Highlights - 06/20/2018

Understand the impact of the General Data Protection Regulation on Brazilian companies

On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect. It is a law implemented by the European Union that establishes rules for the processing of personal data and the free movement of such data.

Contrary to what many people may believe, the regulation does not apply exclusively to companies or institutions which are established in the European Union, but to any establishment that, in the context of its activities, processes personal data of EU residents.

In view of the scope provided for in the Regulation, it is incontrovertible that companies from all over the world may be affected by and will need to comply with the General Data Protection Regulation.

Another important factor is that delimiting what is considered “personal data” can raise considerable doubt for those who need to comply with the Regulation. After all, the expression may be comprehensive to the point of considering as personal data any and all data intrinsic to the individual.

It is believed that for this reason, the General Data Protection Regulation provides a wide range of definitions regarding terms that are used in the Regulation.

With regard to personal data, the Regulation defines it as information relating to a natural person, understood as an individual, who is identified or identifiable. A person is considered identifiable if he or she can be distinguished, directly or indirectly, by reference to an identifying element, such as a name, identification number, location data, or one or more specific elements of physical, physiological, genetic, mental, economic, cultural or social identity.

Finally, it is important to emphasize that the Regulation establishes sanctions for violations of its provisions in order to strengthen the enforcement of its rules.

A data subject who considers that his/her rights have been violated must submit a complaint to a control authority, without prejudice to any other administrative or judicial action. The General Data Protection Regulation also assigns responsibility to the author of the data processing in case of violation of the provisions of the Regulation and entitles the data subject to receive indemnification from this author.

Likewise, in addition to granting protection mechanisms to the data subject, the Regulation provides for the imposition of fines and penalties to be applied by the control authorities, considering parameters imposed by the Regulation in case of violation of the provisions of the GDPR.

In short, the Regulation brings important definitions, rules and penalties on the subject and we need to observe how the European Union and other countries that need to comply with the Regulation will react to the changes.


Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Published By Marília Rodrigues