LGPD Newsletter

Important requirements under the LGPD

The LGPD imposes obligations on controllers and operators. It also imposes certain requirements on organizations so that individuals can claim their rights under the law.

Individual Rights

The LGPD grants certain rights to data subjects. The intention is to protect their personal data, without requiring citizenship or residence in Brazil for a person to qualify as a data subject under the LGPD. Under the law, data subjects have the right to receive adequate notice of the rights they have.

The LGPD allows data subjects to receive the following from a controller with respect to their personal data:

  • Confirmation as to the existence of personal data processing;
  • Correction of incomplete, inaccurate, or outdated data;
  • Anonymization, blocking or deletion of unnecessary or excessive data, or of data processed in violation of the provisions of the LGPD;
  • Data portability;
  • Deletion of personal data processed with the consent of the data subject (subject to certain exceptions);
  • Information about the public and private entities with which the controller has shared data;
  • Information about the possibility of not providing consent and the consequences of refusal;
  • Revocation of consent.

The LGPD gives data subjects the right to object to and restrict the processing of their personal data, and allows individuals to request the deletion of their personal data. In addition, the right of access is recognized by both the GDPR and the LGPD. Therefore, organizations must grant data subjects access to their own personal data when required. Still, there are some differences between the GDPR and the LGPD, including the time frame for responding to an access request. In general, organizations subject to the GDPR must respond to access requests within 30 days of receiving the request. However, the LGPD sets a time limit of 15 days, while requests relating to the exercise of other rights must be responded to immediately. It is important to note that data subject requests under the LGPD are a topic of the law that still requires regulation by the ANPD.

Internal expectations for your organization

  • Mandatory communications: as in the GDPR, organizations need to inform data subjects of their rights under the LGPD, and this includes all of the above rights. These mandatory communications must either be in the privacy policy or presented at the time of collection of the personal data.
  • Meeting the rights of data subjects: as mentioned above, the LGPD requires organizations to accommodate the rights of data subjects. In addition, organizations need to have a process in place to serve data subjects who claim their rights.
  • Opt-out: The right to opt-out is not limited to any specific processing activity, but applies to any activity.
  • Legal grounds for data processing: the LGPD requires organizations to have a valid legal ground for processing personal data.
  • Data Protection Officer ("DPO"): The LGPD requires organizations to appoint a data protection officer.
  • Data transfer: under the LGPD, personal data may only be transferred to other countries that guarantee an adequate degree of protection (a list of such countries is yet to be published by the ANPD) or where there are relevant compliance guarantees (i.e., standard contractual clauses, specific contractual clauses, global corporate standards, codes of conduct and certification mechanisms). The LGPD is silent on compliance assurance mechanisms and requirements.
  • Cookie requirements: the LGPD is based on the risk model, similar to what is required of organizations for GDPR compliance. Organizations handling personal data are encouraged to implement security measures corresponding to the level of risk of their data processing activities.

Differences between LGPD and GDPR

The GDPR and the LGPD are very similar pieces of legislation. However, there are some differences between them. For example, the GDPR recognizes six lawful purposes for processing, while the LGPD has ten. On the other hand, the LGPD is more flexible in the balancing assessment for legitimate interest. In addition, the deadline for reporting security incidents differs between the two laws. Under the GDPR, controllers need to report them to the supervisory authorities within 72 hours, while the LGPD provides that such reporting must be made to the supervisory authority and the data subjects within a reasonable period of time. Finally, a major difference between the two laws is that the LGPD obliges organizations to appoint a data protection officer, while the GDPR does not impose this obligation on all controllers.

What will happen if I fail to comply with LGPD?

At the moment, ANPD enforcement will only begin as of August 1, 2021, when the provisions on administrative sanctions of the LGPD come into force. For organizations that violate the LGPD, there is provision for sanctions that may include fines of up to 2% of the legal entity's turnover in Brazil in the previous fiscal year, limited in total to R$50,000,000.00 per violation.

Considering that the ANPD has just been established, there are still many questions about how the authority will work in practice administering these sanctions.

Laerte Jr. Paludetto, DPO

Disclaimer

Disclaimer: This website is neither a comprehensive summary of the General Law on Data Protection ("LGPD") nor legal advice for your organization to comply with it. It only presents basic information to help you better understand the LGPD and how it may apply to your organization. This legal information is not equivalent to legal advice, where a lawyer applies the law to your specific circumstances. Therefore, you should consult a lawyer if you would like advice on your interpretation of this information or its accuracy. We do not recommend that you rely on this page as legal advice or as an endorsement of any legal understandings. While the LGPD has influences from the GDPR, organizations that already comply with the GDPR are not necessarily compliant with the LGPD. In addition, LGPD enforcement and regulations have not yet been finalized; therefore, TalkAll will continue to monitor the evolution of both LGPD and its regulations. TalkAll will continue to update this page as necessary.
