Brazilian Data Protection Law No. 13.709 (LGPD) was published in August 2018, but given the adaptation that many companies and industries would have to make to comply with it, it was to come into force at a later time, especially because, once it is in full force, any company that does not comply with it could be subject to a sanctioning procedure and very high fines (2% of income or up to USD 12 million, according to article 52 of the Law).
Initially, it would enter into force in August of this year, but last April, President Bolsonaro, through Provisional Measure No. 959/2020, delayed its entry into force to May 2021. This was in response to the difficulties and economic uncertainties resulting from the pandemic. In addition, the Brazilian data protection authority had not yet started its functions. Without the authority that will direct the supervision and control of compliance with the regulation, it would not make much sense for it to come into force.
However, according to IAPP, last Wednesday, in the last Senate vote, the specific article of the Executive Order that postponed the LGPD to May 2021 was excluded, so the law practically entered into force immediately. According to Carolina Cagnoni, partner at GCA Advogados, “It is a fact that most companies are not prepared and do not comply with the law, it is also a fact that the law cannot be fully complied with at present, as specific regulations have not been issued because the national authority is not in functions.”
The "good thing" is that the sanctions are not yet in effect. However, any interested party could seek the application of this law in court.
It is therefore clear that companies (national or foreign) that process the personal data of Brazilian citizens must accelerate their processes of adaptation to the new law. They must endeavor to implement channels for attending to the rights of holders of personal data (access, correction, anonymization, blocking, deletion, data portability, among others). They must also verify that the data they process comply with the principles of purpose, need, quality, adequacy, security, etc., so that they do not process information that is not necessary for the purpose for which it was collected, that is excessive, or that is no longer relevant.
Likewise, they must designate a compliance officer in charge of the processing of the company's personal data, who must receive the claims of the data owners, receive the communications from the national authority, and guide employees and contractors on practices related to compliance with data protection law, among other duties.
Undoubtedly, this data protection law is based on the General Data Protection Regulation of the EU, which has practically become a standard for the new regulations on the matter. That certainly doesn't deserve any criticism.