Professor Marcio Cots

Digital ethics & compliance around the globe

The General Data Protection Law (LGPD), established in Brazil in 2018 and effective from September 2020, marks a significant advancement in the regulation of privacy and personal data protection. Modeled after the European Union’s General Data Protection Regulation (GDPR), LGPD imposes strict guidelines on the collection, storage, processing, and sharing of personal data. For American companies operating in Brazil or handling the data of Brazilian citizens, adhering to LGPD is crucial to avoid substantial fines and reputational harm. This article outlines the key steps these companies should take to comply with LGPD requirements.

Understanding LGPD

The first step toward compliance is understanding LGPD and its implications. The law covers all aspects of personal data management, including its collection, storage, use, and sharing. Companies must familiarize themselves with LGPD’s core principles, which include transparency, purpose limitation, data adequacy, necessity, access rights, data quality, security, prevention, non-discrimination, and accountability.

LGPD Legal Bases: Ensuring Compliance in Data Processing

To comply with LGPD, American companies must correctly apply the legal bases that justify the processing of personal data. LGPD specifies seven legal bases for data processing, each with its own requirements:

Consent: Must be clear, specific, and informed, reflecting the data subject’s agreement for a defined purpose. Consent forms should be easy to understand and accessible.

Compliance with Legal or Regulatory Obligations: Allows data processing to meet legal or regulatory requirements, such as those related to tax and labor laws.

Contract Execution: Data can be processed to fulfill contracts or for preliminary steps related to a contract requested by the data subject.

Protection of Life or Physical Integrity: Permits data processing to safeguard the life and physical integrity of the data subject or others.

Health Protection: Covers data processing by health professionals or services necessary for medical procedures.

Legitimate Interest: Data processing based on the company’s legitimate interests is allowed, as long as these interests do not override the rights of the data subjects. This requires a thorough impact assessment.

Credit Protection: Authorizes data processing to protect the financial and credit situation of the data subject.

Companies need to identify which of these legal bases apply to their data processing activities and ensure their practices align with LGPD guidelines. Proper documentation of these bases is essential for demonstrating compliance and addressing inquiries from the National Data Protection Authority (ANPD) or data subjects. Companies should also be ready to adapt their practices in response to new regulations and guidelines from the ANPD.

Appointment of a Data Protection Officer (DPO)

LGPD mandates the appointment of a Data Protection Officer (DPO). The DPO is responsible for ensuring the company’s compliance with LGPD and acts as a liaison between the organization and the National Data Protection Authority (ANPD). American companies should consider appointing a DPO based in Brazil who has a strong understanding of both Brazilian laws and U.S. business practices.

Conclusion

For American companies looking to enter the Brazilian market, understanding and complying with LGPD guidelines is essential for operational success and integrity. Adhering to key legal bases like consent, legal obligations, and legitimate interest is crucial for avoiding penalties and safeguarding corporate reputation. Additionally, appointing a DPO based in Brazil, who is well-versed in both Brazilian regulations and American business practices, is a strategic move to ensure ongoing compliance and facilitate effective communication with the ANPD. This preparation not only eases market entry and operations in Brazil but also demonstrates a firm commitment to data protection and corporate responsibility, strengthening the company’s credibility and presence in the country.

Contact our experts today to learn how we can help your company enter the Brazilian market in full compliance with privacy regulations, with DPOs based locally.
