How does the LGPD (Brazilian General Data Protection Law) apply to international companies with operations in Brazil?


Brazil is one of the countries that most attracts the attention of international companies. It has a vast population that consumes many products from abroad, especially from large technology organizations. In Brazil, there are several foreign companies operating, particularly in the major cities.

Because they operate in more than one location, these companies have greater experience with the subject and should already be compliant with the personal data protection laws of other places, whether in the United States, with laws such as the California Consumer Privacy Act (CCPA), or in Europe, with the GDPR (General Data Protection Regulation).

The presence of international companies in Brazil is no different. When they collect, store, process, and share the personal data of Brazilian citizens, they must comply with the LGPD (Brazilian General Data Protection Law). It's a legal obligation.

A physical headquarters is not necessary to comply with the LGPD (Brazilian General Data Protection Law). A company can have a website, entirely designed for the Brazilian public and with an address geared towards our country, and still need to comply with the General Data Protection Law. In other words, it is sufficient for the company to collect, store, share, and process the personal data of Brazilians.

What is the difference between Brazilian and international companies?

The process is very similar to that of national companies. International companies must follow the same guidelines and can be punished with the same severity in case of non-compliance with the law or security incidents, such as the violation of Brazilian citizens' data. 

They need to appoint a legal representative in Brazil to act as a point of contact with the data subjects and, especially, with the National Data Protection Authority (ANPD).

Similarly, it is also recommended to appoint a Data Protection Officer (DPO) to avoid potential penalties under the LGPD (Brazilian General Data Protection Law) and to ensure they are knowledgeable about the application of the legislation in Brazil. 

In short, the DPO is the one who will be on the front line to ensure that the company complies with the LGPD (Brazilian General Data Protection Law) and various other laws that seek greater data protection.

Another important consideration is reviewing the privacy policy. Depending on the country of operation, it is necessary to review and update privacy policies based on current legislation, such as the LGPD (Brazilian General Data Protection Law), specifying what data the company collects, how it is used and shared, and with which sources.

In other words, the information should be made accessible so the public can understand, in a simple way, what happens when they create a record on a physical or digital platform.

Employee training should also be conducted. Many Brazilians work for companies that are not based here and need to be aware of the rule. This is immutable. 

Regardless of their role, they handle data daily and need to be trained to avoid human error and/or other issues of improper sharing. 

It's essential to have a security incident response plan. In addition, conducting security tests to identify vulnerabilities is a great way to minimize the risk of incidents.

Data protection worldwide: ongoing commitment.

Similarly, if a Brazilian company is operating in another country, whether within Europe or the United States, it must comply with the data protection laws of that location. 

In other words, the commitment to the security of data subjects' data must be the same anywhere in the world. As noted, this also applies to companies originating outside of Brazil but operating nationally. 

In short, the moment a company operates in Brazil – whether through established physical stores or online websites – it must comply with the LGPD (Brazilian General Data Protection Law). International companies need to protect the personal data of Brazilians in the best possible way, in accordance with the provisions of the LGPD. This commitment must be the same for all audiences, without discrimination based on the company's status. 

International companies should adopt security techniques and study strategies aimed at implementing data security systems to avoid potential compromises of Brazilian citizens' data. Over the years, the trend is for companies and the public to become increasingly aware of the issue, consequently reducing the risk to their privacy. 
