BRAZIL: The General Data Protection Law takes effect – changes and effects of the law

October 2020 – Brazil – Rossetti Advogados

Law No. 14.058/20 was sanctioned last September 18, 2020. It resulted from the conversion of Provisional Measure No. 959, dated April 29, 2020, which regulated the general part of obligations of the General Data Protection Law – Law No. 13.709/18(“LGPD”). Thus, the legal framework governing the use, protection and transfer of personal data took effect in Brazil.

The LGPD defines rights of individuals with respect to their personal information and rules for those who collect and process these records, such as obligations to obtain consent in some cases, publicity of how they use the data and guarantee of safety to avoid leakage. In addition, it created a national authority to carry out inspections and established sanctions, such as fines, for those who violate the rules.

Initially, the provisional measure established that the LGPD rules would take effect only as from August 2021. However, during review thereof in the Brazilian Congress, the article that provided on this term was eliminated and, therefore, due to publication of the text of Law 14.058/20 in the Federal Official Gazette, the general part of the LGPD takes effect immediately.

However, the sanctioned law provided that the punishments for noncompliance with the LGPD shall only apply as from August 2021. Until then, we expect that the Brazilian Data Protection Authority (“ANPD”) will be already structured — such body will be responsible for regulating the law, preparing instructions for compliance with its rules and inspecting compliance.

The following provisions of the LGPD, without limitation, take effect immediately:

  1. compliance with the minimum data processing requirements, especially the consent of the data subject (person to whom the personal data refer);
  2. the need to grant the data subjects facilitated access to their data;
  3. differentiated processing of sensitive data and data on children and adolescents, such as the need for specific consent;
  4. the need to designate a controller (who has the duty to make the decisions relating to the data processing), operator (who processes personal data in the name of the controller) and person in charge (person designated by the controller and operator to act as a communication channel between the controller, the data subjects and the ANPD), as well as the need to adopt a data processing structure in this form; and
  5. the need to comply with the minimum data security standards, good governance practices set forth in the LGPD, such as the adoption of measures to protect personal data from unauthorized access and accidental or unlawful events of destruction, loss, alteration, communication or any form of inappropriate or unlawful processing.

Therefore, even if some regulations are still required, which shall be provided by the ANPD, as from September 2020 the data subjects will note that business of all kinds will require new authorizations for things that are currently trivial. Applications already installed will clearly inform which types of permission they will request or use upon installation in mobiles, companies will inform how and for which purpose they will use the data etc.

The future will tell how will the companies and users adjust to all these changes, in addition, of course, to the legal evolution that will take place as defined by the practice.

For more information on the above or in other matters, please contact Maristela SA Rossetti ( or Gilberto Rossetti (

This article is based on publicly available information and given for informational purposes only. It is not intended as legal advice or as a comprehensive analysis of the matters referred to herein.