LGPD Statement

FAQ

The Lei Geral de Proteção de Dados (LGPD) is a Brazilian privacy law, similar to the EU GDPR, that went into effect in September 2020, with enforcement starting in August 2021. It regulates the collection, use, processing, storage, and transfer of the personal data of data subjects in Brazil.

The LGPD aims to strengthen the security and protection of personal data in Brazil. It is designed to furnish organizations with a consistent framework for collecting, processing, using, and sharing personal data within Brazil. The LGPD provides individuals with more control over how their personal data is being processed.

The LGPD applies to any public or private individual or business involved in personal data processing activities (collection, use, processing, storage, and transfer) carried out in Brazil, regardless of where the company is located.

The LGPD also applies to any individual whose personal data is collected while they are inside Brazil.

The LGPD does not apply to data processing carried out by a person for personal purposes; for journalistic, artistic, literary, or academic purposes; or for national security, national defence, public safety, or a criminal investigation.

Despite the similarities and the influence the GDPR has had on Brazilian lawmakers, there are key differences between the LGPD and the GDPR.

1. Appointing a Data Protection Officer

Both the LGPD and the GDPR require businesses and organizations to appoint a Data Protection Officer (DPO). However, while the GDPR specifies when a DPO is required, Article 41 of the LGPD says, "The controller shall appoint an officer to be in charge of the processing of data," which suggests that any organization that processes the data of people in Brazil will need to appoint a DPO.

2. Legal basis for processing data.

The GDPR has six lawful bases for processing, and a data controller must choose one of them as the justification for using a data subject's information, while the LGPD lists ten under Article 7:

  1. With the consent of the data subject;
  2. To comply with a legal or regulatory obligation of the controller;
  3. To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
  4. To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
  5. To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
  6. To exercise rights in judicial, administrative or arbitration procedures;
  7. To protect the life or physical safety of the data subject or a third party;
  8. To protect health, in a procedure carried out by health professionals or by health entities;
  9. To fulfil the legitimate interests of the controller or a third party, except when the data subject's fundamental rights and liberties, which require personal data protection, prevail; or
  10. To protect credit (referring to a credit score).

3. Reporting data breaches

Both the GDPR and the LGPD require organizations to report data breaches to the local data protection authority.

The GDPR says an organization must report a data breach within 72 hours of its discovery, while the LGPD states that organizations need to report within a reasonable timeframe defined by the national authority.

4. Fines

While GDPR fines can reach €20 million or 4% of annual global revenue, whichever is higher, LGPD fines may reach up to 2% of the company's or economic group's revenue, up to a limit of R$50 million per violation. In addition to fines, an organization may be subject to warnings, prohibitions, suspensions, and partial or total bans on performing its activities in Brazil.

1. Data subject rights

Article 18 of the LGPD sets out the nine fundamental rights that data subjects have under the law:

  1. The right to confirmation of the existence of the processing
  2. The right to access the data
  3. The right to correct incomplete, inaccurate, or out-of-date data
  4. The right to anonymize, block or delete unnecessary or excessive data or data not being processed in compliance with the LGPD
  5. The right to delete personal data processed with the consent of the data subject
  6. The right to the portability of data to another service or product provider, through an express request
  7. The right to information about public and private entities with which the controller has shared data
  8. The right to information about the possibility of denying consent and the consequences of such denial
  9. The right to revoke consent

Vtiger provides the following options to a Data Subject to exercise their rights:

  • Vtiger helps data subjects access their data, correct inaccurate data, and import and export their data from Vtiger.
  • Vtiger customers may access, import, and export their Customer Data using the CRM application.
  • Data subjects may revoke their consent, opt out of promotional emails, or request the deletion of their personal information, such as names, email addresses, and phone numbers (this request is irreversible). Vtiger may terminate any and all active services that the data subject has subscribed to in order to fulfil the data deletion request.

Vtiger tools help its customers respond to user requests to delete personal information.

2. Data Transfer Mechanisms

Vtiger supports appropriate international data transfer mechanisms by executing Standard Contractual Clauses. Please contact [email protected] for a DPA.

3. Data Security and Compliance

  1. Vtiger Cloud uses Amazon Web Services (AWS) infrastructure to host your data. Vtiger maintains strict administrative, technical, and physical procedures to protect information stored on its servers. We use industry-standard Secure Sockets Layer (SSL) encryption technology to safeguard the account registration process and sign-up information.
  2. Other security safeguards include, but are not limited to, data encryption, firewalls, and physical access controls to buildings and files. We implement various security measures to maintain the safety of your personal information and the data you store in your account. Access to your name and email address is restricted to Vtiger employees. Data stored in your account is accessed by the Vtiger team only when performing migration or support services.
  3. All supplied sensitive/credit information is transmitted via Secure Sockets Layer (SSL) technology and then stored encrypted in our payment gateway provider's database, accessible only to those authorized with special access rights to such systems, who are required to keep the information confidential. After a transaction, Vtiger will not store your private information (credit cards, social security numbers, financials, etc.) on our servers.
  4. At Vtiger, your data privacy and security are of prime importance to us. While we implement safeguards designed to protect your information, no security system is impenetrable, and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others. If you use our services or websites, responsibility for securing storage and access to the information you submit rests with you and not Vtiger. We strongly recommend that server or data centre users configure SSL to prevent interception of data transmitted over networks and restrict access to databases and other storage points.
  5. Vtiger uses sub-processors to process your data. Please see Vtiger's sub-processors list.
  6. To that end, we are ISO 27001:2013 certified. If you have any concerns regarding the security of your data, please write to us at [email protected] with any questions. Visit our Security Center page to learn more about our approach to security.

Vtiger also provides the following privacy features:
  • Persistent disk-level encryption
  • Automate the request, collection, and use of consents from leads and contacts
  • Encrypt lead and contact fields at rest
  • Audit user access and modification of encrypted data
  • Double opt-in mechanisms for email marketing

Please note: some of the above features require a specific tier of Vtiger or a subscription to Vtiger's Privacy Guard.

When you use Vtiger CRM, you can trust that your data is safe and that you always have the tools necessary to support your LGPD compliance.

To that end, we recommend learning about LGPD, then updating your policies, practices, and procedures to comply with it.