The General Data Protection Act of Brazil (known as “LGPD”) was published in August 2018 and substantially alters the way data collection and treatment are performed in Brazil.
Inspired by the European regulation (General Data Protection Regulation – GDPR), the LGPD, with few exceptions, will apply to any practice that processes personal data in Brazil and will have extraterritorial application. Any foreign company that has at least a branch in Brazil, or offers services to the Brazilian market, and collects and treats personal data of data subjects located in the country, will be subject to the law.
Although the LGPD is still not in force, since its publication one year ago, several changes were proposed and some changes were recently approved by the Law No. 13,853/2019. One of the main changes brought by such Law enacted in July 2019 was the creation of the National Data Protection Authority (“ANPD”), a public administration body responsible for overseeing, implementing and enforcing sanctions, as well as for the compliance with matters related to the personal data protection throughout the national territory.
The LGPD will become effective in August 2020, thus companies have only 12 months to adjust their internal structure to ensure compliance with the Law, which includes adjusting their HR procedures related to data collection and treatment.