The Lei Geral de Proteção de Dados (LGPD) is a Brazilian privacy law, similar to the EU's GDPR, that went into effect in September 2020, with enforcement starting in August 2021. It regulates the collection, use, processing, storage, and transfer of the personal data of Brazilian data subjects.
The LGPD aims to strengthen the security and protection of personal data in Brazil. It is designed to furnish organizations with a consistent framework for collecting, processing, using, and sharing personal data within Brazil. The LGPD provides individuals with more control over how their personal data is being processed.
The LGPD applies to any public or private individual or business involved in personal data processing activities (collection, use, processing, storage, and transfer) carried out in Brazil, regardless of where the company is located.
The LGPD also applies to any individual whose personal data is collected while they are inside Brazil.
The LGPD does not apply to data processing carried out by a person for personal purposes; for journalistic, artistic, literary, or academic purposes; or for national security, national defence, public safety, or criminal investigation.
Despite similarities and the influence GDPR has had on Brazilian lawmakers, there are key differences between the LGPD and GDPR.
Both LGPD and GDPR require businesses and organizations to hire a Data Protection Officer (DPO). However, while the GDPR outlines when a DPO is required, Article 41 in the LGPD says, "The controller shall appoint an officer to be in charge of the processing of data," which suggests that any organization that processes the data of people in Brazil will need to hire a DPO.
The GDPR has six lawful bases for processing, and a data controller must choose one of them as the justification for using a data subject's information, while the LGPD lists 10 under Article 7.
Both the GDPR and the LGPD require organizations to report data breaches to the local data protection authority.
The GDPR says an organization must report a data breach within 72 hours of its discovery, while the LGPD states that organizations need to report within a reasonable timeframe defined by the national authority.
While GDPR violations can be fined up to €20 million or 4% of annual global revenue, whichever is higher, fines under the LGPD may reach up to 2% of the company's or economic group's revenue, capped at R$50 million per violation. In addition to fines, an organization may be subject to warnings, prohibitions, suspensions, and partial or total bans on performing its activities in Brazil.
Article 18 of the LGPD sets out the nine fundamental rights that data subjects have under the LGPD, including:
Vtiger provides the following options to a Data Subject to exercise their rights:
Vtiger tools help its customers respond to user requests to delete personal information.
Vtiger supports appropriate international data transfer mechanisms by executing Standard Contractual Clauses. Please contact [email protected] for a DPA.
Please note: some of the above features require a specific Vtiger edition or a subscription to Vtiger's Privacy Guard.
When you use Vtiger CRM, you can trust that your data is safe and that you always have the tools necessary to support your LGPD compliance.
To that end, we recommend learning about LGPD, then updating your policies, practices, and procedures to comply with it.