What is LGPD?
Lei Geral de Proteção de Dados (LGPD) is the new data protection law which came into effect in Brazil on September 18, 2020. Due to the COVID-19 Pandemic, enforcement has been postponed until August 1, 2021. The law tries to unify previous data protection legislation in the country and is modeled after the European General Data Protection Regulation (GDPR).
Keeping in mind that as the LGPD is a new piece of legislation, the implementation of certain provisions thereof may require companies to use a substantial degree of discretion.
The following topics are covered below:
- Steps that Fyber is taking to support its Publishers and Demand Partners’ compliance with the LGPD
- Steps Publishers can take to prepare for LGPD
- Steps Demand Partners can take to prepare for LGPD
- LGPD vs. GDPR – similarities and differences
Steps that Fyber is taking to support its Publishers and Demand Partners’ compliance with the LGPD
In order to comply with the requirements of the LGPD Fyber will update its SDK to enable the handling of LGPD specific flags, strings or other technical implementations.
Fyber will apply the same processes to respond to its controller’s requests received under the LGPD from Brazilian data subjects as it does for those it receives under the GDPR but will align the response time frames with the new requirements.
Steps Publishers can take to prepare for LGPD
Furthermore, publishers are encouraged to review their processes for responding to data subject requests (e.g. deletion, access) under the GDPR and update the time frame for responding to such requests in accordance with LGPD. Data controller publisher are encouraged appoint a DPO. Publishers are encouraged to review and assess their data protection documentation and processes and update those if and where necessary.
Steps Demand Partners can take to prepare for LGPD
Demand partners are expected to ensure they are able to receive Fyber’s LGPD signals as described herein. Where applicable, demand partners may rely on their existing technical measures and processes used under the GDPR.
Furthermore, demand partners are encouraged to review their processes for responding to data subject requests (e.g. deletion, access) under the GDPR and update the time frame for responding to such requests in accordance with LGPD. Data controller demand partners are encouraged to appoint a DPO. Demand partners are encouraged to review and assess their data protection documentation and processes and update those if and where necessary.
LGPD vs. GDPR – similarities and differences?
While both the GDPR and the LGPD protect any information related to an identified or identifiable natural person, the LGPD does not specify what kind of information it refers to, resulting in a possibly broader scope of the type of data that is protected.
For practical reasons and until further guidance from the newly created Brazilian supervisory authority is received, Fyber will be treating the same categories of data as personal data as it does under GDPR. Anonymized data falls outside the scope of both laws as long as measures are taken to ensure that the data cannot be re-identified.
Data Subject Requests
Under the GDPR, data subject requests (i.e. individuals in the European Economic Area) require a response from the data controller within one month and the deadline may be extended by further two months where necessary, taking into account the complexity and number of requests. The LGPD on the other hand, only allows the response to take 15 days (for access requests) or a reasonable time (for other requests).
Both GDPR and LGPD acknowledge six legal grounds (such as consent and legitimate interest) for processing personal data. The LGPD expands the list further to allow processing based on studies by a research body, exercise of rights in legal proceedings, health protection and credit protection. For practical reasons, relying on the same legal grounds for processing personal data under the GDPR also under the LGPD will make compliance with the LGPD much easier.
Data Protection Officers
Under the GDPR, both data controllers and processors are subject to the obligation to appoint a DPO if they meet certain requirements. Under LGPD, processors are free from such obligation while all controllers that process personal data are required to appoint a DPO.
Data Breach Notifications
Both the GDPR and the LGPD contain mandatory data breach notifications. While controllers are required to inform the relevant data protection authority within 72 hours under the GDPR, the LGPD requires such notification within a “reasonable timeframe”. For practical reasons, also in this case, applying the same procedure for the LGPD that has been adopted for the GDPR will make compliance with the LGPD much easier until further guidance is received from the Brazilian supervisory authority.