Freedom, Privacy and Free Development
EcoMetrologia, Jan 6 (updated Jan 6)
General Law on the Protection of Personal Data (LGPD): Law No. 13,709, of August 14, 2018

In our previous article, we discussed the Access to Information Law (LAI - Law No. 12.527/2011), demonstrating the relevance of this legal framework in enabling not only access but also the availability, transparency, and social control of personal or public data for private individuals or state bodies.
In today's article, we will discuss the General Data Protection Law (LGPD – Law No. 13.709/2018), which complements the LAI. Understand how the LGPD is associated with your personal routine and get ready because in the next articles we will articulate these two legal frameworks with Business Management practices, mainly regarding Strategic Planning and the maintenance of Quality, Risk, and Environmental Management Systems. So, activate the bell on our social networks, subscribe to our channel on the website, and enjoy your reading!
The fundamentals
The Brazilian General Data Protection Law (LGPD), enacted in 2018 and in force since 2020, aims to protect the constitutional rights of freedom, privacy, and free development of citizens. To this end, this legislation primarily aims to regulate the processing of personal data, both in physical form (physical documents) and in digital form (computerized data). The regulation of data processing applies to individuals or legal entities, public or private, that carry out these operations with the personal data of third parties, as we will discuss later. The central focus of this regulation is to guarantee the security, transparency, and control of personal information for the data subjects themselves. Article 6 of the LGPD defines the guiding principles for data processing, which underpin the application of the Law in these operations:
Purpose: data processing must have a legitimate, specific purpose, informed to the data subject, with no possibility of subsequent use incompatible with that purpose. Data may only be collected and used for a clear, pre-defined, and communicated purpose; generic use, or collection "just in case", is prohibited. This is the first filter for the lawfulness of data processing.
Adequacy: the processing must be compatible with the purposes informed to the data subject. The use of the data must be consistent with the purpose for which it was collected. Even if the data was obtained legally, any use outside the original purpose is irregular. NOTE: adequacy is different from purpose; purpose defines the "why" and adequacy ensures that the use is in accordance with that why.
Necessity (data minimization): limit processing to the minimum necessary to achieve the intended purpose. Collect only strictly relevant data to reduce the risk of leaks and abuse. This principle is universal in European law and has been expressly adopted by the LGPD.
Free access: the data subject must have easy and free access to information about the processing of their data, including its existence and how it is used. The data subject may request, at any time, confirmation, access, and information about their data, and the controller must guarantee simple and clear means of access. "Free access" does not mean unrestricted access for everyone; it presupposes controlled transparency towards the data subject, not the public exposure of the data.
Data quality: ensuring that data is accurate, clear, relevant, and up to date. The controller has a duty to keep information correct and up-to-date, and the data subject has the right to correct errors. This principle is related to the right to rectification.
Transparency: the processing must be done in a clear, accessible, and understandable way for the data subject, with information about the agents, purposes, and methods of data use. The data subject must understand who processes their data, why, and how. Privacy policies should be written in simple language. Therefore, transparency presupposes clarity about the processing, as well as free access and the possibility of verifying one's own data.
Security: adopt technical and administrative measures capable of protecting personal data from unauthorized access, loss, destruction, alteration, or improper disclosure. The controller and the operator have preventive responsibility and must guarantee the confidentiality, integrity, and availability of the data. This principle does not eliminate the duty to repair damage caused by security failures (as stipulated in Article 42 of the LGPD).
Prevention: adopting measures to prevent harm from occurring due to data processing. It is a principle of governance and compliance. Therefore, prevention presupposes organizational and anticipatory protection, while security establishes technical protection.
Non-discrimination: data cannot be processed for discriminatory, illicit, or abusive purposes. No one can be harmed, excluded, or differentiated based on personal data (such as origin, gender, religion). This is directly linked to Article 5 of the Brazilian Constitution of 1988: equality and dignity of the human person.
Accountability and transparency: the data controller must demonstrate that it adopts effective measures capable of proving compliance with the LGPD. It is not enough to comply; it is necessary to prove compliance, which implies the production of records, audits, reports, and internal policies. This is the only principle with a procedural aspect, requiring the demonstration of legal compliance during data processing (Article 6, item 10 and Article 50).
Table 1 summarizes the 10 principles that guide the LGPD. It is important to note that the Law applies to any data processing operation carried out within the national territory, to operations that offer goods or services to individuals located in the country, and to operations involving data of individuals located in Brazil.
Table 1: Summary of the 10 Principles of the LGPD

| Nº | Principle | Essence | Keyword |
|---|---|---|---|
| 1 | Purpose | Legitimate and specific purpose | “Why?” |
| 2 | Adequacy | Compatibility with the purpose | “Does it match?” |
| 3 | Necessity | Data minimization | “Only the essentials” |
| 4 | Free Access | Free and easy access | “View my data” |
| 5 | Data Quality | Accuracy and currency | “Correct data” |
| 6 | Transparency | Clarity in information | “Simple language” |
| 7 | Security | Technical and physical protection | “Shielding” |
| 8 | Prevention | Proactive actions against risks | “Avoiding harm” |
| 9 | Non-Discrimination | Respect and equality | “Without prejudice” |
| 10 | Accountability | Proving compliance | “Demonstrating compliance” |
It is important to keep in mind that there are cases where the LGPD does not apply (article 4). This occurs when: the processing is for exclusively personal and non-economic purposes; for public security, national defense and criminal investigation; for journalism, art and literature (freedom of expression); for academic research, observing ethical standards and the data anonymization process.
Data processing, the agents who carry it out, and the personal data of the data subjects
To move forward, it is necessary to understand what data processing is, who the agents associated with data processing are, who the data subjects are, and what types of data are covered by the Law. According to Article 5 of the LGPD, data processing is any operation performed with data provided by individuals or legal entities to a third party, which may be another individual or legal entity, a public or private company, or government agencies. The article demonstrates that data processing involves collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, control, modification, communication, transfer, dissemination, or extraction. Therefore, it is understood that processing represents any action performed with personal data, from collection to disposal.
In data processing, there are three main players. The first is the operator, the agent who carries out the processing of the data on behalf of, and following the orders of, the controller. The controller, the second figure involved in data processing, is responsible for the decisions regarding the processing (it directs the processing). The third figure is the data protection officer, also known in the market as the DPO (Data Protection Officer), who is the communication channel between the controller, the data subjects, and the National Data Protection Authority (ANPD).
Regarding the agents involved in data processing, Articles 37 to 41 present the duties of the controller and the operator (the "processor", in GDPR terminology). According to the LGPD, the controller's duties are: 1. To maintain records of processing operations; 2. To adopt security measures and best practices; 3. To be jointly liable for damage caused; 4. To appoint a data protection officer (DPO). The operator's duties are: 1. To follow the controller's instructions; 2. To adopt security measures; 3. To report security incidents to the controller.
Additionally, the ANPD (National Data Protection Authority) is the body responsible for overseeing and regulating the LGPD; it was created by Law No. 13.853/2019. Article 55-J outlines the main functions of the ANPD, which are: 1. To ensure the application of the LGPD; 2. To oversee and apply sanctions; 3. To develop regulations and best practice guides; 4. To promote international cooperation; 5. To encourage a culture of data protection.
It is important to highlight that data subjects are the natural persons to whom the processed data refer and who have rights guaranteed by the LGPD. According to Article 18, the data subject has the right to:
Confirmation of the existence of data processing;
Access to data;
Correction of incomplete, inaccurate, or outdated data;
Anonymization, blocking, or deletion of unnecessary data;
Data portability;
Deletion of data processed with consent;
Information on data sharing;
Revocation of consent;
Complaint to the ANPD (National Data Protection Authority);
Objection to irregular data processing.
These rights are known as ARCO rights (Access, Rectification, Cancellation, and Objection). These rights must be guaranteed free of charge and in an easy manner, and the controller has up to 15 days to respond to the data subject's request.
Considering this, it is necessary to understand the different types of personal data expressed in Article 5 of the Law. According to the regulation, personal data is divided into two main types: personal data and sensitive personal data. Personal data is information related to an identified or identifiable natural person, that is, information that is linked to a specific individual or that can be linked to one. Complementary to personal data is sensitive personal data, which refers to characteristics of individuals such as racial or ethnic origin, religious beliefs, political opinions, health, sex life, biometric data, and genetic data, among others. Given these characteristics, it is possible to deduce that sensitive personal data refers to individual particularities that personify citizens and place them within specific niches in the plurality of sociocultural characteristics.
Data processing and its guidelines
Now that we have covered the fundamental concepts of the LGPD, we can delve deeper into the Law and understand the general guidelines for the processing of personal data (PPD). The legal bases for the PPD are expressed in Articles 7 and 11 of the LGPD, which stipulate that data processing is only permitted when at least one of the following legal bases applies:
· For personal data:
Consent of the data subject;
Compliance with a legal or regulatory obligation;
Implementation of public policies;
Conducting studies by research bodies;
Contract execution;
Regular exercise of rights in judicial, administrative, or arbitration proceedings;
Protection of life or physical integrity;
Protection of health (professionals or services in the area);
Legitimate interest of the controller;
Credit protection.
· For sensitive data (art. 11), in addition to the data subject's consent, one of the following bases is required:
Compliance with a legal obligation;
Implementation of public policies;
Studies by research bodies;
Exercise of rights;
Protection of life;
Protection of health;
Guarantee of fraud prevention and security of the data subject.
Regarding the consent given by the data subject, Articles 8 and 9 establish how it must be structured. Consent must:
be free, informed, and unambiguous;
be granted in writing or by other means that demonstrate a manifestation of will;
be specific to each purpose;
be provable by the controller, who bears the burden of showing that the data subject consented;
be revocable at any time by the data subject, by means of a simple statement.
The same articles indicate that consent obtained through deception, coercion, omission, misinformation, or through a confusing form is null (invalid). Regarding the revocation and termination of the PPD (Article 8, paragraph 5, and Article 16), the data subject may revoke consent at any time, and termination occurs when: the purpose has been achieved; the data is no longer necessary; the PPD has been prohibited by law; the data subject has revoked consent; or the ANPD has determined the termination of the PPD.
Article 20 deals with the automation of the PPD and decisions made through algorithms. According to the article, the data subject has the right to request a review of decisions made solely based on automated processing, as well as to request information about the criteria used in these processes, to avoid algorithmic discrimination and lack of transparency in the PPD. Examples include credit and profile analysis.
Furthermore, the LGPD addresses data processing scenarios involving anonymized and pseudonymized data. Anonymization produces data that cannot be associated with a data subject, even by reasonable technical means; the LGPD therefore does not apply to it, unless the anonymization can be reversed with reasonable effort (Article 12). Conversely, pseudonymization replaces identifiers with codes that remain reversible by means of a key; in this case, the LGPD applies directly. For example, when the name and CPF (Brazilian taxpayer ID) are removed from a database but an internal identifier code is maintained, this is classified as pseudonymization.
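The distinction above, as an added worked example (not code from the original article): the name and CPF are replaced by a keyed internal code, which stays reversible for whoever holds the key or the mapping table, while an aggregate view drops the link to individuals and suppresses groups too small to hide a single person. The sample records, the key and the k=2 suppression threshold are constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample records: fictional people and CPF-like strings, not real data.
RECORDS = [
    {"name": "Ana Souza", "cpf": "123.456.789-09", "city": "Curitiba", "purchases": 3},
    {"name": "Bruno Lima", "cpf": "987.654.321-00", "city": "Recife", "purchases": 1},
    {"name": "Carla Reis", "cpf": "111.222.333-96", "city": "Curitiba", "purchases": 5},
]

# Constructed demo key. In practice the key is kept in a secrets store, apart from the data.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(cpf: str, key: bytes) -> str:
    """Derive an internal identifier code from the CPF with a keyed HMAC.
    Same CPF + same key -> same code, so records about one person stay linkable;
    without the key the code cannot be recomputed from the CPF."""
    return hmac.new(key, cpf.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list, key: bytes) -> tuple:
    """Remove name and CPF but keep an internal code (the case the article describes).
    Returns the pseudonymized rows and the mapping table (code -> identity). Anyone
    holding the key or the table can reverse the process, so the LGPD still applies."""
    rows, mapping = [], {}
    for r in records:
        code = pseudonym(r["cpf"], key)
        mapping[code] = {"name": r["name"], "cpf": r["cpf"]}
        rows.append({"subject_id": code, "city": r["city"], "purchases": r["purchases"]})
    return rows, mapping


def reidentify(row: dict, mapping: dict) -> Optional[dict]:
    """Reverse the pseudonymization; only possible for whoever holds the mapping table."""
    return mapping.get(row["subject_id"])


def anonymize(records: list, k: int = 2) -> dict:
    """Aggregate purchases per city and suppress groups with fewer than k subjects.
    A group of one is still about a single person and could be re-identified, so it
    would not count as anonymized; k=2 is a constructed threshold for the demo."""
    totals, counts = {}, {}
    for r in records:
        totals[r["city"]] = totals.get(r["city"], 0) + r["purchases"]
        counts[r["city"]] = counts.get(r["city"], 0) + 1
    return {city: t for city, t in totals.items() if counts[city] >= k}


if __name__ == "__main__":
    rows, table = pseudonymize(RECORDS, DEMO_KEY)
    print(rows[0])                    # subject_id, city, purchases; no name or CPF
    print(reidentify(rows[0], table)) # identity recovered with the table
    print(anonymize(RECORDS))         # {'Curitiba': 8}
```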
Articles 23 to 30 address the processing of personal data (PPD) carried out by the Public Administration. According to these articles, public authorities must follow the same principles as the rest of the LGPD: they may share data only for legitimate and specific purposes, they are prohibited from transferring data to private entities without a legal basis or the consent of the data subjects, and they must guarantee transparency in the process, in compliance with the Access to Information Law (2011). As in the private sector, each public body must appoint a data protection officer (DPO). The LGPD expressly states that consent is not required for the processing of data by public authorities, provided there is a legal basis or a clear public purpose for its execution.
Articles 7 (paragraph 5), 33, and 34 address the communication and sharing of data. According to the LGPD, communication refers to the transfer of data within the national territory between public and private entities. On the other hand, sharing is associated with the provision of data between different controllers. In both cases, the same rules discussed so far apply, that is, both procedures must: 1. Have a legitimate purpose and legal basis; 2. The data subject must be informed about the sharing; 3. The public authority may only share for specific and legitimate purposes; 4. International transfer is only permitted to countries with an adequate level of protection or with authorization from the ANPD. Regarding the international transfer of data, articles 33 to 36 indicate that this is only permitted when: 1. The recipient country guarantees an adequate level of protection; 2. There is authorization from the ANPD; 3. There are specific contractual clauses; 4. With the explicit consent of the data subject.
Finally, articles 46 to 50 address aspects related to security and best practices in data processing. According to these articles, agents must: 1. Adopt technical and administrative measures to protect data; 2. Report security incidents to the ANPD and the data subject; 3. Implement privacy governance programs and periodic audits.
Administrative liability under the LGPD
The administrative sanctions established by the LGPD are listed in Article 52 of the Law and are applicable to agents, bodies, and companies involved in the PPD. The penalties determined by the Law are:
· Warning: with a deadline for adopting corrective measures;
· Simple fine: up to 2% of revenue (limited to R$ 50 million per infraction);
· Daily fine: until the legal limit is reached;
· Public disclosure of the infraction: disclosure of the violation;
· Data blocking: temporary suspension of use;
· Deletion of personal data: permanent removal;
· Suspension or partial/total prohibition of processing activities: in the most serious cases.
In addition, Articles 42 and 45 define that the controller and the operator are jointly liable for patrimonial, moral, individual, or collective damage caused by data processing carried out irregularly or in violation of the principles expressed in the LGPD. However, the same articles indicate that the agents may be exempt from liability if they demonstrate that they did not carry out the specific PPD in question, that the damage caused did not result from their actions, or that they acted in accordance with the provisions of the General Data Protection Law.
Final considerations
After reviewing the General Data Protection Law – LGPD (Law No. 13.709 of 2018), we understand that it applies to both the public and private sectors, ensuring control and efficiency in the processing of personal or sensitive personal data. We understand the rights associated with data subjects and how they can act against agents that process data, whether public or private. Finally, we see that the LGPD emerged to complement the Access to Information Law, ensuring transparency, efficiency, and data security. In future articles, we will address the implications of these regulations for Corporate Management, as data are vital sources for business prospecting, strategic planning, quality/environmental/risk management, and maintaining operational records. See you soon.