Brazil Enacts General Data Privacy Law Mirroring the GDPR

The Brazilian President has signed into law a new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais) similar to the EU General Data Protection Regulation (GDPR). The law has broad applicability as it applies to any processing of personal data provided that: (1) the processing operation is carried out in the national territory (i.e. Brazil); (2) the purpose of the processing activity is to offer or provide goods or services to individuals in Brazil or process data of individuals located in Brazil; or (3) the personal data being processed was collected in Brazil. These rules apply irrespective of the country in which the organization is located or the country where the data is.

Like the GDPR, the law prescribes different lawful bases for processing of personal data, including among others, consent, compliance with a legal or regulatory obligation, necessity for the execution of a contract, and necessity for the legitimate interests of the controller or a third party.  However, unlike the GDPR, the law lays out other specific bases for processing, such as to protect health, in a procedure carried out by health professionals or by health entities and the protection of credit.  

The law also imposes different administrative sanctions on data handlers that violate its instructions, among them fines up to two percent (2%) of an entity’s revenues in Brazil for the preceding financial year, up to a total of fifty million Brazilian Real (approximately 12 million dollars) per infraction