Two years after its enactment and several debates about a possible postponement, the General Personal Data Protection Act (Lei Geral de Proteção de Dados - LGPD) was approved on September 18th, 2020. Like the General Data Protection Regulation (GDPR) of the European Union, LGPD aims to strengthen the fundamental right of privacy in the digital age by regulating the treatment of personal data in both Brazil’s private and public sectors.
The regulatory agency (ANPD - National Data Protection Authority), established by LGPD, has yet to be created and administrative sanctions outlined in the law will only be applied after August 1st, 2021.
It is essential that companies that are, or wish to be, part of the Brazilian data processing market understand exactly how LGPD will affect their operations. Emptor has been monitoring these changes very closely, particularly their implications for our product, clients, and continued operations in Brazil.
This piece aims to give you a brief overview of some of the major components of the law and its impact on business operations in Brazil, as well as what Emptor is doing to stay on top of the changing regulatory environment.
I. Territorial scope of the law
LGPD covers all companies that are involved with any of the following activities:
1. Processing of personal data that occurs in the Brazilian territory
2. Processing of data related to individuals located in Brazil
3. Collection of personal data occurring in Brazil
Even if the company is based in a different country, or the jurisdiction chosen to resolve conflicts is not Brazil, LGPD will always be applied when organizations fall into any of the categories above. In other words, there is no way out of compliance with the law when one wishes to enter the data market in Brazil; however, the law follows many of the same data privacy principles as GDPR, which eases compliance across regions.
II. Legal Hypotheses: Compliance on data processing
Legal hypotheses are situations outlined by the law in which data processing is allowed. This means that informed consent must be obtained from data subjects when their data is collected. In addition, companies must disclose information on how the data will be processed. Onboarding new users now has a greater degree of complexity. Companies need to develop a transparent entry process that ensures that consent is given by the user and is in accordance with the law.
III. Essential Figures in Data Processing
To understand how data processing works in Brazil, it is necessary to identify the central figures of a typical data processing operation. These include:
Data Holder: The individual (i.e. anyone who provides his/her data to offices, health plans, pharmacies, banks or any establishment to be able to make a purchase). LGPD was enacted with the purpose of protecting those who need to make their personally identifiable information available for any reason.
Controller: The natural or legal person who collects the data of the individual and who is responsible for making decisions regarding the treatment of this information.
Operator: The legal person who carries out the processing of personal data on behalf of the controller. The Operator is directly responsible for the processing of personal data and has the obligation to follow the decisions made by the controller and observe LGPD.
Data Protection Officer (“DPO”): The DPO is appointed by the controller and operator to act as a liaison between the controller, data holders, and the National Data Protection Authority (ANPD). The DPO is responsible for monitoring the rules and procedures within a company, in order to ensure compliance with the law and resolve major crises and/or incidents.
IV. How Emptor is staying ahead of LGPD
With the aim of protecting our clients’ personal data, our team has put a series of measures into effect. Our team of legal experts and engineers is working to stay up to date to implement the necessary revisions and updates to ensure we are in full compliance.
Emptor is a company that provides security verification services to other companies (B2B) utilizing its own technology solutions developed so they can operate in a scalable and personalized way, in response to the requests of each of our customers.
Due to our main activity, we process, on a daily basis, the personal data of people who use our clients' platforms and who need to be verified. Therefore, we are attentive to the many legal changes and innovations that involve our area of expertise.