Primer on the LGPD: the Brazilian Data Protection Law (Part II)
Following a period of uncertainty regarding its effective date, Brazil’s General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), originally passed in August of 2018, took effect on September 18, 2020.
With approximately a third of Latin America’s population, Brazil is the region’s largest telecom market, the largest regional market for software outsourcing, and has had a growing IT market even through the COVID pandemic. As the two largest economies in the Western Hemisphere, the United States and Brazil have enjoyed a robust trade relationship, with American companies expanding their footprint in Brazil and vice versa.
The LGPD creates a new legal framework for the use of personal data in Brazil, replacing and/or supplementing a sectoral regulatory framework. The law, largely modeled on the European Union’s GDPR, deals with the concept of personal data, lists the legal bases that authorize its use, and provides various rights to data subjects. Given the LGPD’s broad jurisdictional scope and applicability, it will likely affect most U.S. companies doing business with the Latin American market.
In this Part II of the Primer on the LGPD, we’ll discuss data subject rights and requests under the new Brazilian law.
Overview of Data Subject Rights under the LGPD
Under the LGPD, data subjects have the following rights: (1) confirmation of the existence of processing; (2) access to the data; (3) correction of incomplete, inaccurate, or out-of-date data; (4) anonymization, blocking, or deletion of unnecessary or excessive data or data processed in noncompliance with the law; (5) portability; (6) deletion of data processed with the consent of the data subject; (7) information about public and private entities with which the controller shared data; (8) information about the possibility of denying consent and consequences of such denial; and (9) revocation of consent.
In addition, data subjects have a right to request review of decisions made solely based on automated processing of personal data affecting their interests, including decisions intended to define their personal, professional, consumer, and credit profile, or aspects of their personality.
Furthermore, individuals have a right to know information concerning processing of their data, which must be disclosed in the organization’s privacy notice in a “clear, adequate, and ostensible manner,” including the specific purpose of the processing, the type and duration of processing, identification of a controller, the controller’s contact information, information regarding the shared use of data by the controller and the purpose for sharing, the responsibilities of the agents that will carry out the processing, and the data subject rights.
Data Subject Requests
Under the LGPD, data subjects can exercise their rights by making an express request – directly or through a legally authorized representative – to a data controller or processor.
The LGPD provides two ways for organizations to fulfill data subject requests for confirmation of existence of or access to personal data: (1) immediately, in a simplified format or (2) within 15 days from the request, with a clear and complete declaration that indicates the origin of the data, the nonexistence of record, and the criteria used and the purpose of the processing.
Notably, the LGPD requires the fastest turnaround for responses to data subject access requests among the major privacy regulations: 15 days with no extensions of time allowed. By comparison, the GDPR allows for up to a two-month extension of the initial one-month response period, while the California Consumer Privacy Act permits businesses to extend the response period up to 90 days when necessary. Time periods for responding to other LGPD requests will be specified in future regulations.
Controllers would need to immediately inform their processors of any correction, deletion, anonymization or blocking of personal data, so that the processors can perform the identical action on the personal data on their end.
In the next article in the Primer on the LGPD series, we’ll discuss the obligations of data controllers and processors under the new Brazilian law.