A new data privacy law in Brazil
Protecting customer data and privacy is a fundamental and essential requirement of running a business. In May 2018, the European data privacy law known as the General Data Protection Regulation (GDPR) came into effect. Shortly thereafter, in August 2018, Brazil enacted a similar privacy law known as the Lei Geral de Proteção de Dados (“LGPD”). The LGPD requires organizations to comply with requirements governing the processing of personal data, with additional requirements for sensitive personal data.
While the LGPD is leaner than the GDPR, the two laws share a lot of similarities. On this page, we'll walk you through the basics of the LGPD, how the law relates to HubSpot customers, and how HubSpot is helping customers prepare for the law. As further guidance on the LGPD is published, we'll continue to update this page as necessary.
Feeling underprepared? Don’t worry. HubSpot has a number of features that will help customers navigate this data privacy law. The GDPR and the LGPD are similar when it comes to their requirements and obligations, and because HubSpot already helped its customers prepare for the GDPR, most HubSpot customers won’t need to make many changes for the LGPD. However, it’s important to check the specific requirements under the LGPD noted below.
What is the LGPD?
In August 2018, Brazil approved the Lei Geral de Proteção de Dados (in Portuguese), commonly known as the LGPD, Brazil’s comprehensive data protection law.
The LGPD creates new legal requirements for the use of personal data in Brazil, both online and offline, in the private and public sectors. The LGPD regulates controllers and processors of personal data. Controllers decide how and why to collect and process personal data. Processors are the entities who process the data according to the controller’s instructions.
The LGPD covers the activities of data controllers and processors, and also creates requirements for organizations processing the information of data subjects. A data subject is broadly defined as any natural person whose personal data you are processing. The law also includes obligations on issues such as data protection officer appointments, the legal basis for processing, data protection impact assessments, data transfers, and data breaches. The law will be enforced by the Brazilian data protection authority, the National Data Protection Authority (“ANPD”). Once its officers are appointed and it begins publishing guidance, the ANPD is expected to provide important guidelines and clarity on certain provisions of the LGPD.
Additionally, where the LGPD has been violated, the ANPD must notify the data processors of the violation and set a deadline for adopting remediation actions, such as deleting or blocking the personal data.
When is the LGPD effective?
The LGPD is now effective.
The LGPD becoming effective this year was a surprise to many, as its effective date was expected to be postponed due to COVID-19. However, the Brazilian Senate reversed its order on the postponement. This made the LGPD effective immediately upon the Brazilian President’s signature of the amendment, which has now been signed. It is important to note, however, that enforcement does not begin until August 2021: the ANPD, the data protection supervisory authority tasked with enforcing the law, will have no ability to bring penalties and fines under the LGPD until August 1, 2021.
Who does the LGPD apply to?
As with the GDPR, the LGPD applies broadly to the processing of personal data, both online and offline. Both the LGPD and the GDPR are comprehensive in terms of personal, material, and territorial scope. The definitions of personal data are very similar in both, defined as having protection for any “information related to an identified or identifiable natural person.”
The LGPD applies across industry sectors and has extraterritorial application. This means an organization does not need a physical presence in Brazil for the law to apply to its collection or processing of personal data. Additionally, the LGPD applies regardless of the size of the business or organization. There are three main aspects to its application. The LGPD applies to any individual or organization, private or public, that:
- processes personal data in Brazil;
- processes personal data that was collected in Brazil; or
- processes personal data to offer or provide goods or services in Brazil.
While there are some exceptions to the applicability of the LGPD, for most organizations processing, selling, and/or marketing in Brazil, the law will apply.
Does the LGPD apply to my organization?
Before you can determine whether or not the LGPD applies to your organization, it is important to understand what the LGPD defines as “personal data.” As stated above, the LGPD defines personal data as any “information related to an identified or identifiable natural person.” Therefore, if you are a HubSpot customer that meets the scope criteria above, and you are processing personal data as defined above, then the LGPD applies to you.
An example of how the LGPD may apply to your company is as follows:
Let’s say that Victor is a contact of yours and lives in Brazil. He's called the “data subject,” and your company (let's call it Acme Corp.) is called the “controller” of his data. If you're a HubSpot customer, then HubSpot acts as the “processor” of Victor's data on behalf of Acme.
Here’s how Victor might interact with your company:
- Victor comes to Acme’s website for the first time
- Victor fills out a form (or gets created in Acme’s database manually / via API)
- Acme sends Victor an email
- Victor requests to see, modify, or delete the information Acme has about him
Below you can find how HubSpot has you covered for each of the ways Victor may interact with your company, Acme Corp. This example is explored further in HubSpot’s GDPR playbook. HubSpot has extensive resources on the GDPR, including this playbook and knowledge base article, which explain the product and system features and functionality that we and our customers use to support compliance with the GDPR. Those same product and system features can also support compliance with the LGPD.