General Data Protection Law

Murray Advogados

*Isabella Silva Machado



Law No. 13,709 of August 14, 2018, better known as the General Law for the Protection of Personal Data (“LGPD”), appears in the Brazilian legal system as an innovation in the scope of operation, operation and organization of personal data, thus introducing , high standard rules, able to protect individuals from possible invasions of privacy and sharing of personal data.

The present article, therefore, presents the main points that must be observed about the referred Law.


Article 1 of the LGPD establishes, in a succinct way, that the data processing and regulation brought by the Law aims to protect the fundamental rights of freedom and privacy of individuals, as well as seeks to ensure the free development of the personality of the natural person.

In this sense, the rules now established obey the principle of transparency and standardization, so that the user / consumer has full knowledge of how their personal data will be treated, ensuring that the rules will be applied in a unique and harmonious way, by all agents and controllers that act in the treatment and data collection.

The LGPD also aims to guarantee legal certainty in relations, in order to guarantee free competition, free initiative and the defense of commercial and consumer relations.

Therefore, given the guidelines and objectives of the standard, the need for adaptation on the part of companies and service providers remains evident, since they must standardize their policies for the collection, transmission and treatment of personal data, aiming at greater protection and transparency to users.


LGPD is able to regulate any activities involving the use of personal data, including through digital means, carried out by a natural or legal person under public or private law, from the country of its headquarters or the country where the data is located.

The Law also establishes the cases in which it can be applied extraterritorially:

  • The data processing operation is carried out in the national territory;
  • The processing activity aims at offering or providing goods or services or processing data from individuals located in the national territory;
  • Personal data, object of the treatment, have been collected in the national territory.

Furthermore, it will not only be the technology companies that are affected by the LGPD, but any and all companies that deal, in any way, with personal data, whether stored digitally or physically.

In the same way, data processing outsourcing operations, such as cleaning or enriching the database with addresses or purchase profiles, will also characterize the provider as an operator.


Personal Data and Sensitive Personal Data

The LGPD brings, in its art. 5, several definitions necessary for the full understanding of data processing.

The most important definitions are “Personal Data” and “Sensitive Personal Data”, which are, respectively, information related to an identified or identifiable natural person and personal data about racial or ethnic origin, religious belief, political opinion, affiliation to union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person.

Data Subjects Right

As a result of the new regulation, individuals with personal data are guaranteed the right to set limits for their data to be used. Thus, individuals will have the right to know the purpose of the treatment of their data, the form and duration and who will be the controller of their data.

Still, art. 18 of the LGPD brings other rights, namely:

  • Confirmation of the existence of treatment;
  • Access to data;
  • Correction of incomplete, inaccurate or outdated data;
  • Anonymization, blocking or elimination of unnecessary, excessive or non-compliant data as provided in this Law;
  • Data portability to another service or product supplier, upon express request, in accordance with the regulations of the national authority, subject to commercial and industrial secrets;
  • Elimination of personal data processed with the consent of the holder, except in the cases provided for in Article 16 of this Law;
  • Information from public and private entities with which the controller shared data use;
  • Information about the possibility of not giving consent and about the consequences of the refusal; and
  • Revocation of consent, pursuant to §5 of art.8 of this Law.


In case of non-compliance with the LGPD forecasts, the company will be subject to administrative penalties ranging from a warning to a fine of up to 2% (two percent) of the billing, limited to R$ 50.000.000,00 (fifty million reais) for infringement.

However, in cases where the company wishes to exempt itself from liability, they must prove that they have not carried out the processing of personal data that is attributed to them that the damage is due to the exclusive fault of the data owner or third party or that although they have carried out the processing of personal data attributed to them, there was no violation of data protection legislation.


On the subject, it is important to note that Law Project 5.762/19 extends the majority of the LDPG for two years, passing, therefore, from August 2020 to August 2022.

The Project is currently being processed in the Chamber of Deputies nd will be analyzed by the Constitution and Justice and Citizenship Commission and will later go to the Plenary.