On July 10, the draft of the General Data Protection Regulation ("LGPD") was approved by the Senate and will be sanctioned by President Michel Temer within the next days.

The Bill ("PLC 53/2018") was passed with forty six amendments, as well as three other bills that were attached to the proposal. In addition, PLS 131/2014, PLS 181/2014 and PLS 330/2013 were rejected by the Committee on Economic Affairs (CAE) since the Commission understood, after extensive dialogue between the Chamber and the Senate, that PLC 53/2018 already covered everything that was understood by the Plenary Session as essential to the Brazilian Data Protection Law.

Inspired by the European Data Protection Law (GDPR), which has been in force since May 25, 2018, the Brazilian Bill provides that any company that gathers and processess personal data, (such as name, address, email, among others) obtained by electronic or physical means, will require the consent of the owner of such information, and in the case of children, the consent must be given by their parents or legal guardians. Additionally, the Bill grants the dataowner the right to access his collected information and correct it, and also obligates companies to inform immediately if a leakage of data occurs, and provides the creation of a regulatory body. Below, the main aspects of PLC 53/2018 provided by the Senate Agency:


* PLC 53/2018 has 65 Articles, distributed into 10 Chapters. The text was significantly inspired by specific lines of European regulation that entered into effect on May 25, 2018, the General Data Protection Regulation (GDPR).

Protection for Possible Data Processing Scenarios

* With the owner's consent.

* For compliance with legal or regulatory obligations to those responsible for the processing.

* For the Public Administration, for the processing and shared use of necessary data for the execution of public policies.

* For the performance of studies by research bodies, without the individualization of the people.

* For the protection of the well-being or physical safety of the data owner or third parties.

* For the protection of the data-owner's health, involving procedures performed by health professionals or healthcare entities.

* For the execution of a contract or preliminary procedure related to a contract to which the data-owner is a party when at his request.

* For pleading in lawsuits or judicial, administrative or arbitration proceedings.

* For the protection of credit, under the terms of the Consumer Protection and Defense Code (CDC).

Scope and Coverage

* Any data, such as name, address, e-mail, age, marital status, and financial situation, obtained in any type of support or medium (paper, electronic, computer, sound, image or other).

Contracts of Adhesion

* In cases of adhesion contracts, when the processing of personal data is a condition for the delivery of products or services, the data-owner must be informed in detail of this fact.

Sensitive data

* The text brings forward the concept of sensitive data, which receives differential treatment regarding: racial or ethnic origin; religious beliefs; political opinions; membership of syndicates or religious, philosophical or political organizations; data relating to health or sexual life; and genetic or biometric data when linked to a natural person.

Vacatio Legis

* The new rules will only come into effect after a year and a half following the publication of the Law, so that agencies, companies and entities can adapt.

National Data Protection Authority Autoridade Nacional de Proteção de Dados (ANPD)

* The Bill provides for the creation of a special independent governmental agency linked to the Ministry of Justice, with the aim of safeguarding the protection of data, surveillance and application of sanctions, among others duties.

Administrative sanctions

* Those who violate the new Law are subject to a warning, a single fine, daily fine, partial or total suspension of operation, among other sanctions.

Civil Liabilities

* The responsible party that, due to professional data processing activities, causes damage to property, or moral, individual or collective damage, is obligated to repair it. In civil proceedings, a court , may reverse the burden of the proof in favor of the data-owner when, in its opinion, the allegation of damage is plausible, when there is a lack of evidence or when the production of evidence by the data-holder would be hard or impossible.