New General Data Protection Law in Brazil- what changes?

Last Tuesday, August 14, Brazilian President Michel Temer sanctioned the General Data Protection Law – GDPL- which regulates how personal data of Brazilians may be used by companies and public agencies.

The companies will have 18 months to comply with the new legislation, which goes into effect in February 2020.

The change was the subject of a lecture by attorney Fernando Santiago, data protection expert at the Chenut Oliveira Santiago office, presented last Monday (13) at the France-Brazil Chamber of Commerce, in São Paulo.

“We live in an age where data is a very valuable asset. Google, for example, has a business model based on following the citizens/consumers, detecting their choices and consumption habits, and profiting from that data. But any asset can turn out to be a liability, in the sense that an undue spill of data can be very costly for a company”, explained Santiago during the event.

With the new law, the oversight and sanctions that can be suffered by Brazilian companies become clearer, and even more stringent. According to the expert, although in Brazil the subject of data protection is new, in Europe it has been discussed since the 1970s. “The GDPL is very inspired by the GDPR (European Regulation of Protection of Personal Data“), he explains.

In Santiago’s view, the big issue in Brazil is a broad paradigm shift. “With the enactment of the new law, companies need more than ever to reflect on whether they need to actually collect and store certain data”, analyzes.

“One of the most delicate areas in companies is Human Resources, which usually stores medical records and other very detailed and sensitive information about employees. A data leak of this kind can do a lot of damage, so much care is needed in the treatment of this data”, he says.

What changes with the new law

Among the main changes brought with GDPL are:

– companies will no longer be able to collect personal data without the consent of the owners (consumers or employees), and will also be fully responsible for the security of this information

– in addition to having to consent, the data owner may also request the revocation of the authorization to use his information at any time

– the consumer may also request the portability of the data and require that his information be erased

– companies becomes responsible for data security that they collect, transmits, process and store

– company can be fined up to 2% of the billing or up to R$ 50 million for infraction

Europartner approves the new law

For Singrid Teixeira, responsible for the commercial department of Europartner and management of new partnerships, the new law is welcome because it helps to regulate relations between companies, their employees, clients and other third-parties.

“Europe is already more advanced in the data protection issue, but in Brazil this awareness has been growing. We see the law with good eyes because every citizen has the right to personal data protection, and now it will be easier for companies to know how to avoid leaks and to ensure the protection and correct treatment of the data, as well as to collect only the really relevant information for business”, she says.

Read more in our blog:

Software law: dispute between states and municipalities around taxes