Brazil’s General Data Protection Law (LGPD)

Are your prepared for the LGPD?

Sign Up Now

The Brazilian General Data Protection Law (LGPD) was unanimously approved on July 10, 2018 and will go into effect in August 2020. The LGPD carries many similarities with the EU’s General Data Protection Regulation (GDPR), however, it is leaner in comparison.

In terms of territorial scope, the LGPD applies to all companies offering goods or services to data subjects in Brazil, regardless of where they are located.

Sanctions under the LGPD can reach fifty million reais (roughly $12.9 million USD) or even total prohibition of processing.


Consent & Right to Opt Out

Similar to the GDPR, the LGPD qualifies consent as freely given, informed and unambiguous indication of the data subjects’ agreement for processing data as a general rule. The LGPD empowers data subjects with meaningful control and choice regarding their personal information. For example, the information should be clear, adequate, easily accessible and transparent by which data subjects should be properly informed about the processing of their personal data.

Consent must be provided by the data holder in writing or by other means that demonstrate the data holder’s will. Consent must be specific to particular purposes and can be withdrawn by the data holder at any time.

How CookiePro Helps:

  • Collect consent through any medium, including online web forms and mobile apps.
  • Track consent and allow data holders the right to opt out.
  • Develop granular collection methods to ensure that consent is specific to the purpose for which it was provided.
  • Build trust and build a preference center tailored to your brand and use case to give data holder’s control over their right to opt out.

Right of Information

If a data holder submits a request, the controller must respond with the confirmation of the existence of data processing operations. This must happen:

  1. Either immediately with a simplified format of the information, or
  2. In 15 days by means of a clear and complete declaration that includes:
    • The origin of the data
    • The criteria used for the processing
    • Purpose of processing
    • Form and duration of treatment
    • Identity of the controller
    • Controller contact information
    • Information shared with other entities and the purpose of the sharing
    • Responsibilities of the processors carrying out the processing
    • The rights of the data holder with explicit reference to Article 8 of the LGPD.

How CookiePro Helps:

  • Handle the data holder request lifecycle in an effective and compliant manner.
  • Create tailorable holder request intake forms, verify holder identity, configure deadlines, assign tasks, leverage multilingual response templates, and communicate securely with holders through an encrypted messaging portal.
  • Demonstrate compliance, maintain records of all holder requests and interactions.
  • Use organizational hierarchies and roles-based access controls to develop region-specific workflows and controls specific to the LGPD.

Right of Access

Personal data of the data holder must be stored in a format favoring the exercise of the right of access and only provided on receipt of a “verifiable consumer request.” The data holder determines whether the data will be provided electronically or in paper form. For processing based on contract or consent, a data holder may request a full electronic copy of his or her personal data in a format allowing its processing.

How CookiePro Helps

  • Capture verifiable Consumer Requests through customizable intake forms on your website using CookiePro’s Data Subject Rights tool
  • Pinpoint where an individual’s personal data resides and how it is used
  • Locate where the data is located by searching through your data inventory