LGPD – Brasil‘s version of GDPR

Similarities and differences between the GDPR and the LGPD

Impacted from the EU’s General Data Protection Regulation, the Brazil’s Lei Geral de Proteção de Dados (or LGPD) attempts to unify the over 40 different statutes that currently govern personal data, both online and offline, by replacing certain regulations and supplementing others.

Very important aspect of the LGPD is that it applies to any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located. So, before the law comes into effect, you should begin preparing for LGPD compliance, if your company has any customers or clients in Brazil. Related to this topic, our GDPR extension is currently being prepared and will go online in a short time.

What is similar between the GDPR and the LGPD?

The LGPD and the GDPR have two main basic similarities according to the data protection: personal data and data subject rights, which are in addition to the extraterritorial application.

GDPR Article 4, the GDPR gives the following exact definition for “personal data”:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Compared with that, the LGPD does not have a single definition, but states in various places that personal data can mean any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment.

Another similarity that the LGPD has with the GDPR is the explanation of the fundamental rights that data subject have.

Nine data subject rights

  • The right to confirmation of the existence of the processing;
  • The right to access the data;
  • The right to correct incomplete, inaccurate or out-of-date data;
  • The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
  • The right to the portability of data to another service or product provider, by means of an express request
  • The right to delete personal data processed with the consent of the data subject;
  • The right to information about public and private entities with which the controller has shared data;
  • The right to information about the possibility of denying consent and the consequences of such denial; and
  • The right to revoke consent. 

It seems that this section of LGPD (Article 18) is based very closely on the eight fundamental rights of the GDPR, but it splits “The right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “Right to be informed” to make it more explicit.