• Contact us
  • Today: 9:00 – 13:30 / 14:30 – 23:00 – Open

Featured Featured Article – Article

The new Brazilian General Data Protection Law - GDPL

The new Brazilian General Data Protection Law - GDPL

The Brazilian General Data Protection Law - GDPL is a new data privacy law that will apply to businesses (both inside and outside Brazil) that process the personal data of users located in Brazil.

The Lawyers Global

Published on Tuesday, 14th July 2020 – 10:34:51 pm
by Data Protection Officer

The Brazilian General Data Protection Law - GDPL (Lei Geral de Proteção de Dados) is a new data privacy law that will apply to businesses (both inside and outside Brazil) that processes the personal data of users located in Brazil. It is expected that the new law will take effect on August 16, 2020. Ongoing discussions in the Brazilian government may change the LGPD effective application date.

Below you will find a summary of the new Brazilian General Data Protection Law (GDPL) as a guide for your firm to start working in compliance. The key features of the GDPL are summarized, and we will publish a new article on the subject as soon as the law is set to take effect officially.




Main objectives of the new law

Privacy protection

Ensure the right to privacy and protect users' personal data, through transparent and secure practices, guaranteeing fundamental rights.


Establish clear rules on the processing of personal data.


Foster economic and technological development.

Standardization of standards

Establish unique and harmonious rules on the processing of personal data by all agents and controllers that process and collect data.

Legal certainty

Strengthen the security of legal relations and the holder's trust in the processing of personal data, guaranteeing free initiative, free competition, and the defense of commercial and consumer affairs.

Favoring competition

Promote competition and free economic activity, including data portability.


Data subject's rights

The holders of personal data have had their rights extended and must be guaranteed in an accessible and effective manner. (art.18).

Main rights

  1. Confirm the existence of the treatment of your personal data.
  2. Access your personal data.
  3. Correct incomplete, inaccurate, or outdated personal data.
  4. Anonymizing, blocking, or deleting unnecessary, excessive, or treated personal data in non-compliance with the LGPD.
  5. Portability of personal data to another product or service provider.
  6. Elimination of data processed with your consent.
  7. Obtaining information about public and private entities with which the controller shared personal data.
  8. Gathering information about the possibility of not consenting to the processing of personal data and the consequences of denial.
  9. Revocation of the consent given for the processing of personal data.
  10. Data portability (article 18, V), which, similar to what can be done between different telephone companies and banks, allows the holder not only to request a copy of the complete data but also to provide it in a format interoperable, which facilitates the transfer of these to other services, even to competitors. Due to its nature, this new right has been seen as a strong element of competition between different companies that offer similar services based on the use of personal data.


Agents and controllers

Controllers and operators are the personal data processing agents and must keep a record of the processing operations they carry out, especially when based on a legitimate interest (art. 37).

The operator must carry out the data processing according to the instructions provided by the controller (art. 39). The controller must indicate the person in charge (DPO - Data Protection Officer ) for the processing of personal data (art. 41). According to the innovation brought by the wording of Provisional Measure No. 869/2018, the DPO can be an individual or legal entity (national or international), which acts as a communication channel between the controller and the ANPD and the holders.

The identity and contact information of the person in charge must be public, precise and objective, preferably on the controller's website (art. 41, §1); and the person in charge must accept complaints and communications from the holders, provide clarifications and adopt measures; receive communications from the national authority and take action; guide the entity's employees and contractors about the practices to be taken in relation to the protection of personal data; and perform the other attributions determined by the controller or established in complementary rules (art. 41, paragraph 2).


Impact on companies (Impact on company privacy policies)

The GDPL will significantly impact commercial and consumer relations that require data collection, especially given the growing trend of processing personal data of customers/consumers to outline their profile, identifying various information, especially consumption habits and conditions financial and credit.

Transfer and data

The use of personal data must be related to the underlying legal business. Except in the case of proven public interest, the exchange of information between retailers and companies specialized in databases is prohibited.

The regulation of personal data brought by the GDPL requires adjustments by companies that collect data from users, especially concerning the users' express consent to the collection, processing of data, purpose, and the eventual transfer of their data to third parties.

Working relationships

In labor and employment relations, as the employer holds personal information about its employees, it must observe the GDPL, under penalty of civil liability.

Although the GDPL authorizes companies to use the personal data of their employees and service providers (art. 7, V and IX) for the legitimate execution of contracts, for the benefit of the worker himself, caution and observance of the rules of the GDPL are necessary for all its phases, in the acts performed before the contract, during the term of the contract, in the outsourcing and after the termination of the contracts.

When outsourcing services, employees must obtain written consent for the company to process their data, especially when transmitting it to third parties (service providers), as a result of the activity performed, or even due to legal and regulatory requirements. Contractual terms, clearly specifying what data will be passed on and for what purpose.

In addition to employee consent, it is recommended that companies create specific obligations in their commercial contracts, following the requirements imposed by the GDPL on data processing.


What should firms and businesses do? The key points to become GDPL compliant.

Due Diligence on personal data

Identification of data (personal, sensitive, child, public, anonymous), departments, means (physical or digital), internal and external operators to measure the company's exposure to GDPL.

Treatment Audit

Adherence of the 20 data processing activities (art. 5, X) (collection, control, elimination, etc.) to the general principles provided for in Art. 6 of the GDPL, through review and creation of documents (contracts, terms, policies) for internal and external use.

Consent Management and Anonymization

Control of consent and anonymity to meet a possible request from the holder and the future agency.

Holder Order Management

Creation of a database to control the requests of data subjects (access, confirmation, anonymization, consent, portability, etc.).

Impact Report

Compliance with ANPD and other bodies of the National Consumer Protection System, which may request from the controller an impact report on the protection of personal data.

Data Security

Adoption of information security measures to protect personal data from unauthorized access and accidental or illegal situations.

Treatment Governance

The creation of good practice and governance rules establishes procedures, safety standards, educational actions, and risk mitigation in the treatment of personal data.

Communication Plan - Security Incident

Communication to inspection bodies (ANPD, Procon, Senacon) and the press about a security incident entails risk or damage.

Validation of treatment termination

Adopting the necessary measures for the elimination of the processed data and verifying the possible conservation of the data with the elaboration of documents that evidence the removal.


Certification by a specialized audit of practices related to GDPL.

Data Protection Officer (In-Charge)

Identify the person in charge (Individual or Legal Entity) and his / her capacity to carry out the activities foreseen in the LGPD.

Conflict Prevention

Inclusion of an arbitration clause linked to the private online chamber registered with the CNJ to mitigate judicial litigation.



Although the Brazilian GDPL isn't still final nor its obligatory implementation date set, most of the GDPL follows other consumer data protection laws like the GDPR, CCPA.

The efforts required to become compliant, are mostly relative to the Terms and Condition, and Privacy Policy information already currently internationally required to be effective. Nevertheless, some details may require adjustments by firms and businesses, depending on the type of collected data and how companies control and manage that same personal data.

At The Lawyers Global, we are already taking the necessary actions for GDPL compliance and alerting our clients to do the same before August 16, 2020. Our online Privacy Policy will reflect the required changes shortly.


Official GDPL Reference

http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm (Brazilian Portuguese)

Other Recent Articles

Press Release 2020 Annual Legal Awards Results
2020 Annual Legal Awards Results

Monday, 12th October 2020 – 11:12:38 pm

The Lawyers Global team announces the 2020 Annual Legal Awards results that are now publicly available online on our platform in the Awards directories and on each awarded law firm profile page.

Press Release Law Firms Suspension from our Elite Firms
Law Firms Suspension from our Elite Firms

Wednesday, 5th August 2020 – 01:03:45 am

Was your law firm suspended? Law Firms that have breached contracts, or have not met our strict requirements, and other reasons that make them non-eligible are being suspended from our Elite Law Firms' listings, staring today.


#2020AnnualGlobalLegalAwards #Abogados #Advogados #Africa #Anger #Anxiety #Application #Attorney #Attorneys #Avocats #Award #Awards #Backoffice #Badges #BeatAirPolution #BestLawFirms #BestLawyers #BigLaw #BrandAwareness #Branding #Brazil #BurnoutSyndrome #Burundi #Business #BusinessAwards #BusinessLaw #BusinessPractices #Campaign #CCPA #Cities #City #Clients #Commandments #Compliance #Consulting #ContinentAwards #Coronavirus #Corporate #Corporate&CommercialLaw #CorporateResponsibility #Countries #CountryAwards #COVID-19 #DarkSide #DataProtection #Depression #Design #Disclaimer #Donate #Earth #EarthDay #Economy #EduardoJuanCouture #Ethics #Excellence #Exhaustion #Facebook #FinancialCrisis #GDPL #GDPR #Global #GlobalAwards #GoGreen #Google #GoogleSearch #Growth #Guidelines #Impressum #Imprint #InstaLawyers #Instagram #InternationalBusinessLaw #Jurisdiction #Jurist #Justice #LagalRanking #Law #LawFirm #LawFirmLife #LawFirms #LawFirmsSearchEngine #LawFrmsSearchEngine #Lawyering #Lawyers #Legal #LegalAwards #LegalBusiness #LegalDisclosure #LegalIndustry #LegalMarketing #LegalNotice #LegalPractice #LegalProtection #LegalRanking #LegalRights #LFSE #LGPD #License #LimitedBrandUse #LinkedIn #ManagingPartner #Marketing #MaskChallenge #Media #MentalHealth #Nature #News #Oustanding #Parasuicide #Partnerships #Pinterest #PlasticFree #Policies #PressRelease #Privacy #PrivacyPolicy #Profession #Profiles #ProtectWhatYouLove #Psychiatry #Psychology #Ranking #Recognition #RecommendedLawFirm #Reliability #SaveOurPlanet #SaveTheEarth #Scams #Security #SEO #Services #Sleeplessness #SocialMedia #SocialResponsibility #Solidarity #Strategy #Sub-RegionalAwards #Success #SuicidePrevention #TermsAndConditions #TermsOfService #TheLawyersGlobal #ThoughtLeaders #Top #Tribute #Trophy #Trust #TrustJurisChambers #Twitter #UNEP #UnitedNations #Uruguay #UserExperience #Users #UX #Webdesign #Webdevelopment #WHO #Winner #WomenInLaw #Work #WorkFromHome #Workload #WorldHealthOrganization #WorldEnvironmentDay #WorldEnvironmentDay2019