With the adoption of the GDPR and its systematic treatment of personal data protection, the EU has encouraged a trend of updating this area and has influenced the revision and supplementing of legislation across the world. Thus, the Brazilian data protection law (LGPD) recently entered into force, and it can generally be said that all entities that had previously aligned their business with the GDPR have welcomed the application of the new law. However, there are certain similarities and differences, and we set out some of them below. In their definition of what personal data may be, the LGPD and the GDPR are similar.
What the LGPD qualifies as personal data is even wider than under the GDPR. Although the LGPD refers to as many as 9 rights of data subjects, compared with the 8 mentioned by the GDPR, they are essentially the same rights as those stated in the GDPR, the difference being that the right of access to information was further clarified as a separate right to information about the controller's sharing of personal data with all external actors. Both the GDPR and the LGPD set limits on the international transfer of personal data to third countries, allowing such transfers only on a given basis.
However, the Brazilian supervisory authority still has to adopt adequacy decisions and lay down rules so that the mechanisms of international transfer are legal. The LGPD has clearly specified that a data protection officer has to be designated by any entity that processes personal data, regardless of the types of processing carried out or the amount of data processed. On the other hand, when it comes to reporting a personal data breach, the GDPR is clear that the deadline for reporting is 72h, while the LGPD refers to a reasonable period without specifying it precisely. For non-compliance or breach of the Regulation, the GDPR imposes maximum fines of up to 4% of global turnover or up to EUR 20M (whichever is the larger). The LGPD imposes a fine of up to 2% of the non-taxable income of the entity in Brazil in the preceding year, i.e. up to a maximum amount of EUR 11 million.
As mentioned above, these similarities and differences are not the only ones. In addition, the LGPD contains many provisions with broad definitions, and guidelines and supplements are expected in the first months of application to make it more precise in practice. Despite the similarities between the GDPR and the LGPD, compliance with the GDPR does not guarantee compliance with the LGPD. Therefore, if your company has relations with partners from Brazil, it is important to underline that, even though you already apply the GDPR, business processes and internal procedures need to be further adapted to the Brazilian privacy regulation (LGPD).
Ines I Marko Krečak, DPO