Brazil adopts a new GDPR-style data protection law



Inspired by the EU GDPR, Brazil’s General Data Protection Law requires controllers to notify data breaches, appoint a Data Protection Officer (DPO), and follow new, stronger consent requirements. The law, which applies both to the private and public sectors also has provisions for Privacy Impact Assessments and Privacy by Design.

With regard to DPOs, it is expected that there will be further provisions to clarify the duties of DPOs and the criteria as to when a DPO needs to be appointed.

Fines for non-compliance can amount up to 2% of the legal entity, group or conglomerate revenues in Brazil during the previous financial year. Other measures include publishing details of the fine and what led to it, and blocking and deleting the personal data in question.

The law was published on 15 August and will enter into force in February 2020, eighteen months following its official publication. The President vetoed a part of the law which aimed to establish an independent national data protection authority. According to Natlawreview.com, the President announced that his office would send a separate bill to Congress for the creation of a data protection authority.


Read an analysis of this law by Pablo A. Palazzi, Partner at Allende & Brea, in the next issue of PL&B International Report.