Brazilian General Data Protection Law
(Translation for general reference only)
CHAPTER I
PRELIMINARY PROVISIONS
Art. 1
This Law provides for the processing of personal data, including by digital means, by a natural person or a legal entity of either public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
Sole paragraph. The general provisions of this Law are of national interest and must be observed by the Federal Union, States, Federal District and Municipalities. (by Law No. 13,853/2019)
Art. 2
The discipline of personal data protection is grounded on the following:
I – respect for privacy;
II – informational self-determination;
III – freedom of expression, information, communication and opinion;
IV – inviolability of intimacy, honor and image;
V – economic and technological development and innovation;
VI – free enterprise, free competition and consumer defense;
VII – human rights, free development of personality, dignity and exercise of citizenship by natural persons.
Art. 3
This Law applies to any processing operation carried out by a natural person or a legal entity of either public or private law, irrespective of the means, the country in which its headquarters are located or the country where the data are located, provided that:
I – the processing operation is carried out in the national territory;
II – the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located on the national territory; or (New Wording Given by Law No. 13,853/2019)
III – the personal data being processed were collected in the national territory.
§1 Data collected in the national territory are considered to be those whose data subject is in the national territory at the time of collection.
§2 Data processing as provided in item IV of the lead sentence of Art. 4 of this Law is exempted from the provisions of item I of this article.
Art. 4
This Law does not apply to the processing of personal data that:
I – is done by a natural person exclusively for private and non-economic purposes;
II – is done exclusively:
a) for journalistic and artistic purposes; or
b) academic purposes, with Arts. 7 and 11 of this Law being applicable in these cases;
III – is done exclusively for purposes of:
a) public safety;
b) national defense;
c) state security; or
d) activities of investigation and prosecution of criminal offenses; or
IV – have their origin outside the national territory and are not the object of communication, shared use of data with Brazilian processing agents or the object of international transfer of data with another country that is not the country of origin, since the country of origin provides a level of personal data protection adequate to that established in this Law.
§1 Processing of personal data as provided in item III shall be governed by specific legislation, which shall provide proportional and strictly necessary measures for fulfilling the public interest, subject to due legal process, the general principles of protection and the rights of the data subjects as provided in this Law.
§2 Processing of the data referred to in item III of the lead sentence of this article is forbidden for a legal entity of private law, except in procedures under the authority of a legal entity of public law, of which the national authority shall be specifically informed and which shall observe the limitation imposed in §4 of this article.
§3 The national authority shall issue technical opinions or recommendations regarding the exceptions provided in item III of the lead sentence of this article, and shall request of the responsible parties a data protection impact assessment.
§4 Under no circumstances may the entirety of the personal data in a database, as provided in item III of the lead sentence of this article, be processed by a legal entity of private law, unless its capital is integrally held by public entities. (New Wording Given by Law No. 13,853/2019)
Art. 5
For purposes of this Law, the following definitions apply:
I – personal data: information regarding an identified or identifiable natural person;
II – sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person;
III – anonymized data: data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing;
IV – database: a structured set of personal data, kept in one or several locations, in electronic or physical support;
V – data subject: a natural person to whom the personal data that are the object of processing refer;
VI – controller: natural person or legal entity of either public or private law in charge of making the decisions regarding the processing of personal data;
VII – processor: natural person or legal entity of either public or private law that processes personal data in the name of the controller;
VIII – data protection officer: person named by the controller and processor to act as a channel of communication between the controller, the subjects of such data and the National Data Protection Authority (ANPD); (New Wording Given by Law No. 13,853/2019)
IX – processing agents: the controller and the processor;
X – processing: any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction;
XI – anonymization: use of reasonable and available technical means at the time of the processing, through which data lose the possibility of direct or indirect association with an individual;
XII – consent: free, informed and unambiguous manifestation whereby the data subject agrees to the processing of her/his personal data for a given purpose;
XIII – blocking: temporary suspension of any processing operation, by means of retention of the personal data or the database;
XIV – deletion: exclusion of data or a set of data stored in a database, irrespective of the procedure used;
XV – international data transfer: transfer of personal data to a foreign country or to an international entity of which the country is a member;
XVI – shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared processing of banks of personal data by public agencies and entities, in compliance with their legal capabilities, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing allowed by these public entities, or among private entities;
XVII – data protection impact assessment [1]: documentation from the controller that contains the description concerning the proceedings of the personal data processing that could pose risks to civil liberties and fundamental rights, as well as measures, safeguards and mechanisms to mitigate said risk;
XVIII – research body: body or entity from the direct or indirect public administration or nonprofit legal entity of private law, legally organized under the Brazilian law, with headquarters and jurisdiction in the Country. This body or entity includes in its institutional mission, in its corporate or statutory purposes basic or applied research of historical, scientific, technological or statistical nature; and (New Wording Given by Law No. 13,853/2019)
XIX – national authority: body of the public administration responsible for supervising, implementing and monitoring the compliance with this Law in all national territory. (New Wording Given by Law No. 13,853/2019)
[1] The LGPD uses the expression “relatório de impacto” (impact report) instead of “impact assessment”. However, considering that Data Protection Impact Assessment is the regular expression in laws of data protection, we chose to translate “relatório de impacto à proteção de dados pessoais” as “data protection impact assessment” (Translator’s Note).
Art. 6
Activities of processing of personal data shall be done in good faith and be subject to the following principles:
I – purpose: processing done for legitimate, specific and explicit purposes of which the data subject is informed, with no possibility of subsequent processing that is incompatible with these purposes;
II – adequacy: compatibility of the processing with the purposes communicated to the data subject, in accordance with the context of the processing;
III – necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering data that are relevant, proportional and non-excessive in relation to the purposes of the data processing;
IV – free access: guarantee to the data subjects of facilitated and free of charge consultation about the form and duration of the processing, as well as about the integrity of their personal data;
V – quality of the data: guarantee to the data subjects of the accuracy, clarity, relevancy and updating of the data, in accordance with the need and for achieving the purpose of the processing;
VI – transparency: guarantee to the data subjects of clear, precise and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy;
VII – security: use of technical and administrative measures which are able to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
VIII – prevention: adoption of measures to prevent the occurrence of damages due to the processing of personal data;
IX – nondiscrimination: impossibility of carrying out the processing for unlawful or abusive discriminatory purposes; and
X – accountability: demonstration, by the data processing agent, of the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures.