Brazil: General Data Protection Law is in effect now!

The beast that has been haunting businesses in Europe for quite some time has now arrived in Brazil. The General data Protection Law (LGPD, Law 13.709 / 2018) came into effect on September 18th, 2020.


What is the scope of the law?

As the name reveals, the LGPD aims to protect everyone’s data against privacy violations. Therefore, it is essential that a program be implemented for the protection and specific consent of previously stored data.


What are the implications of the law?

Knowing that the data of individuals or legal entities will be shared with the Government, whether through inspection or not, it is important to redouble the care of the information received and sent. There is no specific determination regarding the legal entity or individual, to comply with the standard, so everyone who performs data processing must provide the proper storage of information, whether physical or digital. What concerns a company is of paramount importance that the direct and indirect information that influences accounting and tax results must also be properly protected.


How does the LGPD affect businesses in Brazil?

It is a difficult task to measure the reach that the LGPD may reach within an organization in view of the range of information stored, since the data exposed occurs in different ways. With respect to a company as an ICMS taxpayer, take for example the SPED FISCAL, EFD Fiscal ICMS E IPI, which have information related to:

  • Electronic Invoice
  • Customer records
  • Supplier records


What happens in case of non-compliance?

All information must be adequately protected in order to avoid the application of penalties as provided for in article 52 of 13.709 / 2018:

  • warning, indicating the deadline for adopting corrective measures
  • simple fine, up to 2% (two percent) of the billing of a private company, group or conglomerate in Brazil in its last year, excluding taxes, limited in total to R $ 50,000,000.00 (fifty million reais) for infraction
  • daily fine, observing the total limit referred to in item II
  • publicizing the infraction after it has been properly investigated and confirmed its occurrence
  • blocking of the personal data to which the infraction refers until its regularization
  • elimination of personal data to which the violation refers
  • partial suspension of the operation of the database to which the infraction refers for a maximum period of 6 months, extendable for an equal period, until the regularization of the treatment activity by the controller
  • suspension of the exercise of the personal data processing activity referred to in data processing

The sanctions will be applied after administrative procedure that allows the opportunity of ample defense, gradually, isolated or cumulative, according to the peculiarities of the specific case.


In conclusion, the application of tax sanctions is the responsibility of the Data Protection Authority, ANPD, and although the proper regulations have not yet been published, it is recommended that companies do not fail to take appropriate measures to protect data for avoid unpleasant surprises.


These regulatory changes could affect your business with view to customizing or support of your ERP/SAP system. Please contact us to learn about possible necessary reactions to the changes – we are happy to assist you!