General Data Protection Law

In a context where our personal information is increasingly exposed and where our confidential data are increasingly vulnerable, legislation to protect our data is necessary.

The General Data Protection Law – Law No. 13.709 – was enacted on August 14, 2018 and comes into force as of January 2021 throughout the national territory, with the objective of protecting the fundamental rights of freedom and privacy and the free development of the natural person’s personality.

The General Data Protection Law is based on the GDPR, a European regulation that establishes the fundamental rights of freedom and privacy regarding the collection, storage and sharing of personal data, determining the application of penalties in case of non-compliance.

It is based on the following principles:

• respecting privacy;
• in informative self-determination;
• freedom of expression, information, communication and opinion;
• in the inviolability of intimacy, honor and image;
• in economic and technological development and innovation;
• in free enterprise, free competition and consumer protection;
• and in human rights, the free development of personality, dignity and the exercise of citizenship by natural persons.

Current Scenario

Currently, legal entities can ask individuals, when registering for purchases or other purposes, for a set of data that often has nothing to do with the purpose of the company.

Often this data that should be confidential is sold without the consumer’s authorization, which results in a series of annoyances that we are unfortunately already used to: direct mail, spam, phone calls and a series of contacts made by companies to which we never provide information. or demonstrate any interest.

What changes with the General Data Protection Law

The General Data Protection Law empowers consumers, giving them control over their data and the possibility of punishing those responsible for any damage caused by the misuse of their information.

The new law provides for several situations that make data processing legal. Among them, the following deserve to be highlighted:

  • The need to obtain explicit consent from the data owner. He must be clearly informed of the terms of use and freely authorize their use.
  • The company must prove that its collection will be useful for its interaction with its consumers.

It is also important to remember that data subjects may at any time rectify, cancel or even request their deletion. With the General Data Protection Law, the scenario will change, as the data owner will have to clearly sign their consent and legal entities that still ignore this prerogative will be subject to fines of up to 50 million reais.

How to adapt to new requirements

General Data Protection Law acts so much in relation to every company that handles data, whether from customers or employees. The same rule is valid for private companies, state companies, autarchies and government agencies.

The first step is to create an Information Security Committee within the company responsible for analyzing the current status of internal procedures regarding the data received.

There is a lot to be accomplished by companies regarding the collection and use of customer data, so they should immediately begin reviewing their processes to comply with legislation. And this procedure is valid both for companies already familiar with the technology and for those that still keep their records on paper.

Within this process, it is important to carry out a very detailed mapping of how personal data is treated and its entire life cycle within the company. Know where they go, where they are stored, who has access and if they are shared with third parties – in Brazil or abroad. Having identified the deficiencies, we must initiate the procedures to make the data transaction totally secure for both the company and the consumers.


In the case of private companies, they must respond in formats ranging from a warning to a fine of 2% of their sales, without exceeding R$ 50 million, in addition to possible daily fines depending on the degree of offense committed. The interpretations regarding the infractions of companies in the public sphere will be defined on a case-by-case basis.


By creating a system to protect the data collected and processed, the company also ends up protecting any and all information it possesses, whether from external attacks or the human error of its employees.

It may seem like a very long list of rules to be complied with, but the adaptation to the General Data Protection Law presents itself as a robust form of protection by preventing the occurrence of incidents with personal data and protecting one of the greatest assets of any and every company , your reputation.


How Synergye acts in the General Data Protection Law –