by Rony Vainzof and Caio César Carvalho Lima
After more than 8 years of debates in the civil society, the Brazilian General Data Protection Law (LGPD) was sanctioned on August 14, 2018. Therefore, in view of the 18-month waiting period, the legislation will come into full effect as of February, 2020.
Due to the sanctioning, Brazil now can count on a high level legislation in terms of personal data protection – greater than the current stage of sectoral treatment based on different legal provisions. Currently, there are over 30 legal provisions addressing the data protection subject, including the Internet Civil Framework; the Consumer’s Protection Code; the Access to Information Law and the Positive Registry Law, among others).
It’s worth mentioning, as regards jurisdiction, that all companies — despite their location — that treat or aim at Brazilian data will be subject to its provisions – as further detailed below. Another important provision is granted by Article 33 (I): cross-border data transfer will be made easier among countries that meet adequate data protection standards.
In general terms, data subjects will have greater control over the processing of their personal data (thus understood as any information that directly identifies a natural legal person, or could make a natural legal person identifiable), resulting in several obligations for controllers (those in charge of data treatment) and processors (those hired by controllers).