On 14 August 2018, the General Data Protection Law was passed in Brazil. It is the first comprehensive data protection legislation in the country, and is largely modelled on the European Union’s General Data Protection Regulation.
The General Data Protection Law provides for, amongst other things:
- An 18-month grace period before it will become effective on 14 February 2020.
- The establishment of a data protection authority to be known as the Autoridade Nacional de Proteção de Dados (ANPD).
- The legal bases on which personal data may be processed, such as where the data subject has consented to the processing or the processing is necessary for the performance of a contract.
- Data subject rights, including the right to obtain information regarding the processing of personal data, the right to access, rectify or delete personal data, the right to data portability, and the right to review automated decisions involving personal data.
- Restrictions on international data transfers, namely that international data transfers are permitted only if the transfer is to countries providing an adequate level of protection for personal data or if standard contractual clauses, global corporate standards, seals, certificates, or codes of conduct approved by the ANPD have been used.
Once the General Data Protection Law becomes effective in February 2020, non-compliance may result in Brazilian entities being fined up to 2% of their turnover for the preceding fiscal year, with a maximum cap of R$50 million (reais) per violation.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice.