Description

Implemented General Data Protection Law (LGPD) including cybersecurity regulation

After an initial grace period, the Brazilian data protection law (Law N° 13.709) is fully implemented and can be enforced by the Brazilian courts and responsible agencies, which may apply the penalties contained in the law. The Law unifies over 40 different statutes governing personal data protection and establishes the National Data Protection Authority as the main enforcer. Moreover, the Law introduces rights for data subjects (users). Among others, users have the right to transfer personal data from one controller to another (data portability). Furthermore, the Law requires entities collecting and processing personal data to implement preventive, detective and responsive security measures and to notify data breaches.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: legislature
Government Body: parliament

Complete timeline of this policy change

2018-05-29
under deliberation

On 29 May 2018, the comprehensive Brazilian data protection law is introduced to the parliament. Th…

2018-08-14
adopted

The Brazilian data protection law (Lei N° 13.709) is adopted by the Brazilian Parliament. The Law u…

2020-09-18
in grace period

The comprehensive Brazilian data protection law (Lei N° 13.709) enters into force with a grace peri…

2021-08-01
in force

After an initial grace period, the Brazilian data protection law (Law N° 13.709) is fully implement…

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type: Private organisation
Economic activity: cross-cutting
Category: All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): data collection
Regulatory tool
Recordkeeping requirement
Risk or other impact assessment requirement
Regulator reporting requirement
Designation of responsible employee
Workplace or process requirement
Private right of action
Technical standard adherence
Private code of conduct requirement
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data (all forms): storage (any form)
Regulatory tool
Recordkeeping requirement
Risk or other impact assessment requirement
Regulator reporting requirement
Designation of responsible employee
Workplace or process requirement
Private right of action
Preventive security requirement
Detective security requirement
Responsive security requirement
Technical standard adherence
Regulator notification requirement
User notification requirement
Private code of conduct requirement
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data (all forms): data processing
Regulatory tool
Recordkeeping requirement
Risk or other impact assessment requirement
Regulator reporting requirement
Duty of care requirement
Designation of responsible employee
Workplace or process requirement
Private right of action
Preventive security requirement
Detective security requirement
Responsive security requirement
Technical standard adherence
Private code of conduct requirement
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data (all forms): transmission
Regulatory tool
Recordkeeping requirement
Risk or other impact assessment requirement
Regulator reporting requirement
Designation of responsible employee
Workplace or process requirement
Private right of action
Technical standard adherence
Regulator notification requirement
User notification requirement
Private code of conduct requirement
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data (all forms): transfer (any destination)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Duty of care requirement
Designation of responsible employee
Workplace or process requirement
Private right of action
Technical standard adherence
Regulator notification requirement
User notification requirement
Private code of conduct requirement
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: ethnicity: data collection
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: ethnicity: storage (any form)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: ethnicity: data processing
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: ethnicity: transmission
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: ethnicity: transfer (any destination)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: religious beliefs: data collection
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: religious beliefs: storage (any form)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: religious beliefs: data processing
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: religious beliefs: transmission
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: religious beliefs: transfer (any destination)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: political orientation: data collection
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: political orientation: storage (any form)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: political orientation: data processing
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: political orientation: transmission
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: political orientation: transfer (any destination)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: health: data collection
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: health: storage (any form)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: health: data processing
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: health: transmission
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: health: transfer (any destination)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: sexual orientation: data collection
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: sexual orientation: storage (any form)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: sexual orientation: data processing
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: sexual orientation: transmission
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: sexual orientation: transfer (any destination)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: genetic: data collection
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: genetic: storage (any form)
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: genetic: data processing
Regulatory tool
Risk or other impact assessment requirement
Regulator reporting requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: genetic: transmission
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: genetic: transfer (any destination)
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: biometric: data collection
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: biometric: storage (any form)
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: biometric: data processing
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: biometric: transmission
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: biometric: transfer (any destination)
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: information pertaining to minors: data collection
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: information pertaining to minors: storage (any form)
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: information pertaining to minors: data processing
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: information pertaining to minors: transmission
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
personal data: information pertaining to minors: transfer (any destination)
Regulatory tool
Risk or other impact assessment requirement
Technical standard adherence
Sanctions
Restitution of damages
Fine
Regulated subjects
1
