General Data Protection Act (LGPD)
The General Data Protection Act (LGPD) – Law No. 13.709/2018 regulated the use of personal data by companies, so that Brazilian citizens have more security and control over their personal information. The LGPD effectiveness started in August 2021 and imposes a change in a form that companies collect, store, use, and share people’s data in order to ensure more privacy, security, and transparency in dealing with the personal information of third parties, especially clients, employees, and suppliers. An example of this right granted to companies is the possibility for people to consult what information of theirs each company stores and even request its display in administrative and judicial proceedings, as currently occurs in the labor courts. If any irregularity is found in the use of third parties’ data, the ANPD (National Authority for Data Protection) and other bodies, such as the Public Prosecution Office, Procon, and Secom, act in legal matters or apply fines against companies that breach the current law (e.g., art. 52, item II, of Law 13.709/2018 – a simple fine of up to two percent (2%) of the revenue of the private legal entity, group or conglomerate in Brazil in its last year, excluding taxes, limited, in total, to fifty million Reais (R$ 50,000,000.00) per breach; III – daily fine, according to the total limit referred to in item II).
In relation to the application of penalties, the demonstration of the adoption of good practices will be considered a mitigating criterion, which is why the demonstration of an internal policy of the company is effective for mitigating the risks of action, especially the demonstration of the existence of a security committee and a policy of request, consent, and control of personal data. BAW Law has a team prepared to format the program and the appointment of a DPO (Data Protection Officer) as an active body in data protection and privacy regulation within the company.