LGPD: what companies need to know to ensure compliance

The General Data Protection Law (LGPD) is a Brazilian law that regulates the collection, storage, use, and sharing of personal data. The law was approved in 2018 and came into effect in September 2020, with the aim of protecting the fundamental rights of privacy and freedom of choice regarding individuals' personal data.

The LGPD applies to all companies and organizations, including public and private entities, that process the personal data of individuals within Brazilian territory. This includes the personal data of customers, employees, business partners, and other individuals.

The LGPD establishes several principles to ensure the protection of personal data, including:
  • Purpose: Companies may only collect, store, and use personal data for specific, legitimate, and explicit purposes, and must inform individuals about these purposes before collecting their data.

  • Free and Specific Consent: Individuals must give their free and specific consent for the collection, storage, and use of their personal data.

  • Transparency: Companies must provide clear and accurate information about how personal data will be processed and what security measures will be adopted to protect it.

  • Data Minimization: Companies must only collect the personal data necessary to fulfill specific purposes and must delete personal data that is no longer necessary.

  • Integrity and Confidentiality: Companies must adopt security measures to ensure the integrity and confidentiality of personal data and protect it against unauthorized access or leaks.

  • Right to Information: Individuals have the right to request information about the personal data that companies hold about them and to demand the correction or deletion of incorrect data.

  • Accountability: Companies are responsible for ensuring that their data processing practices comply with the LGPD and can be held accountable for violations of the law.

In addition to the principles mentioned above, the LGPD also establishes other obligations for companies, including:
  • Appointment of a Data Protection Officer (DPO): Companies must appoint a DPO to serve as the point of contact with the regulatory authority and individuals regarding data protection issues.

  • Record of Data Processing Activities: Companies must maintain detailed records of their data processing activities, including information about the purposes of processing, the data collected, and the security measures adopted.

  • Security Breach Notification: Companies must immediately notify the regulatory authority and affected individuals in the event of security breaches that could pose risks to individuals' rights and freedoms.

  • Data Protection Impact Assessments (DPIA): Companies must conduct DPIAs to identify risks to data protection and adopt measures to mitigate them before starting data processing activities that may pose a high risk to individuals.

  • Cooperation with the Regulatory Authority: Companies must cooperate with the regulatory authority and provide requested information and documentation to ensure compliance with the LGPD.


It is important to note that companies that do not comply with the obligations established by the LGPD are subject to administrative sanctions, such as fines and cessation orders, as well as civil and criminal liability. The LGPD also provides for the creation of a regulatory authority, the National Data Protection Authority (ANPD), which is responsible for overseeing compliance with the law and taking measures to ensure the protection of individuals' rights.
