October 23, 2020

Volume X, Number 297


October 23, 2020

Subscribe to Latest Legal News and Analysis

October 22, 2020

Subscribe to Latest Legal News and Analysis

October 21, 2020

Subscribe to Latest Legal News and Analysis

6 Months Until Brazil’s LGPD Takes Effect – Are You Ready?

In August 2018, Brazil took a significant step by passing comprehensive data protection legislation: the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais - Law No. 13,709/2018, as amended) (LGPD). The substantive part of the legislation takes effect August 16, 2020, leaving fewer than six short months for companies to prepare.

While the LGPD is similar to the EU’s General Data Protection Regulation (GDPR) in many respects, there are key differences that companies must consider when building their compliance program, to be in line with the LGPD.


The LGPD takes a broad, multi-sectoral approach, applying to both public and private organizations and businesses operating online and offline. The LGPD applies to any legal entity, regardless of their location in the world, that:

  • processes personal data in Brazil;

  • processes personal data that was collected in Brazil; or

  • processes personal data to offer or provide goods or services in Brazil.

Thus, like the GDPR, the LGPD has an extraterritorial impact. A business collecting or processing personal data need not be headquartered, or even have a physical presence, in Brazil for the LGPD to apply.

Enforcement and Penalties

After many debates and delays, the Brazilian Congress approved the creation of the National Data Protection Authority (ANPD), an entity linked to the executive branch of the Brazilian government, which will be tasked with LGPD enforcement and issuing guidance.

Violations of the LGPD may result in fines and other sanctions; however, the fine structure is more lenient than the GDPR’s. Under the LGPD, fines may be levied up to 2% of the Brazil-sourced income of the organization (which is considered any legal entity, its group or conglomerate), net of taxes, for the preceding fiscal year, limited to R$ 50,000,000.00 (app. $11 million), per infraction. There is also the possibility of a daily fine to compel the entity to cease violations. The LGPD assigns to ANPD the authority to apply sanctions and determine how the fines shall be calculated.

Legal Basis for Processing

Similar to the GDPR, an organization must have a valid basis for processing personal data. Personal data can only be processed if it meets one of the 10 requirements below:

  • with an individual’s consent;

  • when necessary to fulfill the legitimate interests of the organization or a third party, except when the individual’s fundamental rights and liberties outweigh the organization’s interest;

  • based on a contract with the individual;

  • to comply with a legal or regulatory obligation;

  • public administration and for judicial purposes;

  • for studies by research entities;

  • for the protection of life or physical safety of the individual or a third party;

  • by health professionals or by health entities for health care purposes; or

  • to protect an individual’s credit.

Sensitive personal information (race, ethnicity, health data, etc.) and children’s information may only be processed with the individual or a parent or legal guardian’s consent, as applicable, or as required by law or public administration.

Individual Rights

Brazilian residents have a number of rights over their personal data. Many of these rights are similar to those found in the GDPR, but the LGPD also introduces additional rights not included in the GDPR.

Established privacy rights, materially included in the GDPR

  • access to personal data

  • deletion of personal data processed with the consent of the individual

  • correction of incomplete, inaccurate, or out-of-date personal data

  • anonymization, blocking, or deletion of unnecessary or excessive data or personal data not processed in compliance with the LGPD

  • portability of personal data to another service or product provider

  • information about the possibility of denying consent and revoking consent

Additional rights provided by the LGPD

  • access to information about entities with whom the organization has shared the individual’s personal data

  • access to information on whether or not the organization holds particular data

Transferring Data Out of Brazil

Organizations may transfer personal data to other countries that provide an adequate level of data protection, although Brazil has not yet identified which countries it considers as providing an adequate level of protection. For all other transfers, organizations may not transfer personal data collected in Brazil out of the country unless the organization has a valid legal method for such transfers. There are two main ways organizations can transfer data internationally:

  • with the specific and express consent of the individual, which must be prior and separated from the other purposes and requisitions of consent;

  • through contractual instruments such as binding corporate rules and standard clauses, committing the organization to comply with the LGPD principles, individual rights, and the Brazilian data protection regime.

Governance & Oversight

In addition to the requirements above, under the LGPD, organizations must, in most circumstances:

  • Appoint an officer to “be in charge of the processing of data,” who, together with the organization, shall be jointly liable for remedying any damage, whether individually or collectively, in violation of the personal data protection legislation, caused by them (there is little specificity around the role or responsibility of the data processing officer; however, it is not mandatory for the officer to be located in Brazil);

  • Maintain a record of their processing activities;

  • Perform data protection impact assessments;

  • Design their products and services with privacy as a default;

  • Adopt security, technical, and administrative measures able to protect personal data from unauthorized access, as well as accidental or unlawful destruction, loss, alteration, communication (likely similar standards to those established under the Brazilian Internet Act); and

  • Notify government authorities and individuals in the case of a data breach.

Meeting these requirements will likely be a significant administrative burden for organizations, especially as they work to meet varying documentation and governance requirements between the GDPR, CCPA, and LGPD. This effort is made more complicated by the lack of clarity in some of the LGPD administrative requirements. For example, while the LGPD requires a record of processing, it does not delineate what should be included in the document, and while it establishes that privacy impact assessments should be carried out, it does not indicate when such assessments are required.

Final Thoughts

Given August 2020 is right around the corner, global organizations processing personal data from or in Brazil should consider immediately moving forward with a review of their current data protection program to identify and address any LPGD compliance gaps that exist. As privacy law changes and global compliance requirements are top of mind for many clients operating global operations, we will be sure to provide timely informational updates on the LGPD, and any ANPD guidance issued.

Greenberg Traurig is not licensed to practice law in Brazil and does not advise on Brazilian law. Specific LGPD questions and Brazilian legal compliance issues will be referred to lawyers licensed to practice law in Brazil.

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 65



About this Author

Kate Black Shareholder GT Law Miami SF Data, Privacy & Cybersecurity Life Sciences & Medical Technology IP Technology Licensing & Transactions

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and emerging models of health care research and delivery. She’s managed every aspect of global privacy programs, including supervising privacy assessments, providing product strategy and counseling, managing complex vendor and partner agreements, and...

Gretchen A. Ramos, Lawyer, Greenberg Traurig, Data, Privacy & Cybersecurity,The Cloud,Artificial Intelligence, Big Data

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.

Gretchen works closely with her clients to manage data and leverage its value in ways to meet compliance obligations as well as deliver value to the business and instill consumer trust. Her experience working with various industries allows her to quickly assess options and risks, and guide clients, including numerous genomic data companies, in resolving complicated privacy issues.

Gretchen has litigated, mediated, and arbitrated commercial disputes, including class actions, at state and federal courts nationwide, and has tried numerous cases to verdict. Her wide-ranging litigation background allows her to advise clients on the litigation risks they face in determining how to handle data privacy issues. In addition to providing compliance advice, Gretchen defends companies facing FTC and other regulatory investigations, and individual and class action claims involving privacy, information security, and consumer protection.


  • EU GDPR compliance

  • Cross-border transfer mechanisms (Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules), and data processing agreements

  • FTC CIDs, State Attorney General investigations

  • Behavioral advertising, automated processing and profiling

  • Security breach response and notification

  • DPIAs and addressing complicated privacy issues relating to product development


  • Privacy and security gap assessments

Giovanni Biscardi  SHAREHOLDER Corporate Latin America Practice

Giovanni Biscardi focuses his practice on mergers and acquisitions, and corporate matters, including commercial and financing agreements. He assists U.S. clients in structuring their investments throughout Latin America and has a long track record of handling complex cross-border transactions for Fortune 500 companies and private equity funds. He also assists foreign individuals and entities with their investments in the United States.

Giovanni has deep experience handling legal work related to business transactions in numerous international jurisdictions, including Argentina,...