What is the LGPD?
Brazil’s General Data Protection Act (Lei Geral de Proteção de Dados) (LGPD) is the comprehensive privacy and security law governing the protection of personal data in Brazil. LGPD was enacted on August 14, 2018.
Under the LGPD, any information that makes it possible to identify an individual can be considered personal data.
The key definitions of the LGPD are similar to GDPR. For example, there are two main roles that a company can take on in personal data processing activities. These are the data controller and data processor.
A data controller is an entity in charge of making the decisions regarding the processing of personal data, while a data processor is an entity that processes personal data on behalf of a data controller. However, in comparison with the GDPR, the LGPD does not explain the concept of joint controllership.
However, the concept of joint controllership was introduced by ANPD (Brazil’s data protection authority) in its guidelines and can be understood as “the joint, common or convergent determination, by two or more controllers, of the purposes and essential elements for the realization of the treatment of personal data, through an agreement that establishes the respective responsibilities regarding compliance with the LGPD”.
If a company fails to comply with LGPD requirements, a national authority, i.e. ANPD may apply administrative sanctions against such a company, including fines of up to 2% of the company’s revenue in its last fiscal year, excluding taxes, capped at R$ 50,000,000 (approximately USD 10,000,000) per infraction.
Is it necessary to receive consent to process emails?
No, it is not strictly necessary. The LGPD provides ten legal bases for the processing of personal data. We mostly rely on four of them, e.g. during the processing of the prospects’ email addresses as a controller we rely on legitimate interest. When we act as a processor, we believe that clients have the appropriate legal basis to transmit your personal data to us, including by obtaining valid consent from data subjects to do so.
What is legitimate interest?
The legitimate interest basis is one of the ten legal bases for personal data processing under the LGPD.
We have defined that the processing of emails relies on our, yours, and the prospects’ legitimate interests which are the following:
- contribution to business cooperation between you and your potential prospects;
- creation and assistance in discovering the new business-targeted marketing and sales opportunities for you and your potential prospects;
- your interest in the expansion of the database of the potential prospects;
- development of the new unique platform that simplifies and facilitates professional interaction between businesses;
- your interest in the use of an online platform for businesses that combines sales, CRM, analytics, marketing, and email service functionality;
- prospects’ interest in the approach of new potential and verified clients or suppliers;
- prospects’ interest in commercializing the use of their publicly posted information related to their professional or business interests/occupation.
How does Snov.io ensure it has the right to process email contacts?
We do our best to ensure that our activities comply with the requirements of the LGPD.
Under Article 10 of the LGPD, the controller shall adopt measures to ensure transparency of data processing based on their legitimate interests.
Snov.io has completed a legitimate interest assessment regarding all personal data whose processing is based on legitimate interest, including emails. We concluded that the data subject’s fundamental rights and freedoms, which require personal data protection under applicable laws, do not prevail in this case and therefore do not contradict with requirements of Article 10 of the LGPD.
How does Snov.io fulfil the rights of prospects under the LGPD?
We do our best to comply with the requirements of the LGPD, guidelines issued by ANPD, and applicable laws.
Snov.io fulfils the prospects’ rights as follows:
- undertakes appropriate technical and organizational measures to ensure secure processing and transfer of prospects’ personal data;
- fulfils the prospects’ requests regarding the processing of their personal data;
- answers the prospects’ questions regarding the processing of their personal data;
- processes prospects’ personal data on a lawful basis under the LGPD;
- transfers prospects’ personal data only to the trusted service providers.
Do you need to comply with the LGPD?
We would strongly recommend that you comply with the requirements of the LGPD when this act applies to your data processing activities. Please note that you act as a joint data controller together with us regarding the prospects’ personal data you provide us with.
Important: as joint data controllers, we should cooperate and provide reasonable assistance to each other in order to ensure fulfilment of the prospects’ rights, so in case you receive requests from the prospect, you may contact us. For more information, please check our Joint Controllership Agreement.
If you have any other questions about Snov.io data processing activities, in particular regarding Snov.io commitments under the LGPD, do not hesitate to contact us at firstname.lastname@example.org or via live chat in the lower right corner.