Comprehensive and strict data protection: the Brazilian LGPD

by Martha Wanat
9/5/24 8:43 AM

The Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil's General Data Protection Law, which aims to create a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors, regardless of the location of the organization processing the information. Its contents serve to protect privacy, ensure openness, promote progress and development, harmonize standards, provide legal certainty and promote market competitiveness.

It was adopted on September 18, 2020 and came into force retroactively on August 16, 2020. Sanctions became enforceable from August 1, 2021, and affected individuals and authorities were able to assert their rights from September 18, 2020. It is intended to replace or supplement the current inconsistent legal landscape (with over 40 federal, sector-based standards) with a central legal framework. A national data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), was initially established for this purpose, which passed the law and has been enforcing it ever since.

The LGPD is also referred to by some sources as the “Brazilian GDPR” (General Data Protection Regulation) or as a “response to the GDPR” and was in fact also designed to achieve “conformity” with the European General Data Protection Regulation in order to be able to exchange data with the EU. However, it must be added that the Brazilian law is in line with the European requirements in many respects, but differs in others and goes beyond those of the GDPR.

As the LGPD is a long and detailed law that has a significant impact on day-to-day business in Brazil, it is essential to familiarize yourself with it when doing business with Brazilian customers and partners.

In this article, we will discuss how the LGPD prevents the misuse of personal data and regulates how companies and organizations may collect, use and process this data and what consequences this may have for your business.

I. What does the LGPD contain? The legal basis

The LGPD consists of 65 articles. We will now take a closer look at some of them.

1. Legal basis for the protection of personal data

Articles 17-22 grant new rights to consumers, i.e. those whose data is collected and/or processed, mainly individuals or natural persons.

Article 2 sets out the legal basis for the protection of personal data:

  1. Respect for privacy
  2. Informational self-determination
  3. Right to freedom of expression, information, communication and opinion
  4. Inviolability of privacy, honor and reputation
  5. Economic and technological development and innovation
  6. Free enterprise, free competition and consumer protection
  7. Human rights, free development of personality, dignity and exercise of citizenship by natural persons

2. Legal bases of the Brazilian Data Protection Act

Article 7 covers the legal bases or occasions under which data processing can take place. According to the LGPD, data may only be processed if there is at least one legal basis for it. The 10 legal bases are:

  1. Consent of the user
  2. The fulfillment of a legal or regulatory requirement that applies to the data controller
  3. The execution of public documents (if these documents are supported by laws, regulations or contractual agreements)
  4. The execution of studies by research institutions - where possible, ensuring anonymization of the personal data used*
  5. The fulfillment of a contractual agreement to which the user is a party (or its preliminary stages)
  6. The proper exercise of rights in judicial, administrative or arbitration proceedings *
  7. The protection of the life or physical safety of the user or a third party
  8. The protection of health - in a procedure carried out by health professionals, health services or the health authority*
  9. The legitimate interests of the controller or third parties, except where such interests are overridden by the interests, rights and freedoms of the user
  10. Credit protection, including the requirements of the relevant legislation*

It should be noted that this is not a hierarchical list and that the most appropriate basis will be chosen based on the specific circumstances.

 

3. “Legitimate interest” as a legal basis

a. Definition

We would like to take a closer look at one of the legal bases, legitimate interest, because it is very popular, also under other data protection laws, as it causes less work for the controller and others. But what does “legitimate interest” mean?
Generally speaking, “legitimate interest” refers to the use of personal data in a way that consumers can reasonably expect. However, “interest” is a very broad term and can include commercial interests as well as the common good.
A “legitimate interest” within the meaning of the LGPD (Article 10) would apply under several broad conditions:

  • the data processing has a clear benefit but is not required by law
  • there is a low risk that the processing violates the privacy of the data subjects
  • the data subjects can reasonably assume that their data will be used

b. Usage

However, you cannot simply rely on a “legitimate interest” as a legal basis for convenience. The processing must be necessary for a specific purpose and additional transparency is required. The application of “legitimate interest” requires a balance between the rights of data subjects and the interests of controllers (and potential third parties). Since the drafting of the law, there have been concerns that the “legitimate interest” is a carte blanche for data controllers.

For this reason, a three-stage test has been devised, which is considered best practice:

  • Purpose test (what is the “legitimate interest”?)
  • Necessity test (is the processing necessary for the specified purpose?)
  • Balancing test (what are the interests of the data subject?)

c. Legitimate interest and data protection impact assessments (DPIA)

The LGPD gives the ANPD the option (Article 38) to require data controllers to prepare a data protection impact assessment or report if the legal basis chosen by the controller is a “legitimate interest”. This is intended to identify and mitigate the risks of processing. The processing must not be more risky than that for which consent is required. However, if there is no need to inform users in order to obtain their consent, the same level of transparency for users is not required. There is currently a debate about whether a data protection impact assessment is the right procedure in such cases or whether a “legitimate interest” assessment would be more appropriate.

 

4. Basics of data processing

The LGPD requires that you only process personal data for legitimate, specific, explicit and clearly communicated purposes. The principles for data processing are broadly similar to those of the GDPR:

  • There must be a purpose for the processing. This means that any data processing activity must be carried out for legitimate, specific, explicit and clearly communicated purposes - you must not carry out additional processing that is not consistent with the communicated original purposes.
  • Adequacy. Both the way in which the data is processed and the processed data itself must be proportionate to the purposes of the processing.
  • Limitation of the purpose. This is similar to the concept of data minimization under the GDPR and simply means that you may only process data that is necessary to fulfill the processing purposes you have specified.
  • Freedom to exercise rights and free access to information. Users must be able to freely exercise their rights under the LGPD and have unhindered, easy access to all information about the processing of their personal data - free of charge.
  • Data integrity/quality. You, the data controller, must ensure the accuracy of the processed data and keep it up to date and relevant in accordance with the purpose of the processing.
  • Transparency. Information about your data processing must be clear, accurate and easily accessible to users. Users must also be able to obtain information about the third parties with whom the data is shared.
  • Security. Both the data controller and any processors (operators) must ensure that technical and organizational measures are in place to protect personal data from unauthorized access, accidental or unlawful destruction, loss, alteration and unauthorized disclosure or dissemination.
  • Prevention. It is the responsibility of the controller and the processor to take technical and organizational measures to prevent the processing of personal data from causing damage.
  • Avoidance of discrimination. No data processing may be carried out on discriminatory grounds.
  • Sense of responsibility. As a data controller, you must comply with the applicable law and be able to prove this.

 

II. Core definitions and terminology of the LGPD 

We would now like to introduce the most relevant terms of the LGPD (Article 5):

1. Personal data

Analogous to the GDPR, personal data in the context of the LGPD is all data relating to an identified or identifiable person. This also includes data that can be combined with other information to identify a person.
Non-personal data includes, for example, company registration numbers, generic company email addresses and anonymized data.

2. Sensitive personal data

The LGPD distinguishes “sensitive” data from “normal” personal data and applies separate regulations to this category of personal data. Sensitive data is any data relating to racial or ethnic origin, religious beliefs, political opinions, health or sex life; or data that allows the user to be uniquely and permanently identified, such as genetic or biometric data.
As the processing of sensitive data is more likely to expose the user to the risk of discrimination, sensitive data must be processed with additional security measures, with very specific legal bases for processing.
In general, you can only process sensitive data if the user (or their parent/legal guardian if the person is a minor) has given their consent for the processing in question.
The following exceptions apply to the processing of sensitive data, so that consent can be bypassed:

  • Fulfillment of a legal obligation incumbent on the data controller;
  • joint processing necessary for the public administration to execute legal or regulatory public documents;
  • conducting studies by a research organization - ensuring, whenever possible, that sensitive personal data is anonymized;
  • the protection of the life or physical safety of the user or a third party;
  • health protection, exclusively, in procedures carried out by health professionals, health services or a health authority;
  • health surveillance in a procedure carried out by health professionals or health institutions;
  • the regular exercise of rights - including contractual, judicial, administrative and arbitration rights; or
  • fraud prevention and user security (e.g. for identification and authentication of registration in electronic systems) - insofar as the rights of users are protected and do not outweigh the rights and freedoms of the user.

3. Anonymized data

Completely anonymized data (data that cannot lead to the identification of a person either directly or indirectly with reasonable effort) does not fall within the scope of the LGPD. However, if the anonymization process is reversible or if the data is used for behavioral profiling, the LGPD still applies.

The process of anonymization refers to “appropriate and available technical means at the time of processing” to remove identifiable markers from the data so that they “lose the possibility of direct or indirect association with an individual”. In the context of data protection laws, the requirement for possible de-anonymization of data, i.e. restoration of identifiability, is also common.

4. Processing

Any operation performed on personal data, such as “collection, production, receipt, classification, use, access, copying, transmission, dissemination, processing, archiving, storage, erasure, evaluation or control of data, alteration, communication, transfer, dissemination or extraction”.

5. Data subject

A natural person or individual whose data is processed.

6. Controller

A natural or legal person, whether public or private (i.e. may refer to a company or other organization), who makes decisions about the processing of personal data.

7. Operator (processor)

A natural or legal person governed by public or private law (i.e. may refer to a company or other organization) that processes personal data on behalf of the controller. The LGPD calls this role the “operator”; it is referred to as a “processor” in some other laws.

8. Sharing data

The “communication, dissemination, international transfer, interconnection of personal data or joint processing of personal databases by public sector bodies and entities in accordance with their statutory powers or between them and private sector entities on the basis of a specific authorization for one or more processing modalities authorized by those public sector entities or between private sector entities”.

International transfers are an important issue where countries do not have adequate data protection arrangements in place. Sharing is also important for companies that make their money by selling data, as data subjects usually have to consent before their data can be sold to third parties.

 

III. What consumer rights does the LGPD define?

Article 18 sets out the rights of the data subject vis-à-vis the controller:

  • Confirmation. Users have the right to obtain confirmation that processing has taken place.
  • Access. Users have the right of access to their data processed by the data controller.
  • Data portability. Users have the right to portability of their data to another service or product provider, at their express request, in accordance with the requirements of the national authority and in compliance with commercial and industrial confidentiality.
  • Rectification. Users have the right to rectify their personal data if it is inaccurate or incomplete.
  • Anonymization. The user has the right to anonymization, blocking or elimination of unnecessary or excessive personal data or data that is not processed in accordance with the LGPD.
  • Erasure. Users have the right to have their personal data erased when the processing of this data was based on consent.
  • Information. Users have the right to be informed about sub-processors and other third parties who access or process their personal data. Users also have the right to be informed about their choices regarding consent and the consequences of refusing consent.
  • Withdrawal. Users have the right to withdraw or revoke their consent.
  • Lodge a complaint. Users have the right to lodge a complaint with the Data Protection Authority (DPA).
  • Objection. Users have the right to object to the processing of their personal data if the legal requirements are not met.
  • Request a review. Users have the right to request a review of decisions made solely on the basis of automated processing of personal data relating to their interests. This includes decisions that are used to determine their personal, professional, consumer and credit profile or aspects of their personality.

 

IV. Consent through opt-in

1. Definition

Consent (Article 5) is defined as the “freely given, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement, signifies agreement to the processing of his or her personal data for a specific purpose”. The terms “freely given, informed and unambiguous” are also fundamental to the definition of effective consent in other data protection laws.

2. Requirements and conditions for consent under the LGPD

Article 8 sets out the conditions for obtaining, re-obtaining and demonstrating consent, as well as the conditions for withdrawing consent. According to the LGPD, the user must be able to withdraw or revoke consent at any time.

For this purpose, an opt-in model is used for consent management, which means that companies can only collect or process data if the user agrees to this. This requirement applies both to personal data such as names and email addresses and to detailed data such as that collected by website cookies. Internationally, other laws such as the European Union's General Data Protection Regulation (GDPR) and POPIA in South Africa also use this model of consent.

The LGPD, like many other data protection laws, contains specific provisions for children and their data (Article 14). In relation to the consent of children under the age of 18, you must obtain the explicit and unambiguous consent of a parent or guardian. You must make all reasonable efforts (using available technology) to verify that the person giving consent actually has parental responsibility for the child.

3. Exceptions in relation to consent

a. Publicly available data

Before the LGPD legislation, companies were allowed to collect and process personal data published via the internet or any other public source for any reason; however, under the LGPD, this is no longer permitted.
According to the LGPD guidelines, public personal data may only be collected and used in two ways:

  • for the same purpose for which the data was originally processed - in which case the user's consent is not required; or
  • for a different purpose, and only if you, the data controller, can legitimately apply a valid legal basis for the processing (more on this below).

Note: Based on the above, “scraping” or the collection of publicly available data for marketing purposes etc. is likely to be restricted by the LGPD.

b. Sensitive data

When it comes to the processing of sensitive data, consent can only be bypassed if this processing is absolutely necessary for:

  • Fulfillment of a legal obligation incumbent on the data controller;
  • joint processing necessary for the public administration to execute legal or regulatory public documents;
  • conducting studies by a research organization - ensuring, whenever possible, that the sensitive personal data is anonymized;
  • the protection of the life or physical safety of the user or a third party;
  • health protection, exclusively, in procedures carried out by health professionals, health services or a health authority;
  • health surveillance in a procedure carried out by health professionals or health institutions;
  • the regular exercise of rights - including contractual, judicial, administrative and arbitration rights; or
  • fraud prevention and user security (e.g. for identification and authentication of registration in electronic systems) - insofar as the rights of users are protected and do not outweigh the rights and freedoms of the user.

c. Children's data

According to the LGPD, exceptions to the requirement for consent to process the data of children under the age of 12 apply if the processing is necessary to contact the parents or legal guardians or to protect the child. The data may only be used once and may not be stored or passed on to third parties without the relevant consent.

 

V. Who is affected by the LGPD? Territorial scope of the LGPD

As mentioned above, the LGPD applies to Brazilian residents. Thus, any company that interacts with Brazilian customers, employees, service providers, business partners or contractors and collects data from them directly or indirectly must ensure that the processing of their data fully complies with the law. This also applies to companies or websites operating anywhere in the world, as the location of your company is not relevant (Article 3). This provision of extraterritoriality is also common in other international data protection laws (e.g. GDPR or CCPA).

Specifically, this means that the LGPD applies to you if:

  • Your data processing activities are carried out in Brazil (e.g. you use servers located in Brazil);
  • you provide or supply goods or services to persons located in Brazil, regardless of their nationality; or
  • you process data relating to individuals located in Brazil (even if the individual was only located in Brazil at the time the data was collected and has since relocated).

Unlike other international data protection laws, the LGPD is not limited to companies of a certain size or turnover.

 

VI. What are the requirements and obligations for companies?

1. Introduction of a data protection officer

According to the LGPD, you as the controller must appoint a DPO who is responsible for ensuring compliance with the company's obligations. There are no exceptions to this rule.
DPOs are individuals who are responsible for the following:

  • Receiving complaints and notifications from users, providing clarifications and taking appropriate action;
  • Training and advising the data controller's employees and contractors on the measures to be taken to protect the personal data processed;
  • Receiving notifications from the ANPD and adopting appropriate measures; and
  • fulfilling other obligations “determined by the data controller or laid down in supplementary regulations”.

Article 40 regulates the requirements for a data protection officer. It is not necessary for the data protection officer to be a natural person, so this task can also be performed by a committee or group or outsourced by the company. The law does not specify the size of a company or the nature of its business activities or data processing with regard to the obligation to appoint a DPO. However, it is possible that the ANPD will adapt these requirements over time. 

According to Article 41, the identity and data of the DPO must be publicly available. The DPO is not required to have specific qualifications or experience, although this may change in the future and certain qualifications or experience may facilitate the performance of his or her tasks.

 

2. Transparency

Similar to the GDPR, transparency is a core principle of the LGPD; thus, users have the right to easier access to information about the processing of their personal data - which must be provided in a clear, adequate and conspicuous manner.
These disclosures include:

  • The specific purpose of the processing;
  • the nature of the processing and the duration of the processing;
  • the identifying details of the data controller;
  • the contact details of the data controller;
  • information about who the data is shared with and why;
  • the responsibilities of any processors or agents who will carry out the processing;
  • the rights of the user (data subject), with explicit mention of user rights under Art. 18 of the LGPD (mentioned above), how these rights can be exercised and whether personal data will be processed to respond to a request to exercise these rights.

3. (Cross-border) data transfers

Article 33 specifies when data may be transferred internationally. As already mentioned, the LGPD applies extraterritorially, i.e. if data subjects are in Brazil at the time of data processing, the LGPD applies, even if the processing takes place outside Brazil. The data transfer is then deemed to have taken place.
The LGPD permits the cross-border transfer of personal data if there is an adequate level of protection for this data. In practice, this means that the transfer is permitted if it is assumed that the receiving country has legislation that provides an adequate level of protection. The Data Protection Authority (DPA) assesses the adequacy level of the receiving country or international organization.
If the adequacy level is not met, it may still be possible to transfer the data abroad. For example, companies may transfer personal data outside Brazil (e.g. for processing) under the following conditions:

  • The controller provides and ensures compliance with the principles of the LGPD and the rights of data subjects, including contractual clauses
  • if the transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial authorities in accordance with international law
  • if the transfer is necessary to protect the life or physical integrity of the data subject or a third party
  • if the ANPD has authorized the transfer
  • if there is an international cooperation agreement that allows the transfer
  • if the transfer is necessary for the implementation of public policy or for the legal assignment of the public service
  • if the data subject has previously given their informed consent to the transfer and its purpose(s)
  • if this is necessary to fulfill the conditions of points II, V and VI of Article 7
  • when the data controller receives the informed, explicit, prior consent of the user, which must be separate from the other processing purposes and requests

Until the ANPD is fully operational and has reviewed many of the LGPD's conditions, companies may be limited to certain conditions for data transfers (or to the use of only two recommended conditions): explicit informed consent or the need to carry out a transfer. The LGPD provides for other transfer mechanisms, but the above are the relevant ones for companies in the context of their business activities.

 

4. Records of data processing activities

According to the LGPD, both data controllers and processors must keep records of their personal data processing activities - especially if the processing is based on a “legitimate interest”, as we explained above. All controllers and processors - regardless of size, frequency of processing or type of data processed - must comply with this record-keeping obligation. However, exceptions may be granted by the data protection authority. 

 

5. Notification of data breaches

According to the LGPD, data controllers or processors must take security, technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, disclosure or any kind of unlawful processing.
If a data breach occurs (Article 48), the controller must report it to the ANPD within a “reasonable” period of time if it is likely to result or has resulted in a risk of harm or damage to data subjects. The 2021 ANPD requirements state that this information must be communicated within two working days of becoming aware of the incident. The data controller or company must assess the incident and determine the type, category and number of data subjects affected. 

The notification must contain at least the following:

  • A description of the type of personal data affected;
  • Details of the affected users;
  • information on the technical and security measures used to protect the data - while maintaining business and trade secrecy
  • the risks associated with the incident;
  • the reasons for any delay in reporting the incident to the DPA (in cases where notification was not immediate); and
  • the measures that have been or will be taken to remedy or mitigate the effects of the damage.

The ANPD will consider the severity of the incidents and may instruct the controller to take measures to safeguard the rights of data subjects where necessary, including full disclosure of the incident to the media or measures to mitigate or reverse the effects of the incident.

The ANPD may issue special rules and exemptions to the LGPD for small business owners, start-ups and similar entities, which would provide flexibility for some aspects such as communication of security incidents to the ANPD and affected individuals or deadlines for responding to requests from affected individuals or the ANPD.

 

6. Data protection impact assessment (DPIA)

A Data Protection Impact Assessment is a process that helps the data controller comply with data protection requirements - and ensures that key principles are effectively adhered to.
According to the LGPD, DPIA documentation generally includes the description of personal data processing activities that could create risks to civil rights and freedoms, as well as measures, safeguards and mechanisms to mitigate that risk.

The DPIA document must contain at least the following:

  • A description of the categories of data processed;
  • the methods used to collect the data
  • the security measures used; and
  • a description of the measures used to mitigate the risks associated with the processing of the personal data.

The law does not explicitly state when a data protection impact assessment is required, but the data protection authority may at any time require that a data protection impact assessment be carried out and submitted by the data controller.

 

7. Data protection management program for compliance with the LGPD

The LGPD stipulates that both data controllers and processors must set up internal processes and documents to ensure compliance with the law. This includes a data protection monitoring program and measures that demonstrate its effectiveness.
The monitoring program should at least:

  • demonstrate the controller's commitment to ensuring compliance with rules and best practices;
  • be applicable to the entire scope of personal data under the control of the respective processor - regardless of the means used to collect the data;
  • be adapted to the particular structure, scope and volume of the operations and the sensitivity of the data processed
  • implement appropriate documents and safeguards based on a process of systematic privacy impact and risk assessment;
  • have the purpose of creating a relationship of trust with the user;
  • ensure that user engagement mechanisms are integrated into the overall governance structure of the program and establish and apply internal and external monitoring mechanisms;
  • have plans and solutions in place to respond to incidents; and
  • be constantly updated based on information obtained from continuous monitoring and regular assessments.

The data controller must be able to demonstrate the effectiveness of its data protection program when required - especially when requested to do so by the national authority.

 

8. Post-processing activities in accordance with the Brazilian Data Protection Act

Termination of data processing

Article 15 specifies when the processing of personal data must be terminated. This applies, among other things, when:

  • the specific purpose of the processing has been achieved or the data are no longer needed to fulfill that purpose
  • the period of processing ends
  • the data subject exercises their right to withdraw their consent to processing
  • the ANPD determines that there has been a breach of the provisions of the LGPD

Deletion of personal data

The deletion of the personal data collected is regulated in Article 16, following on from the termination of processing. In general, personal data must be deleted after processing has ended. The data may be retained rather than deleted immediately in the following cases:

  • for compliance with a legal or regulatory obligation to which the controller is subject
  • for research purposes, whereby anonymization must be ensured wherever possible
  • transfer to third parties, provided that the legal provisions for this are complied with
  • exclusive use by the controller, provided that the data is anonymized and not accessed by third parties

 

VII. Exceptions to the scope of the Brazilian Data Protection Act

Article 4 specifies when the LGPD is not applicable. This is the case, for example, if the processing of personal data

  • is carried out exclusively for private, non-profit purposes
  • is carried out exclusively for journalistic, artistic and/or academic purposes
  • is carried out exclusively for the purposes of public and state security, national defense or the investigation and prosecution of criminal offenses
  • is carried out from outside Brazil and is not the subject of communication or exchange with Brazilian data processors or the subject of an international transfer to a country other than the country of origin (provided that the country of origin offers an adequate level of data protection)

 

IX. What are the consequences for companies that fail to comply with the LGPD?

If the LGPD applies, the risks of non-compliance are considerable. As explained above, the national data protection authority ANPD is responsible for assessing violations and imposing sanctions if the provisions of the LGPD have not been complied with.
These sanctions can include fines of up to 2 percent of the company's annual turnover in Brazil or up to a maximum of BRL 50 million per violation (approx. EUR 8-9 million or approx. USD 9-10 million). Most companies cannot afford these high penalties.

However, the non-monetary sanctions are also severe:

  • Publication of the breach
  • Blocking or erasure of the processing activities or personal data to which the breach relates (example: If the breach occurred in relation to the collection of email addresses, this may mean the loss of the entire associated email list).
  • Blocking of the database (for up to 6 months) related to the incident, which may pause all other activities that could use said database

In addition, the LGPD (like the GDPR) provides consumers with a private right of action: the right to claim civil damages (pecuniary or moral) for the violation of the Data Protection Act. According to Article 42, a controller who causes damage (“pecuniary, moral, individual or collective damage”) by violating the LGPD is thus obliged to remedy it.

 

X. How do I achieve LGPD compliance?

To summarize, here's what you should do to be LGPD compliant:

  1. Appoint a Data Protection Officer to oversee data processing and security and clearly publish their name and contact details on your website.
  2. Set up an opt-in model and ask for consent. Be clear and transparent, actively communicate how and why customer data is processed, and make it easy to consent or opt out.
  3. Only store data for as long as it is needed to process a transaction and no longer.
  4. Document your entire processing procedure and how you collect, store, use and share personal data. The ANPD may ask you to provide this documentation.
  5. Take preventive measures against potential breaches to avoid the blocking or loss of data (databases) and costly legal proceedings.

 

XI. LGPD compliance through a Consent Management Platform (CMP)

The LGPD is already an effective law that prevents the misuse of personal data by regulating how companies and organizations may collect, use and process personal data. It is crucial that you assess the processing of personal data in your organization and know how the requirements of the LGPD apply to you.
At DWC, we will be happy to help you find out which of the LGPD's provisions apply to your business - even before possible changes to the law in the future, which are common in data protection. Make an appointment now for a free initial consultation!

 


Source of the law: https://lgpd-brazil.info/chapter_01/article_02