With the entry into force of the new Brazilian General Data Protection Law (LGPD) in September, companies, financial institutions and fund managers in Brazil began the process of adapting to the new law. What about foreign entities operating outside the country: do they fall within the scope of the LGPD?
The answer is yes. The LGPD should be observed by organizations in foreign jurisdictions that:
(i) offer services to the consumer market in Brazil;
(ii) collect and process data from people located in the country; and/or
(iii) receive, through international transfer, personal data originally collected by Brazilian companies, which, in most situations, makes them operators.
Inspection regarding foreign companies’ compliance with the LGPD will be carried out by the National Data Protection Authority (ANPD), a public administration body that was created especially to carry out these controls.
Regardless of whether they operate from Brazil or abroad, foreign organizations that fail to comply with the terms and conditions of the new LGPD may face sanctions ranging from a simple warning to fines of up to 2% of the organization’s gross revenue (limited to BR$ 50 million).