Global Data and Cyber Handbook

Brazil

Select a Topic
Start Comparison
Key Definitions
Jump to
Key Definitions Start Comparison
Personal data

Last review date: 3 January 2025

The LGPD defines personal data as "any information related to a natural person identified or identifiable" (article 5, I).

The Constitutional protection of privacy and the provisions of the Civil Code are very broad as they refer to the protection of the individual's privacy, intimacy, and personal data. The CDC refers to any information included in registrations or forms and any data regarding the acquisition of products or services.

Decree No. 8,711/2016, which regulates the Internet Legal Framework, provides a definition of Personal Data which, in theory, is limited to the purposes of such law. The Decree defines Personal Data as any data related to an identified or identifiable individual, including identification numbers, location data, or electronic identifiers when these are related to a person.

Furthermore, the Brazilian Information Access Law defines personal information as any information regarding an identified or identifiable individual. This definition may be used as a reference point for the purposes of data protection laws and is generally adopted in courts and by scholars when addressing this matter.

Sensitive/special personal data (including personal data subject to additional protections/ restrictions/breach notification obligations)

Last review date: 3 January 2025

Sensitive data includes:

☒        personal data revealing racial or ethnic origin

☒        personal data revealing political opinions

☒        personal data revealing religious or philosophical belief

☒        personal data revealing trade / professional union or association membership

☒        genetic data

☒        biometric data for the purpose of uniquely identifying a natural person or biometric templates

☒        data concerning health/medical information

☒        data concerning a natural person's sex life or sexual orientation

Controller vs Processor

Last review date: 3 January 2025

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

  • the controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • the processor is natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • The concept of "owner" and "agent" is not provided under the LGPD.

Answer: Yes

{{ $store.state.loadingScreen.message }} ...