First data protection law is enacted in Brazil 28 jun 2023

First data protection law is enacted in Brazil


The official redaction of the Brazilian general data protection law was published on August 15, 2018 (Law n. 13,709/2018).

It is important to notice that the President vetoed the creation of the National Data Protection Authority due to legal irregularities in view of its creation by the legislative sphere. In any case, the President affirmed that the authority will be duly created by proper means in due course.

Furthermore, the President also vetoed three articles of the bill of law related to the treatment of personal data by public authorities and specificities to the transfer of personal data between public authorities and private entities.

Finally, the last vetoes were related to possible administrative sanctions set forth by the bill of law, which provided for the (i) total or partial suspension of system operation of the database related to the infraction; (ii) suspension of the activities of personal data treatment; or (iii) total or partial prohibition of the exercise of the activities related to data treatment.

Please find below the main points of attention of the law, duly updated in observation of the final redaction of the enacted law.

  • Application: The Law will apply to any transaction or operation involving data treatment that (i) is performed in Brazil; (ii) has the objective of offering or supplying goods or services, or treatment of data of people located in Brazil; or (iii) is carried out with personal data collected in Brazil.


  • Exceptions: The Law will not apply to the treatment of personal data (i) carried out by individuals for private and nonprofit purposes; (ii) performed for journalistic, artistic or academic purposes; (iii) carried out for purposes of public safety, national security and defense or activities for investigation and deterrence of crimes (which will be the subject of a specific law); or (iv) with foreign provenance and that are not the target of communication, shares use with Brazilian data treatment agents or the object of transfer of data with another country that other than the country of provenance, provided such country provides a degree of protection adequate to the Brazilian Law.


  • Definition of Data: The expression “personal data” is defined as any data or information related to an identified or identifiable individual (called“owner”), with “sensitive personal data” being data about racial or ethnic background, religious belief, political opinion, membership labor unions or religious, philosophical or political organizations, as well as referring to the health or sexual life, genetic or biometric data.


  • Data Treatment: “Treatment” is considered to be all operations carried out with personal data, such as collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation, control, modification, communication, transfer, diffusion or extraction of data or information.


  • Treatment Agents: Agents fall into two categories, “controller”, defined as any individual or public or private legal entity responsible for the decisions related to the treatment of personal data, and the “operator”, defined as the individual or legal entity that carries out the treatment of personal data at the behest of the controller.


  • Principles: Important principles must be observed in the treatment activity, such as (i) purposes: the treatment must be carried out for specific and legitimate purposes, explicitly and informed to the owner, without the possibility of subsequent treatment in a form incompatible with these purposes; (ii) adequacy: compatibility of the treatment with the purposes reported to the owner; (iii) need: limitation of treatment only to the extent necessary to achieve the purposes; (iv) free access: guarantee that the owners can consult, easily and at no cost, the form and time frame of the treatment, as well as the integrity of their data; (v) quality of the data: guarantee of the precision, clarity, relevance and currency of the data; (vi) transparence: guarantee of clear information that is easily accessible by the owners;  (vii) security: utilization of technical and administrative measures to protect the data from access by unauthorized parties and misuse; (viii) prevention: adoption of measures to prevent the occurrence of damages due to treatment of personal data; (ix) nondiscrimination: impossibility of treatment for discrimination, illicit or abusive purposes; and (x) accountability: demonstration of effective means to observe and prove compliance with the rules on protection of personal data.


  • Requirements for Treatment: The treatment may only be carried out (i) with consent; (ii) to comply with a legal or regulatory obligation of the controller; (iii) by the public administration, for treatment of data necessary for public policy purposes; (iv) for conduction of studies by a research entity, with guarantee of anonymization; (v) when necessary to perform a contract; (vi) for regular exercise of rights in a judicial, administrative or arbitral proceeding; (vii) for protection of the life or physical integrity of the owner or third parties; (viii) for production of health, though a procedure carried out by professionals in the area of public health of by sanitary authorities; (ix) in the legitimate interests of the controller or third parties; and (x) for protection of credit.


  • Consent: The consent must be expressed in writing (in the case of a contract, highlighted with respect to the other clauses) or by other means that demonstrate the manifestation of will of the owner, with the controller have the burden of proving consent was obtained pursuant to the Law. Generic consent will be deemed null and void, and treatment in cases of defective consent is forbidden.


  • Revocation of Consent: The consent can be revoked at any moment, by express manifestation of the owner on a free and easy procedure, with ratification of any treatment performed under the consent provided previously.


  • Access to the Data: The owner shall have facilitated access to the data subject to treatment, which must be provided clearly and ostensibly, with mention of the purpose, form and duration of the treatment, identification of the controller and the corresponding contact information, explanation of the shared use of data and the purpose, responsibilities of the treatment agents, besides explicit mention of the rights of the owner specified in Article 18 of the Law (next).


  • Rights of the Owner (Art. 18): The owner has the following rights: (i) confirmation of the existence of treatment; (ii) access to the data; (iii) correction of incomplete, inexact or outdated data; (iv) anonymization, blockage or elimination of unnecessary or excessive data; (v) portability of the data; (vi) elimination of personal data treated with consent; (vii) information about the public or private entities with which the controller has carried out shared used of the data; (viii) information about the possibility of not providing consent and the consequences of denial; and (ix) revocation of consent.


  • Treatment of Sensitive Data: The treatment can only occur when the owner or its legal representative consents, specifically and in highlight, for specific purposes, or without consent of the owner in cases of compliance with a legal or regulatory obligation by the controlling, need to carry out public policies by the public administration set forth in law; studies by research entities (with anonymization of sensitive personal data); regular exercise of rights; protection of the life or physical integrity of the owner; protection of public health; prevention of fraud; and security of the owner.


  • Anonymized Data: They are defined as data by which the owner cannot be identified, for which reason they will not be considered as personal, unless they can be reversed and identify the owner.


  • Children and Adolescents: The treatment of data on children and adolescents must be performed with the specific and highlighted consent of at least one of the parents or legal guardians, except when necessary to contact the parents or guardians.


  • End of the Treatment: The treatment must end when the purpose has been attained or the date cease being necessary or pertinent; at the end of the treatment period; by communication from the owner; or determination of a national authority (once created). The data must be deleted after the end of the treatment, other than specific exceptions.


  • Treatment of Data by the Public Authorities: The treatment must be performed only to serve the corresponding public purpose and with the objective of satisfying the legal attributions of the public service, with observation of the conditions determined in law.


  • International Transfer of Data: The transfer of personal data to other jurisdictions will be allowed only in the cases set forth in law, such as: (i) with the specific consent of the owner; (ii) to satisfy a legal or regulatory obligation, when necessary to perform contracts or for regular exercise of rights in a judicial, administrative or arbitral proceeding; (iii) to countries or international organizations that provide an adequate degree of protection of personal data as specified in law or determined by a competent entity; (iv) when the controller of the data proves it has guarantees of compliance with the principles, rights of the owner and data protection regime set forth in Brazilian law; (v) for protection of the life of physical integrity of the owner or a third party, among other situations.


  • Records of Operations for Treatment of Personal Data: The controller and operator must keep records of the operations for treatment of personal data they carry out, mainly when the treatment is based on a legitimate interest


  • Report of the Impact of Protection of Personal Data: In relation with operations to treat data, the competent body, once created, can request the preparation of a “Report of the Impact of Protection of Personal Data,” which must state they types of data collected, the method used for their collection and the guarantee of their security, as well as analysis of the controller of the measures, safeguards and mechanisms for risk mitigation adopted.


  • Chief of Treatment: The new Law creates the figure of Head of Data Treatment, who is the person responsible for accepting complaints and other communications from the owner and competent authorities, orienting employees about good practices, among others attributions. The Chief must be appointed by the controller and his/her identity and contact information must be disclosed clearly and objectively.


  • Joint and Several Liability: Other than in exceptional cases identified in law, the operator and controller are deemed to be jointly and severally liable for the data with respect to pecuniary or moral damages, either individual or collective, caused by the date treatment.


  • Security Measures: It is mandatory to adopt technical and administrative security measures to protect the personal data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, disclosure or any other form of inadequate or illicit treatment. The minimum technical standards must be disclosed by the competent body opportunely, considering the specificities of the personal data and their treatment.


  • Communication in Cases of Security Incidents: The controller must report to the competent body (once created) and the owners when any security incidents occur that can cause a relevant risk or damage to the owners of the personal data.


  • Administrative Penalties: Infractions of the Law can subject the Treatment Agents to the applicable administrative penalties by the competent body, after an administrative proceeding that affords rebuttal and ample defense. Among the penalties are official warning, publicity of the infraction, single or daily fine (up to 2%) of the gross revenue of a private company, business group or conglomerate in Brazil in the preceding year, excluding taxes, capped at R$ 50 million per infraction).

Within the 18 months of vacatio legis, the Brazilian General Data Protection Law will be fully effective within 18 months, that is, in February, 2020.


In case of any doubts about this subject, please do not hesitate to contact us.


Paula Mena Barreto
T: +55 21 3262-3028

Manoela Esteves
T:  +55 21 3262 3042