Brazil
2.2. Additional or ancillary regulation, directives, or norms A key provision of the LGPD is the establishment of the Brazilian Data Protection Authority (“ANPD”). Beyond its main role in overseeing data processing and legislation adherence, the ANPD also offers comprehensive guidance and clarification on complex and important issues encountered by data controllers in their operations. The ANPD has issued several regulations to enhance clarity and compliance within the LGPD framework, including the Regulation of the Inspection and Administrative Sanctioning Processes, specific to the ANPD's role and authority. The Authority has also issued regulations for applying the LGPD to small-scale data controllers and on the application of penalties, among others. More recently, the ANPD issued Resolutions No. 18/241 and No. 19/242, which also mark significant developments in the Brazilian data protection framework. Resolution No. 18 provides detailed guidance on the role, responsibilities, and minimum requirements for the Data Protection Officer (DPO), while Resolution No. 19 establishes rules and safeguards for international transfers of personal data. As will be further detailed in the following sections, both resolutions bring greater specificity to key areas of data protection, offering practical guidance that enhances legal certainty and operational clarity for organizations. Moreover, they underscore the ANPD’s pivotal role in the national data protection https://klalaw.com.br/en/home/
ecosystem, reinforcing its authority in setting standards and providing concrete directions for the effective and consistent application of the LGPD. Scope of Application 3.1. Legislative Scope The LGPD applies to any personal data processing activity carried out by individuals or legal entities, whether private or public. This applies regardless of the processing method (online or offline), the company's headquarters location, or the data's location, provided that: (i) the processing is performed in national territory; (ii) the processing activity has the purpose of offering or providing goods or services to individuals located in the national territory; (iii) the processing activities have, as purpose, the processing of data from individuals located in the national territory; or (iv) when the personal data has been collected in the national territory. The country in which the processing agents were incorporated or have head offices, the nationality and place of residence of the data subjects, and the country where the data is located are all elements that are considered irrelevant to the assessment of whether the LGPD shall apply to a given processing activity.
Made with FlippingBook - PDF hosting