.

But the ANPD - which is in training - is not enough, and that is why the General Law for the Protection of Personal Data also stipulates data processing agents and their functions in organizations: there is the controller, who makes the decisions about the treatment ; the operator, who performs the processing, on behalf of the controller; and the person in charge, who interacts with citizens and national authority (and may or may not be required, depending on the type or size of the organization and the volume of data processed).

Management in focus

There is another item that could not be left out: the management of risks and failures. This means that whoever manages the personal database will have to write governance rules; adopt preventive safety measures; replicate good practices and certifications existing in the market. You will also have to prepare contingency plans; do audits; resolve incidents with agility. If, for example, a data leak occurs, the ANPD and affected individuals should be notified immediately. It is worth remembering that all treatment agents are subject to the law. This means that organizations and subcontractors to handle data jointly account for the damage caused. And security breaches can generate fines of up to 2% of the organization's annual revenue in Brazil - and the limit of R $ 50 million per infraction. The national authority will set penalty levels depending on the severity of the failure. And it will, of course, send alerts and guidance before applying sanctions to organizations.


Contact us >


Post: Blog2_Post
bottom of page