Companies that collect or process personal data in Brazil — or from consumers in the country — should be familiar with the Brazilian General Data Protection Law (LGPD), which has been the country’s main legislation on the matter since 2020. Specifically, you should note that the law could have international reach, even if your company was not established in Brazil and does not directly operate in the country. Although applicability is analyzed on a case-by-case basis, we have drafted a Q&A to help gauge your compliance obligations. Here is some background information on the law, as well as six key scenarios to review.
The Basics for Foreign Businesses
The LGPD applies to personal data, which is defined as “information regarding an identified or identifiable natural person.” It lays out the rules on data processing, ensuring appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss.
Moreover, the LGPD establishes the principles and legal grounds for data processing in Brazil, the data subjects’ rights, the processing agents’ obligations, and the sanctions and fines for noncompliance. It also creates the National Data Protection Authority, which is responsible for providing additional rules on the law.
According to the LGPD, companies need to comply if they conduct the following activities:
• Personal data processing operations in Brazil;
• Processing personal data collected in Brazil; or
• Personal data processing activities aimed at offering or providing goods or services to individuals in a Brazilian territory or processing personal data of individuals in a Brazilian territory.
So, what does this mean for your business? Read on for some examples of when you may have compliance obligations under the LGPD.
Does the Brazilian Data Privacy Law Apply to You? 6 Scenarios to Consider
1. My company hires a small number of employees in Brazil through a PEO/EOR to perform services for our clients outside Brazil. We do not otherwise have business operations in Brazil.
If your company has at least one employee working in Brazil, even remotely, it will be included in the scope of the LGPD because the company is processing personal data of an individual located in a Brazilian territory.
2. My company has several independent contractors in Brazil who serve our clients outside Brazil.
The LGPD will probably be applicable in this case. If your company has at least one individual working as an independent contractor from Brazil, even remotely, it will be included in the scope of the LGPD for the same reason explained above.
Even if all your independent contractors in Brazil are business entities, your company will still likely process some personal data provided by these contractors regarding their own employees or subcontractors, for example, such as full names, phone numbers, and email addresses. Hence, your company would still need to comply with the LGPD.
3. My company hires employees or independent contractors who are originally from Brazil, but they do not live in Brazil anymore. We do not otherwise have employees or contractors in Brazil, and we do not do business in the country.
The LGPD may still apply to your company. If at least one of these employees or independent contractors was in Brazil when you collected their data, your company may be included in the scope of the LGPD because you are processing personal data that was collected in a Brazilian territory.
4. My company does not have any employees or contractors in Brazil, but we market our products/services to Brazilian customers.
If a company sells its goods or provides its services to individuals in Brazil, it will be included in the scope of the LGPD because the company is processing personal data aimed at offering or providing goods or services and processing data of individuals in Brazilian territories.
5. My company provides its products/services only online, through its website, a marketplace and/or an app store. We do not have an establishment in Brazil.
If a company sells its goods or provides its services to individuals in Brazil, it will be included in the scope of the LGPD regardless of how these services or goods are being sold or provided.
6. My company provides products/services only to businesses in Brazil (meaning we are a B2B operation).
The LGPD will probably be applicable to your business. Even if your company is B2B, it will likely come across and process some personal data provided by its clients regarding their own employees or contractors, for example, such as a person’s full name, phone number, and email address. Hence, your company would need to comply with the LGPD, even if it may be deemed a “processor” while the Brazilian business is considered the “controller”.
Beware of Penalties
After an initial period of developing its own structure and personnel, the National Data Protection Authority started enforcing fines and penalties in 2023. The administrative sanctions that might be applied range from a simple warning to the partial or full suspension or prohibition of the activities related to the noncompliant data processing.
The Authority can also enforce simple fines of up to 2% of a company’s revenue in Brazil for the prior financial year, up to a total maximum of 50 million Brazilian Reais (approximately $10 million USD) per infraction, as well as daily fines, limited to the same maximum as the simple fines.
What Should You Do If the LGPD Applies to Your Business?
Understanding and adhering to the Brazilian General Data Protection Law is crucial for foreign companies engaging in any form of business activity that touches upon Brazilian territory, be it through employees, contractors, or online commerce. With the global digital economy’s interconnectedness, it’s essential for foreign businesses to recognize the extraterritorial reach of laws like the LGPD.
Ensuring compliance not only mitigates legal risks but also enhances your company’s reputation for respecting data privacy, which is a growing concern for consumers and business partners worldwide.
If you think the LGPD may apply to your business, you should work with experienced counsel to create a compliance plan and consider taking the following actions:
• Review and update your agreements with clients, contractors, and employees to ensure compliance with the LGPD;
• Map and register the personal data that is being processed; and
• Assess the need to hire a Data Protection Officer.
If you require any assistance related to LGPD compliance in Brazil, our team is available for further clarification, as well as to advise on the procedures for complying with the regulatory obligations of the LGPD before the Brazilian DPA.
Gustavo Flausino Coelho – email@example.com
Fernando Naegele – firstname.lastname@example.org
Special thanks to Nan Sato of Fisher & Phillips for co-authoring this article.