Presidential Decree (MP) No. 869/2018, published on December 28, amended provisions of Law No. 13,709/2018, the so-called General Data Protection Law (LGPD), and created the Brazilian Data Protection Authority (ANPD), a part of the Executive Branch.

Among the changes promoted by the MP, it is worth highlighting the extension by six months of the date of entry into force of the new law. As a result, the obligations set out therein will become effective as of August of 2020.

The creation of the ANPD, in turn, takes effect as of the date of publication, with emphasis on the following points: 

  • The ANPD will be composed of a Management Board, the National Council for Personal Data and Privacy Protection, the overseer’s office, the ombudsman's office, the advisory board, and administrative/specialized units for the application of the LGPD.
  • The Management Board shall be composed of five members, appointed by the President of Brazil, for four-year terms.
  • The National Council for Personal Data and Privacy Protection shall have 23 representatives, all of them appointed by the President of Brazil, 11 of them being from the State (6 from the Executive Branch, 1 from the Senate, 1 from the Chamber of Deputies, 1 from the National Council of Justice, 1 from the National Council of the Public Prosecutor’s Office, and 1 from the Internet Governance Committee in Brazil), 4 from civic society entities, 4 from scientific institutions, and 4 from the business sector.
  • The ANPD shall be responsible for, among other things: promulgating rules and procedures for regulating the LGPD, interpreting the LGPD, and monitoring and applying the sanctions set forth in the LGPD.
  • The ANPD shall coordinate its work with the National Consumer Defense System of the Ministry of Justice and other bodies and entities with sanctioning and normative competencies related to the subject of personal data protection, and it shall be the central body for the interpretation of the LGPD and the establishment of standards and guidelines for its implementation.

Other changes that deserve mention:

-      There is no longer any requirement that the Data Protection Officer (DPO) be an individual. Therefore, controllers will have more flexibility in relation to the implementation model of the function.

-      The text expresses the possibility of sharing personal health data for the provision of complementary health services.

-      The right to review decisions made on the basis of automated personal data processing procedures remains, but there is no longer any need for such review to be performed by an individual.

-      The possibility of sharing by the Government of personal data has been expanded, including the possibility of transferring personal data based on contracts, agreements, or similar instruments.

The presidential decree will be subject to the process of conversion into law, whose deadline is up to 120 days, and may be fully approved, rejected, or even approved with amendments. We will continue to monitor the issue and provide those interested with all the clarifications and support necessary.

The full text of the presidential decree may be found at this link: