Everything You Need To Know About LGPD Privacy Policy Requirements
Brazil’s Lei Geral de Proteção de Dados (“LGPD”), the country’s data protection law, is one of the most restrictive in the world. Modeled after Europe’s General Data Protection Regulation (“GDPR”), LGPD requires companies to comply with strict requirements related to the collection and processing of Brazilian consumers’ personal data. One of those requirements is that an organization post its privacy policy on its website. Below we detail how your organization can comply with this requirement.
Does my company need a privacy policy?
The short answer is yes, if your organization is subject to LGPD. One interesting aspect of LGPD is that there is no explicit privacy policy mandate. However, a key tenet of LGPD is transparency, so identifying the who, what, where, when, why and how of your data collection, transfer and storage policies, procedures and personnel is a key component of complying with LGPD. A well-drafted privacy policy is the natural place to document all of this, and it enables an organization to properly comply with LGPD.
What should I include in my privacy policy?
At a minimum, your privacy policy should:
- Be transparent about the personal data you collect
  - First, declare that you collect personal data
  - Second, explain what data you actually collect (e.g. IP address, email address, name, phone number, etc.)
  - Third, describe the specific purpose of the processing
  - Fourth, communicate the duration of the processing
- Provide the justification and reasons for collecting that data
  - LGPD sets out 10 legal grounds for data processing, so you can’t legally collect personal data unless you can justify it under one of these bases:
    - Individual consent
    - Performance of a contract with the individual
    - Public health
    - Protecting a credit score
    - Complying with your organization’s legal obligations
    - The individual’s safety
    - Performing public statutory duties
    - Legal proceedings
    - Research
- Inform individuals of their rights pursuant to LGPD
  - LGPD provides individuals with 9 specific rights that you need to tell them about, including:
    - The right to confirmation of the existence of the processing;
    - The right to access the data;
    - The right to correct incomplete, inaccurate or out-of-date data;
    - The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
    - The right to the portability of data to another service or product provider, by means of an express request;
    - The right to delete personal data processed with the consent of the data subject;
    - The right to information about public and private entities with which the controller has shared data;
    - The right to information about the possibility of denying consent and the consequences of such denial; and
    - The right to revoke consent.
- Communicate how individuals can contact your organization to exercise their rights
  - You need to provide at least one way for an individual to contact you about their personal data (e.g. email, phone, mail or other).
Do I need my LGPD policies in different languages?
As of this writing, we’re not aware that the privacy policy needs to be in any specific language. However, LGPD does require that the language used be clear and transparent, so it is likely best to publish your privacy policy in Portuguese for Brazilian visitors.
How often do I need to update my LGPD policies?
Unlike California’s CCPA, which imposes a requirement to update your organization’s privacy policy at least every 12 months, there is no such requirement for LGPD.
What documents do I need in order to be compliant with LGPD?
A privacy policy is the document required to be compliant with LGPD.
How to add a Privacy Policy to my Website?
With Clym, you can easily manage all your privacy and other legal documents, with support for multiple languages and versioning. We also give you the ability to embed these documents into pages or sub-domains, so if you need to edit them, you only need to do it in one place. All of your policies can be timestamped, and as regulations continue to evolve, you can show your website visitors how your policies have been updated. See our Document Management product for more information.
Key Takeaways
While the LGPD does not explicitly state that a privacy policy is mandatory, it does require organizations to clearly and transparently communicate with individuals regarding their data being collected, transferred and stored. A well-drafted privacy policy can accomplish this goal, and mitigate risks associated with noncompliance with LGPD.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.