The General Data Protection Law - LGPD and Online Security

And what is done with this information? How is it kept secure? This is what Law 13.709, known as the General Data Protection Law (LGPD), regulates. The LGPD was signed into law in August 2018 by Michel Temer and entered into force on September 18 of this year. From the sanction onwards, all companies must follow the legal definitions for treating the personal data of customers, employees, visitors, suppliers or any other category of holder whose data is processed. The use of any personal information, from the most basic, such as name and e-mail, to health data, must comply with the new law. Fines for non-compliance can reach R$ 50 million.


Data treatment is any procedure involving the use of personal information, such as collection, classification, use, processing, storage, sharing, transfer and deletion, among other actions.


LGPD determines the rules on the use of personal data in all online transactions. The law prohibits the indiscriminate use of personal data. To comply with the legislation, companies will have to define the legal basis for the use of the data and state the specific purpose for which the data is used. LGPD also obliges companies and public bodies to delete data at the end of the data treatment period, while respecting obligations under other laws, such as labor and tax law. In addition, companies will be obliged to tell the user what personal data about him/her is in their database if he/she requests it. Information about children and adolescents will also receive stronger protection and can only be used with the consent of parents or legal guardians.


The law also guarantees differentiated treatment of personal information considered sensitive. Sensitive data are those referring to racial or ethnic origin, religious conviction, political opinion, membership of a union or of a religious, philosophical or political organization, data referring to health or sexual life, and genetic or biometric data.

The citizen will need to be aware of the rules set out by the companies that treat his/her data, as well as of his/her rights and how to exercise them. At any time in the relationship with the institution, one can request the data and know how they are being used.

Companies will have to implement a structure and an internal policy of compliance to properly treat their customers' data. This applies to both public and private sector entities.

In order for this process to occur properly, LGPD defines three important roles in organizations: the controller, who determines decisions about data treatment and is usually the company with which the holder has the commercial relationship; the operator, who can be hired by the controller to perform personal data treatment on its behalf; and the data protection officer (DPO), the professional who handles communication between the controller and the agency responsible for enforcing the law.

It is recommended that companies create a committee to develop internal policies, goals and plans for data protection management, as well as emergency plans for crisis management involving security and privacy. In the event of an information leak, the customer and the government regulatory agency must be notified in a timely manner.

The employees of the controlling organization must know the procedures and therefore must be trained on the new legislation and on how data treatment within the company will be performed.

The government will structure the National Data Protection Authority (ANPD), the body responsible for monitoring compliance with LGPD. This body will also draw up the guidelines of the law and apply the penalties provided for public or private companies that fail to comply with its requirements.

LGPD was under discussion for eight years before it was created. It is based on the GDPR (General Data Protection Regulation), the pioneering law on the protection of personal data and privacy in the European Union. Effective since 1995, it was created after scandals over leaks and the sharing of data without the holders' consent by large technology companies such as Facebook.

GDPR applies only to companies based in Europe, operating on the continent or using data of European citizens. However, large technology companies have extended its requirements to all their users, regardless of country of origin. The same should happen with LGPD, which applies in national territory or to data of Brazilians, but can take effect in other countries.

Neoenergia defined three phases for its adequacy to the General Data Protection Law: mapping and definition of action plans; implementation of the defined plans and adjustments in the data treatment catalog; and improvement of the governance model. The company is already in the third phase of this project. Neoenergia's first decision was to draw up the Registration of Data Treatment Actions. This large catalog holds all the information about the data treatment carried out in the company, including the legal basis for each treatment and various supporting information about it.


With the action plans defined after the data mapping, Neoenergia published privacy notices on its websites, implemented channels for holders to exercise their rights and started a process of training and building a personal data protection culture among its employees, as well as adapting its processes.


Today, holders (customers, visitors, etc.) whose personal data is treated by the Neoenergia Group can already access the Policy/Privacy notices page on the company's websites. The organizational structure for handling personal data security is already in place, from the DPO (Data Protection Officer) down to the 21 Data Protection Responsible People in the various areas of the company. In addition, the Cybersecurity, Personal Data Protection and Incident Treatment regulations have been reviewed and updated for greater compliance with LGPD.


Currently, the company is improving its governance model and personal data protection, and is making adjustments to the Incident Treatment Milestone, the internal rules on how to proceed in the event of a data leak or other cyber security incident.


Neoenergia considers LGPD important so that Brazil can continue to take part in the international trade of services. With a law clearly establishing duties and rights regarding the protection of personal data, there will be a great advance in the level of maturity of organizations, as well as of holders, regarding the use of personal data.