What is the LGPD? Brazil’s General Data Protection Law

Table of contents

  1. What is the essence of the LGPD?
  2. Who does the LGPD apply to?
  3. Who is exempt from the LGPD?
  4. What are the nine rights for data subjects under the LGPD?
  5. What are the 19 definitions in the LGPD?
  6. What are the ten legal bases for lawful processing of personal data under the LGPD?
  7. What is the Autoridade Nacional de Proteção de Dados (ANPD)?
  8. Why is the LGPD important?
  9. Why was the LGPD created?
  10. How does the LGPD impact cybersecurity?
  11. How is the LGPD similar to GDPR?
  12. What are the differences between the LGPD and GDPR?
  13. How UpGuard can prevent personal data breaches

1. What is the essence of the LGPD?

2. Who does the LGPD apply to?

  • Data processing within the territory of Brazil
  • Data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located
  • Data processing of data collected in Brazil

3. Who is exempt from the LGPD?

  • Data processed by a person for strictly personal purposes
  • Data exclusively for journalistic, artistic, literary or academic purposes
  • Data exclusively for national security, national defense, public safety, criminal investigations or punishment activities

4. What are the nine rights for data subjects under the LGPD?

  1. Confirm the existence of the processing of their data
  2. Access their data
  3. Correct incomplete, inaccurate or out-of-date data
  4. Anonymize, block or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
  5. Portability of data, i.e. having it handed over to another service or processor on request
  6. Have their data deleted
  7. Information about public and private entities with which the controller has shared data
  8. Information about the possibility of denying consent and the consequences
  9. Revoke consent

5. What are the 19 definitions in the LGPD?

  1. Personal data: Information regarding an identified or identifiable natural person akin to personally identifiable information (PII)
  2. Sensitive personal data: Personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life (PHI), genetic or biometric data, when related to a natural person
  3. Anonymized data: Data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing
  4. Database: Structured set of personal data, kept in one or several locations, in electronic or physical support
  5. Data subject: A natural person to whom the personal data that are the object of processing refer
  6. Controller: Natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data
  7. Processor: Natural person or legal entity, of public or private law, that processes personal data in the name of the controller
  8. Officer: Natural person, appointed by the controller, who acts as a communication channel between the controller, the data subjects and the national authority
  9. Processing agents: The controller and the processor
  10. Processing: Any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction
  11. Anonymization: Use of reasonable and available technical means at the time of the processing, through which data loses the possibility of direct or indirect association with an individual
  12. Consent: Free, informed and unambiguous manifestation whereby the data subject agrees to the processing of her/his personal data for a given purpose
  13. Blocking: Temporary suspension of any processing operation, by means of retention of the personal data or the database
  14. Deletion: Exclusion of data or a set of data stored in a database, irrespective of the procedure used
  15. International data transfer: Transfer of personal data to a foreign country or to an international entity of which the country is a member
  16. Shared use of data: Communication, dissemination, international transfer, interconnection of personal data or shared processing of banks of personal data by public agencies and entities, in compliance with their legal competences, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing allowed by these public entities, or among private entities
  17. Impact report on protection of personal data: Documentation from the controller that contains the description of the processing operations on personal data that could generate risks to civil liberties and fundamental rights, as well as the measures, safeguards and mechanisms to mitigate the risk
  18. Research body: Body or entity of the direct or indirect public administration, or a nonprofit legal entity of private law, legally organized under Brazilian law, headquartered and with jurisdiction in Brazil, that includes in its institutional mission or in its corporate or statutory purposes basic or applied research of a historic, scientific, technological or statistical nature
  19. National authority: Body of the indirect public administration responsible for supervising, implementing and monitoring the compliance with the LGPD.

6. What are the ten legal bases for lawful processing of personal data under the LGPD?

  1. With consent of the data subject
  2. For compliance with a legal or regulatory obligation by the controller
  3. By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments, subject to Chapter IV of the LGPD
  4. For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
  5. When necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject
  6. For the regular exercise of rights in judicial, administrative or arbitration procedures, the last pursuant to the Brazilian Arbitration Law
  7. For the protection of life or physical safety of the data subject or a third party
  8. To protect health, in a procedure carried out by health professionals or by health entities
  9. When necessary to fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail
  10. For the protection of credit

7. What is the Autoridade Nacional de Proteção de Dados (ANPD)?

  1. Board of Directors: Five members with expertise in data privacy and data protection
  2. National Council: A 23-member advisory board with representation from government, civil society, research institutions and the private sector

8. Why is the LGPD important?

9. Why was the LGPD created?

10. How does the LGPD impact cybersecurity?

11. How is the LGPD similar to GDPR?

12. What are the differences between the LGPD and GDPR?

13. How UpGuard can prevent personal data breaches

UpGuard

https://www.upguard.com — UpGuard combines third-party security ratings, vendor questionnaires, and threat intelligence in a single cyber risk solution.