Conte um pouco sobre o seu negócio

What changes with the General Data Protection Law (GDPL) in Brazil?:
Grow with Alana

What changes with the General Data Protection Law (GDPL) in Brazil?

Did you know that the General Data Protection Law was enacted in September this year and will take effect from the last day of 2020…

Reading time: 6 min

Did you know that the General Data Protection Law was enacted in September this year and will take effect from the last day of 2020 in Brazil? And what does that mean for your company and your customers?

The CEO of Alana AI, Marcel Jientara, spoke with Jovem Pan about this law that was so awaited in the sector, and about how it affects the daily lives of businesses and individuals, as it regulates the use of personal data.

For Marcel, Law No. 13,709 / 18 is a tremendous advance, as important as the civil framework of the internet, since it consolidates a series of rights granted in the constitution and in the civil framework itself.

GDPL: From approval to sanctioning

The discussion on the use of personal data and information has been around for a long time, and the evolution of the internet and big data has accelerated the need to regulate this practice.

The General Data Protection Law defines and regulates what can and cannot be done with personal data. It also allows the individual to activate the company, question what data it has and, if it is of its will, request the deletion of the information.

For companies, Law No. 13,709 / 18 creates the collection responsibility, that is, it requires that the data collected be previously authorized.

Official Facebook notice inviting Brazilian users to manage personal data settings

In Brazil, the GDPL was approved 2 years ago, a period that was used by most companies to adapt to the new rules, and sanctioned in 2020 to have practical validity from 2021, since the regulatory body does not yet have dedicated people and actively working.

Webseries recommendation: Customer Care = Humans + Technology

Regulatory Agency: ANPD

Decree nº 10.474, of August 26, 2020, approved the creation of the body responsible for compliance and monitoring of the GDPL.

The National Data Protection Authority (ANPD) will be led by a Council composed of the Chief Executive Officer, and by administrative structures of the chief of staff, the General Secretariat, the Legal Counsel, the Ombudsman, and the Internal Affairs, as specified in the decree.

Although Law No 13.709/18 is already in force, the regulatory body does not yet exist effectively, as there are no people in offices.

In theory, the punishments could already be applied, as it was in the European Union that, according to Jientara, imposed fines from the first day that the European Union Data Protection Act (GPDR) came into force.

In Marcel’s view, the ideal would have been the early creation of the ANPD body, so that he could assist small and medium-sized companies in the process of adapting to the new rules. The body could be a focal point of guidance for companies and not just punishment.

What changes regarding data usage?

The main advance brought by the General Data Protection Law is the power given to people to choose how their data will be used and even choose to delete it from the database of the companies they want.

The adaptation to the law requires a great investment in technology, especially in the areas of customer service and marketing, since all data will have to be properly stored for specific purposes, with no possibility of sharing between areas, if the customer does not allow it.

For example, in the hypothetical case cited by Marcel, in which an application requests the person’s email to register, but uses it to send other types of messages. Before the GDPL, nothing would happen to the company, but after the sanction of Law No. 13,709/18, the application could be punished.

Reading recommendation: Regulation of artificial intelligence: understand the global debate

How to write a data usage policy

Before creating a consent form for data use it is important to consult experts on the subject and ensure that the process of adaptation to the GDPL encompasses all necessary aspects.

Ideally, a good data usage policy should be written by an attorney, or a governance expert, and should include the following information:


Check out two text templates for requesting data usage. We emphasize that it is important, and necessary, to consult experts in the field to fully comply with the General Data Protection Law and create authorizations that cover all aspects of your business.

1. For browsing data (cookies)

This site uses cookies

We use cookies to [detail the reasons: content personalization, traffic analysis, advertising campaigns, etc.]. We also share information about [detailing the shared data] with [specifying whether the data is shared with partners or with the brand’s social media], which may combine with other details that you may have provided in direct interaction with them.

Customer options: [provide the option for the customer to choose what they want to do]

2. For personal data 

Term of permission for storage and processing of personal data

This document aims to record the individual’s agreement with the processing of their personal data for a specific purpose, in accordance with Law No. 13.709 / 18, the General Data Protection Law (GDPL).

We inform you that we collect your data [specify which personal data] for [specify the purposes]. Your personal data will be stored and preserved indefinitely [or add the exact time]. Customer data will be stored [as it is stored] and can be deleted at any time, as requested by the customer.

The customer is entitled to:

Requests and inquiries regarding the treatment and deletion of data must be made through [information for contact with the company].

Suitability of sectors to GDPL

Although the ANPD is still not exercising its role effectively, several companies are already seeking to adapt to the new rules, as is the case of business in the insurance sector, which are working together so that the sector is the first to fully adapt to the General Data Protection Law.

There are more than 50 thousand brokerage companies and insurance brokers affiliated with Fenacor (National Federation of Insurance Brokers). The project became known as GDPL cor and seeks to assist entrepreneurs in the following aspects:

A practical guide for compliance with the General Data Protection Law;

What is the “Brazilian Civil Rights Framework for the Internet”?

Law No. 12,965 /14 has been in force since June 2014 and, according to the official text, it “establishes principles, guarantees, rights and duties for the use of the Internet in Brazil”. The main objective of the “Marco Civil da Internet” is to prevent and combat crimes committed online, the cybercrimes.

The text of the law addresses the following topics:

An interesting fact for Brazil is that the country was one of the first to adhere to the principle of net neutrality, which determines the quality of access for all and prohibits internet providers from limiting their use.

Based on the General Data Protection Law (Law No. 13.709/18), the ‘Marco Civil da Internet’ underwent some changes to include the creation of the regulatory body (ANPD), and other aspects related to fines and the possibility of data management by individuals.

The two laws are complementary and, despite the need for investment in technology and time to adapt processes, they are beneficial for both people and companies, who can work even more transparently and develop new strategies to meet all rules of the General Data Protection Law (GDPL).

If you still have questions about this topic, we suggest watching the video added at the beginning of this text. It is fast and extremely useful!