EU GDPR vs. Brazil LGPD


General requirements: similarities and differences

The comparison below sets the GDPR and the LGPD side by side on each point.
Who does it apply to?

Both laws have extraterritorial application/effect.

GDPR: The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law therefore applies to organizations that handle such data, whether they are EU-based organizations or not (Art. 3).

LGPD: Any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located. The LGPD applies to any individual whose data has been collected or is being processed while inside the territory of Brazil, not only to Brazilian citizens.

Personal data

GDPR: Any piece of information that relates to an identifiable person.

LGPD: According to Art. 5, personal data is any information of an identified or identifiable natural person.

Data subject rights

GDPR: In Chapter 3, the GDPR grants data subjects the following eight fundamental rights:

  1. the right to be informed;
  2. the right of access;
  3. the right to rectification;
  4. the right to be forgotten;
  5. the right to restrict processing;
  6. the right to data portability;
  7. the right to object to processing; and
  8. the rights in relation to automated decision-making and profiling.

LGPD: Article 18 of the LGPD (Lei Geral de Proteção de Dados) creates nine fundamental rights for data subjects. They are essentially the same rights as under the GDPR, but the LGPD splits “the right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “right to be informed” to make it more explicit. Article 18 empowers individuals with the rights to:

  1. confirmation of the existence of the processing of their data,
  2. access their data,
  3. correct incomplete, inaccurate or out-of-date data,
  4. anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD,
  5. have their data be portable, i.e. handed over to another service or processor if requested,
  6. have their data deleted,
  7. information about public and private entities with which the controller has shared data,
  8. information about the possibility of denying consent and the consequences,
  9. revoke consent.

Data protection officers

GDPR: The GDPR outlines when a DPO is required (Art. 37).

LGPD: Article 41 of the LGPD simply says, “The controller shall appoint an officer to be in charge of the processing of data,” which suggests that any organization that processes the data of people in Brazil will need to hire a DPO.

Legal basis for processing data

GDPR: The GDPR provides six legal bases for processing personal data. They are listed in Article 6 para. 1 and are the following:

  1. Consent (lit. a)
  2. Contractual performance (lit. b)
  3. Compliance with a legal obligation (lit. c)
  4. Vital interests (lit. d)
  5. Public interest (lit. e)
  6. Legitimate interests (lit. f)

LGPD: Article 7 of the LGPD lists ten legal bases. Notably, the protection of credit (referring to a credit score) is a legal basis for processing data, which is a real difference from the GDPR. The ten legal bases in the LGPD (Article 7) for lawful processing of personal data are:

  1. With the consent of the data subject,
  2. To comply with a legal or regulatory obligation of the controller,
  3. To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments,
  4. To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data,
  5. To execute a contract or preliminary procedures related to a contract to which the data subject is a party,
  6. To exercise rights in judicial, administrative or arbitration procedures,
  7. To protect the life or physical safety of the data subject or a third party,
  8. To protect health, in a procedure carried out by health professionals or by health entities,
  9. To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties requiring personal data protection prevail,
  10. To protect credit.

Reporting data breaches

GDPR: Report a data breach within 72 hours.

LGPD: There is no guidance yet on what constitutes a “reasonable time period”, as the national data protection agency has not yet been established.

Fines

GDPR: Up to €20 million or 4% of annual global revenue, whichever is higher.

LGPD: “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reais” (this works out to roughly €11 million).
