Brazil has a new General Data Protection Law

On August 15, Federal Law No. 13.709/2018, known as the General Data Protection Law ("LGPD"), was published in the Federal Official Gazette. The law will only come into force after eighteen months, but the importance of the adaptation process means the change needs attention before then.

Considered a milestone in the management and storage of personal data, the law establishes a series of rules and criteria for activities involving the collection, production, storage, use, transfer and disposal of information relating to identified or identifiable natural persons. On a more practical level, many internal routines and procedures will have to be adapted to the new legal guidelines. The simple collection of CVs by the Human Resources department, for example, will have to follow the security and data capture criteria.

But it's not just companies that will have to adapt. The new law also applies to individuals, regardless of whether they are Brazilian or foreigners, when the data processing operation is carried out in Brazilian territory, is aimed at offering or supplying goods or services, when the data of individuals located in Brazilian territory is processed, or when the personal data being processed was collected in Brazilian territory.
According to the new law, personal data can only be processed on the following occasions:

(i) through the provision of consent by the data subject;
(ii) for the fulfillment of a legal or regulatory obligation by the controller;
(iii) by the public administration, for the processing and shared use of data necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments;
(iv) for the performance of studies by a research body;
(v) when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;
(vi) for the regular exercise of rights in judicial, administrative or arbitration proceedings; for the protection of the life or physical safety of the data subject or a third party;
(vii) for the protection of health, in a procedure carried out by health professionals or health entities;
(viii) when necessary to meet the legitimate interests of the controller or a third party, except where the fundamental rights and freedoms of the data subject that require the protection of personal data prevail; or
(ix) for the protection of credit, including as provided in the relevant legislation.

On the other hand, this requirement does not apply when personal data is processed by a natural person for exclusively private and non-economic purposes. Likewise, it is waived when there is a journalistic, artistic or academic purpose, as well as when the processing is carried out for the exclusive purposes of public security, national defense, state security or the investigation and prosecution of criminal offenses.

The change brings risks to corporate business that must be managed within companies, including by the legal department. Individuals need to know how to demand the protection of their data when they are entitled to it, and to beware of possible civil liability.