Digital Policy Alert logo

Brazil: Adopted General Data Protection Law (LGPD), including data protection regulation

Go to policy change overview
Share

Compare with different regulatory event:

Description

Adopted General Data Protection Law (LGPD), including data protection regulation

The Brazilian data protection law (Lei N° 13.709) is adopted by the Brazilian Parliament. The Law unifies over 40 different statutes governing personal data protection and establishes the National Data Protection Authority as the main enforcer. The Law exposes the definitions of data controllers, processors and subjects and distinguishes between different types of personal data. Moreover, the Law introduces the rights for data subjects (users) to: know whether a controller is processing personal data, access or erase such data, rectify incorrect data, transfer personal data from one controller to another (data portability), opt-out from processing of personal data. Further, the transfer of personal data shall be made only to countries ensuring a level of data protection adequate to the law's standards. Finally, the Law requires data controllers to disclose data breaches within a reasonable time.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
legislature
Government Body
parliament

Complete timeline of this policy change

Hide details
2018-05-29
under deliberation

On 29 May 2018, the comprehensive Brazilian data protection law is introduced to the parliament. Th…

2018-08-14
adopted

The Brazilian data protection law (Lei N° 13.709) is adopted by the Brazilian Parliament. The Law u…

2020-09-18
in grace period

The comprehensive Brazilian data protection law (Lei N° 13.709) enters into force with a grace peri…

2021-08-01
in force

After an initial grace period, the Brazilian data protection law (Lei N° 13.709) is fully implement…

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type Private organisation
Economic activity cross-cutting
Category All
2
Type Governmental organisation
Economic activity cross-cutting
Category All
3
Type Public-Private Partnership
Economic activity cross-cutting
Category All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): data collection
Regulatory tool
Purpose/processing limitation
Data minimisation obligation
User consent: Opt-in requirement
User consent: Permit user opt-out
User right to withdraw consent
User right to information about third-parties, with which data has been shared
User notification requirement
User consent: Other requirement
User right to rectification of personal data
User right to deletion of personal data
User right to portability of personal data
Prohibition of discrimination on the basis of exercised user rights
Sanctions
Regulated subjects
1
Regulatory tool
Sanctions
Restitution of damages
Fine
Regulated subjects
1 2 3
personal data (all forms): storage (any form)
Regulatory tool
Purpose/processing limitation
Data minimisation obligation
User right to access personal data
Preventive security requirement
Detective security requirement
User consent: Opt-in requirement
User consent: Permit user opt-out
User right to withdraw consent
User right to information about third-parties, with which data has been shared
User notification requirement
User consent: Other requirement
User right to rectification of personal data
User right to deletion of personal data
User right to portability of personal data
User right against automated decision making
Prohibition of discrimination on the basis of exercised user rights
Sanctions
Regulated subjects
1
Regulatory tool
Sanctions
Restitution of damages
Fine
Regulated subjects
1 2 3
personal data (all forms): data processing
Regulatory tool
Purpose/processing limitation
Data minimisation obligation
User right to access personal data
User consent: Opt-in requirement
User consent: Permit user opt-out
User right to withdraw consent
User right to information about third-parties, with which data has been shared
User notification requirement
User consent: Other requirement
User right to rectification of personal data
User right to deletion of personal data
User right to portability of personal data
User right against automated decision making
Prohibition of discrimination on the basis of exercised user rights
Sanctions
Regulated subjects
1
personal data (all forms): transmission
Regulatory tool
Purpose/processing limitation
Data minimisation obligation
User right to access personal data
User consent: Opt-in requirement
User consent: Permit user opt-out
User right to withdraw consent
User right to information about third-parties, with which data has been shared
User notification requirement
User consent: Other requirement
User right to rectification of personal data
User right to deletion of personal data
User right to portability of personal data
Prohibition of discrimination on the basis of exercised user rights
Sanctions
Regulated subjects
1
personal data (all forms): transfer (any destination)
Regulatory tool
Purpose/processing limitation
Data minimisation obligation
User right to access personal data
User consent: Opt-in requirement
User consent: Permit user opt-out
User right to withdraw consent
User right to information about third-parties, with which data has been shared
User notification requirement
User consent: Other requirement
User right to rectification of personal data
User right to deletion of personal data
User right to portability of personal data
Prohibition of discrimination on the basis of exercised user rights
Sanctions
Regulated subjects
1
personal data: ethnicity: data collection
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: ethnicity: storage (any form)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: ethnicity: data processing
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: ethnicity: transmission
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: ethnicity: transfer (any destination)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: religious beliefs: data collection
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: religious beliefs: storage (any form)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: religious beliefs: data processing
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: religious beliefs: transmission
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: religious beliefs: transfer (any destination)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: political orientation: data collection
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: political orientation: storage (any form)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: political orientation: data processing
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: political orientation: transmission
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: political orientation: transfer (any destination)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: health: data collection
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: health: storage (any form)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: health: data processing
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: health: transmission
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: health: transfer (any destination)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: sexual orientation: data collection
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: sexual orientation: storage (any form)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: sexual orientation: data processing
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: sexual orientation: transmission
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: sexual orientation: transfer (any destination)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: genetic: data collection
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: genetic: storage (any form)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: genetic: data processing
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: genetic: transmission
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: genetic: transfer (any destination)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: biometric: data collection
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: biometric: storage (any form)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: biometric: data processing
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: biometric: transmission
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: biometric: transfer (any destination)
Regulatory tool
User consent: Opt-in requirement
User right to restriction of personal data processing
Sanctions
Regulated subjects
1
personal data: information pertaining to minors: data collection
Regulatory tool
User or public reporting requirement
Duty of care requirement
Sanctions
Regulated subjects
1
personal data: information pertaining to minors: storage (any form)
Regulatory tool
User or public reporting requirement
Duty of care requirement
Sanctions
Regulated subjects
1
personal data: information pertaining to minors: data processing
Regulatory tool
User or public reporting requirement
Duty of care requirement
Sanctions
Regulated subjects
1
personal data: information pertaining to minors: transmission
Regulatory tool
User or public reporting requirement
Duty of care requirement
Sanctions
Regulated subjects
1
personal data: information pertaining to minors: transfer (any destination)
Regulatory tool
User or public reporting requirement
Duty of care requirement
Sanctions
Regulated subjects
1
algorithm: automated decision system: data processing

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.

personal data (all forms): data collection

personal data (all forms): storage (any form)

personal data (all forms): data processing

personal data (all forms): transmission

personal data (all forms): transfer (any destination)

personal data: ethnicity: data collection

personal data: ethnicity: storage (any form)

personal data: ethnicity: data processing

personal data: ethnicity: transmission

personal data: ethnicity: transfer (any destination)

personal data: religious beliefs: data collection

personal data: religious beliefs: storage (any form)

personal data: religious beliefs: data processing

personal data: religious beliefs: transmission

personal data: religious beliefs: transfer (any destination)

personal data: political orientation: data collection

personal data: political orientation: storage (any form)

personal data: political orientation: data processing

personal data: political orientation: transmission

personal data: political orientation: transfer (any destination)

personal data: health: data collection

personal data: health: storage (any form)

personal data: health: data processing

personal data: health: transmission

personal data: health: transfer (any destination)

personal data: sexual orientation: data collection

personal data: sexual orientation: storage (any form)

personal data: sexual orientation: data processing

personal data: sexual orientation: transmission

personal data: sexual orientation: transfer (any destination)

personal data: genetic: data collection

personal data: genetic: storage (any form)

personal data: genetic: data processing

personal data: genetic: transmission

personal data: genetic: transfer (any destination)

personal data: biometric: data collection

personal data: biometric: storage (any form)

personal data: biometric: data processing

personal data: biometric: transmission

personal data: biometric: transfer (any destination)

personal data: information pertaining to minors: data collection

personal data: information pertaining to minors: storage (any form)

personal data: information pertaining to minors: data processing

personal data: information pertaining to minors: transmission

personal data: information pertaining to minors: transfer (any destination)

algorithm: automated decision system: data processing