Data Protected - Brazil

Contributed by Mattos Filho

Last updated February 2024

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Brazilian General Data Protection Law No. 13,709/18 (Lei Geral de Proteção de Dados or “LGPD”).

Entry into force

In September 2020, the LGPD became effective with a retroactive applicable date of 16 August 2020. The National Data Protection Authority (“ANPD”) has been able to apply sanctions since August 1, 2021.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The National Data Protection Authority
Autoridade Nacional de Proteção de Dados (“ANPD”).
Shopping ID - Setor Comercial Norte, Quadra 06, Conjunto A, Bloco A, 9º Andar,
CEP 70297-400 - Brasília – DF

Notification or registration scheme and timing

There is no general obligation to make a prior notification to the ANPD about details of regular processing activities. However, there are obligations to notify specific events, such as data breaches, which are addressed below.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The LGPD has an extraterritorial reach. It applies to any processing activity, regardless of where the organisation collecting the data is established, if: (i) the processing is carried out in Brazil; (ii) the data has been collected in Brazil; and (iii) the processing is related to individuals in Brazilian territory or to the supply of goods or services in Brazil.

Is there a concept of a controller and a processor?

Yes. The LGPD establishes a concept for both. The controller is the person who can make decisions related to the processing of personal data. This person may be an individual or entity, whether public or private.

The processor is the individual or entity, whether public or private, that conducts the processing of personal data on behalf of the controller.

Are both manual and electronic records subject to data protection legislation?

Yes. The LGPD is applicable regardless of the means by which the data is processed.

Are there any national derogations?

The LGPD is not applicable to data processing: (i) carried out by a natural person for exclusively private and non-economic purposes; (ii) carried out exclusively for journalistic, artistic or academic ends so long as, whenever possible, the personal data is anonymised; (iii) carried out for the exclusive purposes of public security, national defence, state security or investigation and prosecution of criminal offences; or (iv) relating to personal data that originated in other countries and only passed through Brazil in transit.

On May 3, 2022, the ANPD released a technical study titled “The LGPD and personal data processing for academic purposes and studies by research organizations”. The ANPD’s study established that the LGPD section that provides for partial derogation when data processing is carried out exclusively for academic purposes should be subject to restrictive interpretation, limited to situations where personal data processing is strictly linked to exercising academic freedom. However, even in this scenario, data processing activities must be supported by one of the legal bases provided for in the LGPD.

_____________________________________________________________________

Personal Data

What is personal data?

Personal data is information related to an identified or identifiable individual. Thus, it includes any information that identifies or can identify a person, such as names, numbers, identification codes, or addresses.

Is information about legal entities personal data?

No. The LGPD only applies to personal data about individuals. It does not regulate data about companies or any other legal entities. However, information about one-person companies may constitute personal data where it allows the identification of a natural person.

What are the rules for processing personal data?

The LGPD establishes ten principles for the processing of personal data. These are that personal data must be: (i) processed for legitimate, specific and explicit purposes of which the data subject is informed (purpose); (ii) processed in a manner compatible with the purposes communicated to the data subject (suitability); (iii) the minimum necessary to achieve those purposes (necessity); (iv) available for consultation by data subjects free of charge (free access); (v) accurate, clear, relevant and kept up to date (data quality); (vi) accompanied by clear, precise and easily accessible information about the processing (transparency); (vii) subject to technical and organisational security measures (security); (viii) subject to measures to prevent damage (prevention); (ix) not processed for unlawful or abusive discriminatory purposes (non-discrimination); and (x) processed in a manner that allows demonstration of measures to prove compliance (accountability).

In addition, the processing can only take place where one of the following legal bases applies to the processing: (i) the data subject consents; (ii) it is for compliance with a legal or regulatory obligation; (iii) it is by the public administration; (iv) it is for research, ensuring anonymisation where possible; (v) it is necessary for the performance of a contract; (vi) it is for judicial or arbitral purposes; (vii) it is for the protection of life or physical safety; (viii) it is for the protection of health and carried out by a health professional; (ix) it is necessary to fulfil the legitimate interests of the controller or third party, and is not overridden by the data subjects’ rights; and (x) it is for the protection of credit.

Are there any formalities to obtain consent to process personal data?

The LGPD establishes that consent is a free, informed and unequivocal manifestation of the data subject that authorises the processing of personal data for a certain purpose. Generic authorisations, that is, authorisations that do not have a specific, explicit and informed purpose, are not effective.

Consent must be in writing or another means that demonstrates the manifestation of the will of the data subject.

Data subjects must be told of their right not to provide consent and the consequences of such refusal. Data subjects can also withdraw consent, which must be possible through a free and easy procedure.

Are there any special rules when processing personal data about children?

The processing of personal data of minors (which is any person under the age of eighteen) must be conducted in their best interest.

The processing of personal data of minors requires specific and conspicuous consent by at least one of the parents or legal guardian. Controllers must use every reasonable effort to verify that the consent was provided by the person responsible for the minor. The LGPD, however, allows the collection of personal data without the consent of parents or legal guardians in order to contact the parent or legal guardian. In this case, the personal data collected without consent may only be used once and it may not be stored under any circumstance, considering that its only purpose is to contact the parents or legal guardian.

On May 24, 2023, the ANPD published Declarative Statement No. 1/2023, which establishes that the personal data of children and adolescents may be processed on the basis of the legal grounds set out in Article 7 or, in the case of sensitive data, Article 11 of the LGPD, provided that the processing is carried out in their best interests. This is to be assessed on a case-by-case basis, in accordance with Article 14 of the LGPD. The statement aims to standardise the interpretation of the legal grounds for processing children’s and adolescents’ data.

Are there any special rules when processing personal data about employees?

There are no additional rules when processing personal data about employees.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data is any personal data related to the racial or ethnic origin of an individual, religious belief, public opinion, membership in a union or religious, philosophical, or political organisation, or data related to health, sex life, genetics or biometrics, when linked to an individual.

Are there additional rules for processing sensitive personal data?

The restrictions in the LGPD are strict for processing sensitive personal data.

It can only be processed where: (i) the data subject specifically and distinctly consents for a specific purpose; (ii) it is for compliance with a legal or regulatory obligation; (iii) it is by the public administration; (iv) it is for research, ensuring anonymisation where possible; (v) it is for judicial or arbitral purposes; (vi) it is for the protection of life or physical safety; (vii) it is for the protection of health and carried out by a health professional; and (viii) it is for fraud prevention.

The LGPD does not allow processing sensitive personal data to fulfil the legitimate interest of the controller or third parties or for credit protection.

Are there additional rules for processing information about criminal offences?

No. The LGPD is also not applicable to data processing carried out for the exclusive purposes of investigating and prosecuting criminal offences.

Are there any formalities to obtain consent to process sensitive personal data?

Consent for processing sensitive personal data must be given specifically and distinctly and must be for a specific purpose.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

A data protection officer must be appointed by the controller in all cases that involve the processing of personal data, including processing activities carried out by public entities.

On January 27, 2022, the ANPD approved the Regulation of Application of the LGPD for Small Processing Agents, which established that companies that do not process a large amount of data are not required to appoint a data protection officer. However, they must provide a channel for communication with the data subject.

The appointment of a data protection officer is considered best practice for these small companies.

What are the duties of a data protection officer?

The activities of a data protection officer include: (i) accepting complaints and notifications from data subjects, providing clarifications and adopting necessary measures; (ii) receiving notifications from the ANPD; (iii) informing employees and contracted parties within the organisation about the practices to be taken in relation to the protection of personal data; and (iv) executing other activities determined by the controller or established in supplementary regulations issued by the ANPD.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Yes. The LGPD has as one of its principles a general accountability obligation. This requires the demonstration and adoption of effective measures capable of proving compliance with data protection law and demonstrating the effectiveness of these measures. Moreover, the adoption of these measures is a mitigating factor if sanctions are imposed.

Are privacy impact assessments mandatory?

Privacy impact assessments must be provided to the ANPD, upon request. Therefore, even though they are not initially mandatory, it is highly recommended to have them already developed.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Data subjects have the right to have easy access to information relating to the processing of their personal data. This includes, but is not limited to: (i) the specific purpose of processing; (ii) the form and duration of the processing; (iii) the identification and contact details of the controller; (iv) details of any shared use of data; (v) the responsibility of processing agents; (vi) the processing of personal data as a condition for providing the product or service, or for exercising a right, if applicable; and (vii) the rights of the data subject.

Such information should be provided in a clear, appropriate and prominent manner.

Rights to access information

Data subjects have the right to access their personal data.

Rights to data portability

The LGPD created the right to portability, through which the data subjects may request the transfer of their personal data to another service provider or product supplier.

Right to be forgotten

The LGPD itself does not refer to the right to be forgotten. However, based on the Brazilian Federal Constitution principle of human dignity, the Brazilian Federal Supreme Court has recognised the applicability of the right to be forgotten in the civil sphere when invoked by a data subject.

Objection to direct marketing

The LGPD makes no reference to the right of objection to direct marketing and profiling. Nevertheless, this right may be considered an extension of the data subject’s right to withdraw consent or object to processing based on the legitimate interests condition.

Other rights

The data subject has the right to: (i) correction of incomplete, inaccurate, or outdated data; (ii) anonymisation, blocking, or elimination of data that is unnecessary, excessive, or processed in noncompliance with the provisions in the LGPD; and (iii) deletion of personal data that is processed with the data subject’s consent on withdrawal of that consent, except if the data is processed to fulfil any legal or regulatory obligation.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

Controllers and processors must protect personal data against unauthorised access and accidental or illicit situations such as destruction, loss, change, communication or any form of improper or illicit handling of personal data.

Technical and administrative security measures must be adopted for this purpose. The ANPD is responsible for determining the minimum technical standards for the protection of personal data, especially for sensitive personal data. Sector regulators, such as those for the health and financial sectors, may also establish such minimum security requirements.

Specific rules governing processing by third party agents (processors)

There is no express requirement for a controller to enter into a contract with a processor. However, documenting this relationship by contract is strongly recommended.

Notice of breach laws

Security incidents that may entail significant risk or damage to data subjects must be communicated to the ANPD and the data subjects within a reasonable period.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The cross-border transfer of personal data is permitted where it is to a country with an adequate level of protection, which will be evaluated by the ANPD. This will involve an assessment of, among other things, the adoption of security measures, the nature of data and the general standards in effect in the country of destination or in the international body.

Cross-border transfers are also permitted where the controller guarantees the protection of personal data through: (i) contractual clauses specific to the transfer; (ii) standard contractual clauses; (iii) global corporate rules; or (iv) certificates or codes of conduct.

In addition, cross-border transfer is permitted when: (i) it is necessary for international legal cooperation between government intelligence, investigations, and prosecution authorities; (ii) it is authorised by the ANPD; (iii) it is necessary for public policies or public service activities; (iv) data subjects have provided specific and conspicuous consent for the transfer upon prior information; (v) it is necessary for the fulfilment of a legal or regulatory obligation on the part of the controller; (vi) it is for a contract or procedures related to a contract in which the data subject is a party, as required by the data subject himself; and (vii) it is for the regular exercise of rights, including contractual performance and in court, administrative, or arbitration proceedings.

On August 15, 2023, the ANPD published the draft regulation on international data transfer and proposed the model of Brazilian standard contractual clauses to be included in agreements between data importers and exporters, in accordance with Brazilian legislation. The draft regulation was subject to public consultation and a public hearing. The definitive version of the regulation is yet to be made public.

Notification and approval of national regulator (including notification of use of Model Contracts)

As set out above, one situation in which transfers are permitted is where authorised by the ANPD. Similarly, the use of specific clauses, global corporate rules or certificates and codes of conduct requires authorisation from the ANPD.

Use of binding corporate rules

The LGPD contains the concept of global corporate rules, which are analogous to binding corporate rules. These must be approved by the ANPD.

_____________________________________________________________________

Enforcement

According to the regulatory agenda, in 2024 the ANPD intends to: (i) conclude the process of regulating international transfer of data; (ii) introduce complementary rules on the definition and duties of the Data Protection Officer, according to the nature and size of the entity or the volume of data processing operations; and (iii) introduce criteria for data anonymisation, among others.

The ANPD has also been involved in discussions on regulating Artificial Intelligence. In 2024, the ANPD is expected to follow up the matter of creating a regulatory sandbox to test AI, having opened a public consultation on the matter in 2023.

Fines

Controllers and processors that breach the LGPD can be subject to the following administrative sanctions: (i) a fine of up to two percent (2%) of a private legal entity’s, group’s or conglomerate’s revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of BRL 50 million (approximately EUR 9 million) per infraction; and (ii) daily fines.

Imprisonment

The LGPD does not allow imprisonment for breach of the LGPD.

Compensation

Controllers or processors that breach the law and cause material or moral damage are liable to compensate data subjects.

Other powers

The ANPD may issue a warning, with an indication of the time period for adopting corrective measures. It may also: (i) publicise a breach; (ii) block the processing of personal data to which the breach relates until the breach is remedied; and (iii) order the deletion of the personal data to which the breach relates.

The ANPD can audit processing carried out in violation of the LGPD and request information at any time from controllers and processors.

Practice

Please note that sanctions under the LGPD have been applicable since August 2021.

In October 2021, the ANPD approved the Regulation on Supervision and Sanctioning Procedures, which covers how the administrative sanctions provided for in the LGPD are applied.

On February 27, 2023, the ANPD published Resolution No. 4/2023, approving the Regulation for Calculating and Applying Administrative Sanctions. The Regulation defines the criteria and parameters which the ANPD must follow when administering monetary and non-monetary sanctions under Articles 52 and 53 of the LGPD.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The Self-Regulation Code for Email Marketing Practice 2009 (Email Code) regulates electronic marketing.

There are a number of other ePrivacy laws, such as Law No. 12,737/2012, which amends the legal provisions of the Brazilian Criminal Code (Federal Decree-Law No. 2,848) regarding privacy invasion on digital devices and the interruption of telecommunication services. The Brazilian Internet Act (Law No. 12,965/2014) regulates the use of connection and access logs, as well as the contents of private communications. The Wiretap Act (Law No. 9,296/96) provides that access to and interception of communications may only occur under the authority of a valid court order in criminal investigation proceedings. The Telecommunications Act provides that clients’ information can only be used for delivering services, and that telecom bills can only be revealed upon the express consent of the user or by valid court order.

_____________________________________________________________________

Cookies

Conditions for use of cookies

The LGPD does not specifically regulate the use of cookies.

However, if the data subjects do not agree to the usage of cookies, it should be possible to disable this function. This is based on the need to show a lawful basis, such as consent or legitimate interests.

Regulatory guidance on the use of cookies

In October 2022, the ANPD published Guidance on the Use of Cookies. The ANPD highlights, for example, that the principles of legality, necessity and adequacy must be observed when using cookies. Processing agents must also provide clear and appropriate information to data subjects about such use. Regarding the rights of data subjects, the ANPD gives special importance to observing the rights of access, revocation of consent (where applicable), opposition to data processing and data deletion. However, the Guidance is not binding and does not have normative force; rather, it aims to assist processing agents in the development of their online activities, including managing websites and applications, and offering products and services through these means.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The LGPD does not cover regulatory conditions for direct marketing by e-mail to individual or corporate subscribers. However, under the general provisions of the LGPD, particularly the need for a lawful basis for processing, direct marketing must provide an opt-out tool for individual subscribers.

In addition, the Self-Regulation Code for Email Marketing Practice 2009 recommends getting consent before sending direct marketing emails. Where there is an existing relationship, it may be possible to send marketing emails on an opt-out basis.

Conditions for direct marketing by e-mail to corporate subscribers

Not applicable.

Exemptions and other issues

Not applicable.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The LGPD does not regulate direct marketing by telephone to individual and corporate subscribers. However, some Brazilian states have introduced “do not call” lists.

On November 24, 2021, the Brazilian National Telecommunications Agency ("ANATEL") issued Act 10,413 (Operating Procedure for the Use of Numbering Resources), which established the exclusive and compulsory use of the prefix “0303” for active telemarketing services.

The telecommunications networks must allow the clear identification of this number on the user's handset display and must preventively block calls originating from active telemarketing at the request of the consumer.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The LGPD does not regulate direct marketing by telephone to individual and corporate subscribers. However, some Brazilian states have introduced “do not call” lists.

Exemptions and other issues

Not applicable.

_____________________________________________________________________