General Data Protection Law

Murray Advogados

*Isabella Silva Machado



Law No. 13,709 of August 14, 2018, better known as the General Law for the Protection of Personal Data (“LGPD”), appears in the Brazilian legal system as an innovation in the scope of operation, operation and organization of personal data, thus introducing , high standard rules, able to protect individuals from possible invasions of privacy and sharing of personal data.

The present article, therefore, presents the main points that must be observed about the referred Law.


Article 1 of the LGPD establishes, in a succinct way, that the data processing and regulation brought by the Law aims to protect the fundamental rights of freedom and privacy of individuals, as well as seeks to ensure the free development of the personality of the natural person.

In this sense, the rules now established obey the principle of transparency and standardization, so that the user / consumer has full knowledge of how their personal data will be treated, ensuring that the rules will be applied in a unique and harmonious way, by all agents and controllers that act in the treatment and data collection.

The LGPD also aims to guarantee legal certainty in relations, in order to guarantee free competition, free initiative and the defense of commercial and consumer relations.

Therefore, given the guidelines and objectives of the standard, the need for adaptation on the part of companies and service providers remains evident, since they must standardize their policies for the collection, transmission and treatment of personal data, aiming at greater protection and transparency to users.


LGPD is able to regulate any activities involving the use of personal data, including through digital means, carried out by a natural or legal person under public or private law, from the country of its headquarters or the country where the data is located.

The Law also establishes the cases in which it can be applied extraterritorially:

  • The data processing operation is carried out in the national territory;
  • The processing activity aims at offering or providing goods or services or processing data from individuals located in the national territory;
  • Personal data, object of the treatment, have been collected in the national territory.

Furthermore, it will not only be the technology companies that are affected by the LGPD, but any and all companies that deal, in any way, with personal data, whether stored digitally or physically.

In the same way, data processing outsourcing operations, such as cleaning or enriching the database with addresses or purchase profiles, will also characterize the provider as an operator.


Personal Data and Sensitive Personal Data

The LGPD brings, in its art. 5, several definitions necessary for the full understanding of data processing.

The most important definitions are “Personal Data” and “Sensitive Personal Data”, which are, respectively, information related to an identified or identifiable natural person and personal data about racial or ethnic origin, religious belief, political opinion, affiliation to union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person.

Data Subjects Right

As a result of the new regulation, individuals with personal data are guaranteed the right to set limits for their data to be used. Thus, individuals will have the right to know the purpose of the treatment of their data, the form and duration and who will be the controller of their data.

Still, art. 18 of the LGPD brings other rights, namely:

  • Confirmation of the existence of treatment;
  • Access to data;
  • Correction of incomplete, inaccurate or outdated data;
  • Anonymization, blocking or elimination of unnecessary, excessive or non-compliant data as provided in this Law;
  • Data portability to another service or product supplier, upon express request, in accordance with the regulations of the national authority, subject to commercial and industrial secrets;
  • Elimination of personal data processed with the consent of the holder, except in the cases provided for in Article 16 of this Law;
  • Information from public and private entities with which the controller shared data use;
  • Information about the possibility of not giving consent and about the consequences of the refusal; and
  • Revocation of consent, pursuant to §5 of art.8 of this Law.


In case of non-compliance with the LGPD forecasts, the company will be subject to administrative penalties ranging from a warning to a fine of up to 2% (two percent) of the billing, limited to R$ 50.000.000,00 (fifty million reais) for infringement.

However, in cases where the company wishes to exempt itself from liability, they must prove that they have not carried out the processing of personal data that is attributed to them that the damage is due to the exclusive fault of the data owner or third party or that although they have carried out the processing of personal data attributed to them, there was no violation of data protection legislation.


On the subject, it is important to note that Law Project 5.762/19 extends the majority of the LDPG for two years, passing, therefore, from August 2020 to August 2022.

The Project is currently being processed in the Chamber of Deputies nd will be analyzed by the Constitution and Justice and Citizenship Commission and will later go to the Plenary.


Government wants to give power to BC to participate in leniency deals

The leniency agreement stipulated in Provisional Measure (MP) 784, which increased the punitive powers of the Central Bank (BC) and of the Securities and Exchange Commission of Brazil (CVM), exclusively reaches administrative infractions committed by agents of the financial system and of the capital markets. To encompass criminal conducts, such as money laundering and corruption, the government may submit a bill or an amendment to the provisional measure already being considered in Congress stipulating the joint action of the Federal Public Ministry (MPF, the public prosecutors’ office), the BC and the CVM. Only the MPF has the prerogative of criminal prosecution.

The prosecutor general of the Central Bank, Cristiano Cozer, explained: “The leniency agreement with the BC only covers administrative infractions, not crimes. It wouldn’t make sense an offender to sign agreement only with the BC, because it would need to confess and run the risk of responding to criminal charge filed by the Public Ministry. Much less in cases of facts prior to the issuance of MP 784, when the fine was [and continues being] of at most R$250,000.”

Issued last week, the measure has been object of criticism by the MPF and of mistaken interpretations either in relation to its content or to the timing of its publication.

The BC attributes this noise to the climate of “animosity” now sweeping the country. This would be the reason to identify the publication of MP 784 with the expected plea bargain of ex-Finance Minister Antonio Palocci, involving players of the financial system, and with the investigations of insider trading that would have produced gains for JBS on the forex and interest markets.

Yet the measure has no guarantee of retroactive effect. In reality, there are two hypotheses. In the punitive law, new rules retroact only in benefit of the defendant. In the procedural law, the new legislation will be retroactive depending on the state in which the proceeding is. In that context, there will be a discretionary analysis of each case presented to the BC.

The provisional measure innovates by typifying the administrative infractions until then addressed only by resolutions of the National Monetary Council (CMN). For not being described in law, the Superior Court of Justice (STJ) was overturning administrative penalties imposed by the BC on the financial system. The MP describes 17 illegal actions that go from posing constraints to the BC supervision to providing incorrect information and data, acting as administrator of financial institution without prior BC approval, structuring transactions without economic grounds or misappropriating funds of third parties.

This description will not solve the stock of financial-system cases that is in the judiciary, but with it the STJ may consolidate a jurisprudence, public-sector lawyers reckon.

The provisional measure, in this sense, is structural. And the introduction of the leniency agreement is, in the view of the monetary authority, only an “appendix” to the new legislation.

The discussion on the terms of MP 784, which also updates the values of fines imposed on the financial system in case of infraction, is a recommendation of the G-20 and had beginning at the Central Bank in 2010, in the preparatory evaluation of the Financial Sector Assessment Program (FSAP) of the Basel Accord. The bill was sent to the Office of the Chief of Staff in the second term of Dilma Rousseff (Workers’ Party, PT). With the change of government, it returned to the BC and was taken as part of the “BC Plus” agenda at the end of 2016 by its president, Ilan Goldfajn.

In July there will be new FSAP evaluation, made by the IMF and World Bank, with impacts on the country’s rating and risk premium. Because of that, the BC opted for issuing a provisional measure, a faster initiative, abandoning the original idea of a bill.

The country was not appearing well on the picture of the international organisms, one government official says, for having a legislation of administrative proceedings dated of 1964, when law 4,595, which created the Central Bank, was enacted. The values of the fines imposed on the financial system were frozen since the 1990s at a maximum of R$250,000, value that MP 784 raised to as much as R$2 billion.

The terms of the provisional measure were inspired in the legislation of the Administrative Council of Economic Defense (Cade), even making use of its instruments, such as the leniency agreement, the terms of commitment and the cautionary measures. BC and CVM thus start to invest more in the intelligence activity, with more investigative capacity.

Administrative wrongdoing committed before the publication of MP 784 are likely to be punished with the fines existing until then, of R$250,000, charged by the BC, and of up to R$500,000, imposed by the CVM. Because of these small sums, there is no expectation that individuals or financial institutions will approach the BC and the CVM to make leniency agreements without crime. The most probable is that whoever committed crime will directly seek an agreement with the Public Ministry and, with that done, will go to the BC or the CVM to settle the accounts of potential administrative infractions committed.

On June 12, the BC released an official note in which rebuts sharp criticism made by prosecutors in stories and articles published in the press during the weekend. The note attests that the measure “in nothing alters or interferes in the capacity of investigation and substantiation of criminal wrongdoing of the Public Ministry. Nor does it alter the legal duty of the BC and of the CVM of communicating indications of crime to the MPF.” It is common for the Central Bank to act as an assistant of the accusation in proceedings it sends to MPF investigation and to lend analysts to help clarify the nature of infractions committed. It also says that the urgency of the provisional measure comes from the evaluation of Brazil in the FSAP, which begins next month.

The proposal of updating the legislation was widely announced and released in Agenda BC+ and, therefore, “the MP has no relation with rumors of plea deals that emerged later and whose content is unknown.”

Source: Valor Econômico