Protecting customer data and privacy is a fundamental and essential requirement of running a business. In May 2018, we saw the introduction of the European data privacy law known as the General Data Protection Regulation (GDPR). Shortly thereafter, in August 2018, a similar privacy law in Brazil known as the Lei Geral de Proteção de Dados (“LGPD”) was introduced. The LGPD requires organizations to comply with requirements related to processing of personal data as well as sensitive personal data.
While the LGPD is leaner than GDPR, there are a lot of similarities. On this page, we'll walk you through the basics of the LGPD, how the law relates to HubSpot customers, and how HubSpot is helping customers prepare for the law. As further guidance to the LGPD comes into effect, we'll continue to update this page as necessary.
Feeling underprepared? Don’t worry. HubSpot has a number of features that will help customers navigate this data privacy law. The GDPR and the LGPD are similar when it comes to their requirements and obligations. Because we helped our customers prepare for the GDPR, most HubSpot customers won’t need to make many changes for the LGPD. However, it’s important to check the specific requirements under the LGPD noted below.
In August 2018, Brazil approved the Lei Geral de Proteção de Dados (in Portuguese), commonly known as the LGPD, Brazil’s comprehensive data protection law.
The LGPD creates new legal requirements for the use of personal data in Brazil, both online and offline, in the private and public sectors. The LGPD regulates controllers and processors of personal data. Controllers decide how and why to collect and process personal data. Processors are the entities who process the data according to the controller’s instructions.
The LGPD covers the activities of data controllers and processors, and also creates requirements for organizations processing information about data subjects. A data subject is broadly defined as a person whose personal data you are processing. The law also includes obligations on issues such as data protection officer appointments, legal bases for processing, data protection impact assessments, data transfers, and data breaches. The law will be enforced by the Brazilian data protection authority, the National Data Protection Authority (“ANPD”). Once its guidance is published and its officers are appointed, the ANPD is expected to provide important guidelines and clarity on certain provisions of the LGPD.
Additionally, in case of violations of the LGPD, the ANPD must notify the data processors of any violation. The ANPD must determine a deadline for adopting remediation actions, such as deleting or blocking the personal data.
When is the LGPD effective?
The LGPD is now effective.
The LGPD becoming effective this year was a surprise to many, as its effective date was expected to be postponed due to COVID-19. However, the Brazilian Senate reversed its order on postponement. This made the LGPD immediately effective upon the Brazilian President’s signature of the amendment, which has now been signed. It is important to note that the enforcement date of the law is not until August 2021. This means that the data protection supervisory authority, the ANPD, which is tasked with enforcing the law, will have no ability to bring penalties and fines under the LGPD until August 1, 2021.
As with the GDPR, the LGPD applies broadly to the processing of personal data, both online and offline. Both the LGPD and the GDPR are comprehensive in terms of personal, material, and territorial scope. The definitions of personal data are very similar in both, defined as having protection for any “information related to an identified or identifiable natural person.”
The LGPD applies across industry sectors and has extraterritorial application. This means that an organization collecting or processing personal data that is subject to the LGPD does not need to have a physical presence in Brazil for the law to apply. Additionally, the LGPD’s applicability is not limited by the size of the business or organization. There are three main aspects to its application. The LGPD applies to any individual or organization, private or public, that:
While there are some exceptions to the applicability of the LGPD, for most organizations processing, selling, and/or marketing in Brazil, the law will apply.
Before being able to truly determine whether or not the LGPD applies to your organization, it is important to understand what the LGPD defines as “personal data.” As stated above, the LGPD definition of personal data is any “information related to an identified or identifiable natural person.” Therefore, if you are a HubSpot customer that meets the scope criteria, and you are processing personal data, as defined above, then the LGPD applies to you.
An example of how the LGPD may apply to your company is as follows:
Let’s say that Victor is a contact of yours and lives in Brazil. He's called the “data subject," and your company (let's call it Acme Corp.) is called the "controller" of his data. If you're a HubSpot customer, then HubSpot acts as the "processor" of Victor's data on behalf of Acme.
Here’s how Victor might interact with your company:
Below you can find how HubSpot has you covered with respect to the ways Victor may interact with your company, Acme Corp. This example is developed further in HubSpot’s GDPR playbook. HubSpot has extensive resources on the GDPR, including this playbook and a knowledge base article. These resources explain the product and system features and functionality used by us and by our customers to support compliance with the GDPR. These product and system features can also support compliance with the LGPD.
The LGPD grants certain rights to data subjects. The LGPD seeks to protect the personal data of data subjects and does not impose a citizenship or residency requirement for a person to qualify as a data subject under the LGPD. Under the LGPD, data subjects have the right to receive adequate notice of their rights.
The LGPD allows data subjects to obtain the following from a controller with respect to their personal data:
The LGPD provides data subjects with the right to object to and restrict the processing of their personal data, and allows individuals to request deletion of their personal data. Additionally, the right of access is recognized in both the GDPR and the LGPD. Therefore, organizations must provide individuals with access to their personal data when requested. Yet there are a few differences between the GDPR and the LGPD, including the time period within which an access request must be answered. Organizations subject to the GDPR must generally respond to requests within 30 days of receipt of the request. However, the LGPD allows only 15 days for complying with access requests, and requests for the exercise of other rights should be responded to immediately. It is important to note that data subject requests under the LGPD are an area of the law that still needs further clarification from the ANPD.
Differences between the LGPD and GDPR
The GDPR and the LGPD are quite similar. However, there are a few differences between the two laws. For example, the GDPR has six lawful bases for processing, whereas the LGPD has ten. Additionally, the LGPD is more flexible when it comes to the legitimate interest balancing test. Moreover, the breach notification timing differs between the two laws. Under the GDPR, controllers need to notify supervisory authorities within 72 hours, whereas under the LGPD controllers need to notify both the supervisory authority and data subjects within a reasonable time. Finally, one major difference between the two laws is that the LGPD has a mandatory requirement for an organization to appoint a data protection officer, whereas under the GDPR this is not mandatory for all controllers.
Currently, ANPD enforcement is not set to begin until August 1, 2021, when the administrative sanctions provisions of the LGPD go into effect. For organizations that violate the LGPD, the law provides penalties that may include fines of up to 2% of the organization’s revenues in Brazil for the prior financial year, up to a maximum of R$ 50,000,000.00 per violation.
Given that the ANPD was only just established, many questions still remain regarding how the ANPD will operate in practice and administer these sanctions.
There is a significant amount of overlap between the LGPD and the GDPR. HubSpot has extensive resources on the GDPR, including this playbook, which explains the product and system features and functionality used by us and by our customers to support compliance with the GDPR and the LGPD.
A good portion of the existing product and system features, processes and policies (currently used for GDPR compliance) may be used in the same ways for compliance with the LGPD. For example, you may handle lawful basis and deletion requests (requirements under both laws) using our existing functionality. These functionalities are explained below and in the GDPR playbook, and they are live for all HubSpot customers.
Consider our example above:
Let’s say that Victor is a contact of yours and lives in Brazil. He's called the “data subject," and your company (let's call it Acme Corp.) is called the "controller" of his data. If you're a HubSpot customer, then HubSpot acts as the "processor" of Victor's data on behalf of Acme.
Here’s how Victor might interact with your business:
Here's a summary of the product functionalities:
Lawful Basis: Under the LGPD, you need to have a legal reason (called a lawful basis in the regulation) to use someone’s data. In HubSpot, we’ve broken down lawful basis into two broad categories: lawful basis to process (e.g., store data in your CRM or provide an ebook they requested) and lawful basis to communicate (e.g., send a marketing email or have a sales rep call).
You may need lawful basis to communicate with your contacts. If you don’t have it, consider creating subscription types, updating your existing database with those subscription types (with a permission pass campaign or another method), and setting up your forms to establish lawful basis moving forward.
Please see the HubSpot GDPR Playbook for further details on how to enable the setting for the LGPD obligations.
Deletion: Under the LGPD, a data subject has the right to request that you delete all the personal data you have about him.
In many cases, you’ll need to respond to his request immediately. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.
Please see the HubSpot GDPR Playbook and GDPR knowledge base article for further details on how to enable the setting for the LGPD obligations.
Cookies: The LGPD takes a risk-based approach, similar to what is required for organizations to be GDPR compliant. Organizations processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. Therefore, you can give visitors to your website notice of your use of cookies.
In HubSpot, you can capture a visitor’s consent for cookie tracking. And we’ve launched the ability to show different versions of the consent banner on different website pages.
Please see the HubSpot GDPR Playbook for further details on whether to update your cookie settings and how to enable the setting for the LGPD obligations.
Disclaimer: This website is neither an exhaustive summary of Brazil's Lei Geral de Proteção de Dados (“LGPD”) nor legal advice for your organization to use in complying with it. Instead, it provides background information to help you better understand the LGPD and how it can apply to your organization. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so you should consult an attorney if you’d like advice on your interpretation of this information or its accuracy. You may not rely on this paper as legal advice, nor as an endorsement of any particular legal understanding. Further, while the LGPD is influenced by the GDPR, an organization already in compliance with the GDPR is not automatically guaranteed compliance with the LGPD. Additionally, LGPD enforcement and guidance have not been finalized; therefore, HubSpot will continue to monitor the development of both the LGPD and any guidance to the law. HubSpot will continue to update this page as necessary.