Brazil: Processing in jurisdiction
The Brazilian General Personal Data Protection Law (LGPD) establishes its applicability to data processing activities based on several factors, including whether the processing takes place within Brazilian territory.
Text of Relevant Provisions
LGPD Art.3(I):
*"This Law applies to any processing operation carried out by a natural person or a legal entity of either public or private law, irrespective of the means, the country in which its headquarter is located or the country where the data are located, provided that:
I – the processing operation is carried out in the national territory;"*
LGPD Art.3(III):
*"This Law applies to any processing operation carried out by a natural person or a legal entity of either public or private law, irrespective of the means, the country in which its headquarter is located or the country where the data are located, provided that:
III – the personal data being processed were collected in the national territory."*
Analysis of Provisions
The LGPD's applicability extends to data processing activities occurring within Brazil, as indicated by Article 3(I). This provision clarifies that the law applies regardless of the data controller's location or where the data is stored, as long as the processing itself takes place in Brazil.
Furthermore, Article 3(III) adds another layer to the LGPD's territorial scope by encompassing data that was collected within Brazil. This means that even if the processing occurs outside Brazil, the LGPD still applies if the personal data was initially collected within the country.
The rationale behind these provisions is to ensure the protection of individuals' data within Brazilian borders, regardless of where the data controller is based. This approach aligns with the LGPD's objective of safeguarding the fundamental rights of data subjects in Brazil.
Implications
The LGPD's territorial scope has significant implications for businesses:
- Foreign companies processing data in Brazil: Companies without a physical presence in Brazil but processing data within its territory using servers or cloud services located in Brazil are subject to the LGPD.
- Data collection in Brazil: Companies collecting data from individuals in Brazil must comply with the LGPD, even if the data processing happens outside the country. For instance, a foreign online retailer collecting data from Brazilian customers through its website must adhere to the LGPD.
- Data transfers: Transferring data collected in Brazil to other countries requires careful consideration under the LGPD's requirements for international data transfers.
- Compliance obligations: Companies falling under the LGPD's scope due to processing data within Brazil or processing data collected in Brazil must comply with its obligations, including data subject rights, data security measures, and data breach notification requirements.
Jurisdiction Overview
Gavel Factors: (7)