Main Obligations of Companies under the LGPD and Simplified Regulation for Small Businesses


The General Data Protection Law (LGPD), Law No. 13,709/2018, introduced significant obligations for companies that handle personal data in Brazil, aiming to protect the fundamental rights of freedom and privacy. Below, we highlight the main obligations imposed by the LGPD on companies and discuss the mitigated rules applicable to small businesses.

1. General Obligations under the LGPD:

  1. Consent: Companies must obtain explicit consent from data subjects to process their data, except in legal exceptions where processing is justified by other legal grounds, such as compliance with legal obligations or credit protection.
  2. Transparency: It is crucial that companies are clear, precise, and accessible in their communications with data subjects, especially regarding the purposes of data processing.
  3. Access and Correction: Ensure that individuals have the right to access, correct, and update their personal data.
  4. Data Security: Implement technical and administrative measures to protect personal data from unauthorized access and accidental or illegal situations of destruction, loss, alteration, communication, or any form of inappropriate or illegal processing.
  5. Incident Notification: In the event of a security incident that may pose a significant risk or damage to data subjects, companies are required to notify the National Data Protection Authority (ANPD) and the data subjects.
  6. Data Deletion: Personal data collected must be deleted after the end of its processing, except for cases of mandatory record-keeping as required by law.
  7. International Data Transfer: Transfers of personal data to countries or international organizations that do not provide an adequate level of data protection as prescribed by the LGPD may only occur under specific conditions.

2. Mitigated Obligations for Small Businesses:

Recognizing the challenges and limitations faced by small businesses, micro-enterprises, and startups, the LGPD provides more flexible rules for these entities:

  1. Simplification: The possibility of presenting data protection impact reports in a simplified manner.
  2. Extended Deadlines: In certain circumstances, these companies may have longer deadlines to comply with data subjects’ requests.
  3. Reduced Penalties: In case of infractions, fines may be reduced, considering the company’s annual revenue, economic capacity, and the severity of the infraction.

It is essential that all companies, regardless of size, be aware of their obligations under the LGPD to ensure compliance and avoid penalties. For small businesses, it is advisable to take advantage of the flexibilities offered by the law to facilitate adaptation to the new data protection regime.
