Brazil Data Privacy
The Brazilian General Data Protection Law (“LGPD”) is Brazil’s primary regulation aimed at the protection of personal data. The LGPD applies to the processing of personal data (defined as information regarding an identified or identifiable natural person) carried out by individuals or legal entities from the public or private sector, irrespective of the means used for the processing or the country where the controller or the data is located, provided that: 1) the processing is carried out in Brazil, 2) the processing is aimed at the offering or provision of goods or services, or at the processing of data of individuals located in Brazil, or 3) the personal data was collected in Brazil.
The LGPD establishes principles and rules for processing personal data. Organizations must be able to demonstrate the adoption of measures which are capable of proving compliance with the rules of personal data protection, including the efficacy of these measures, necessitating the establishment and enforcement of compliant policies applicable to the processing of personal data.
Under the LGPD, controllers and processors (as defined under the LGPD) are required to adopt technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing. Additionally, the LGPD grants the Brazilian National Data Protection Authority (“ANPD”) authority to establish minimum technical standards to be implemented by controllers and processors.
AWS is vigilant about your privacy and data security. Security at AWS starts with our core infrastructure. Custom-built for the cloud and designed to meet the most stringent security requirements in the world, our infrastructure is monitored 24x7 to ensure the confidentiality, integrity, and availability of our customer's data. The same world-class security experts who monitor this infrastructure also build and maintain our broad selection of innovative security services, which can help you simplify meeting your own security and regulatory requirements. As an AWS customer, regardless of your size or location, you inherit all the benefits of our experience, tested against the strictest of third-party assurance frameworks.
AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and SOC 1, 2, and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of customer content.
For example, ISO 27018 is the first International code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. This demonstrates to customers that AWS has a system of controls in place that specifically address the privacy protection of their content.
These comprehensive AWS technical and organizational measures are consistent with the goals of the LGPD to protect personal data. Customers using AWS services maintain control over their content and are responsible for implementing additional security measures based on their specific needs, including content classification, encryption, access management and security credentials.
As AWS does not have visibility into or knowledge of what customers are uploading onto its network, including whether or not that data is deemed subject to the LGPD, customers are ultimately responsible for their own compliance with the LGPD and related regulations. The content on this page supplements the existing Data Privacy resources to help you align your requirements with the AWS Shared Responsibility Model when you store and process personal data using AWS services.
What is LGPD?
The Brazilian General Data Protection Law (“LGPD”) is Brazil’s primary regulation aimed at the protection of personal data, which went into effect on September 18, 2020.
Who does LGPD apply to?
LGPD applies to all organizations, whether or not established in Brazil, that process personal data to offer or provide goods or services to people in Brazil. LGPD also applies to organizations that collect or process personal data in Brazil. Personal data is any information relating to an identified or identifiable natural person.
Are AWS Services LGPD compliant?
We can confirm that all AWS services can be used in compliance with LGPD. This means that, in addition to benefiting from all of the measures that AWS already takes to maintain services security, customers can deploy AWS services as a key part of their LGPD compliance plans. For more details, see our whitepaper, Navigating LGPD Compliance on AWS.
Where can an individual data subject find information about exercising LGPD rights?
On August 14, 2020, we updated our privacy notice to explain our policies as a data controller in light of the LGPD’s requirements, including how data subjects can exercise their rights under the law.
Does AWS have a privacy hub with a comprehensive description of AWS’ privacy positions and rights afforded to customers?
Yes. Our Data Privacy page provides information about our privacy policies and practices. We have also updated our privacy notice to include all disclosures required under LGPD, including how customers can exercise their rights under the law.
Is AWS compliant with data protection in other countries in LATAM?
AWS continually maintains a high bar for security and compliance across all of our global operations. The protections we make available for GDPR and LGPD are available to customers around the world, and our customer can use these protections to ensure compliance with their local data protection laws.
What is the customer’s role in securing their content?
Under the AWS Shared Responsibility Model, AWS customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site data center. LGPD does not change the AWS shared responsibility model, which continues to be relevant for customers and APN Partners who are focused on using cloud computing services. The shared responsibility model is a useful approach to illustrate the different responsibilities of AWS (as a data processor or sub-processor) and customers or APN Partners (as either data controllers or data processors) under LGPD. Under the shared responsibility model, AWS is responsible for securing the underlying infrastructure that supports the cloud, and customers and APN partners, acting either as data controllers or data processors, are responsible for any personal data they put on the cloud. Customers can build on the technical and organizational security measures and controls offered by AWS to manage their own compliance requirements. Customers can use familiar measures to protect their data, such as encryption and multi-factor authentication, in addition to AWS security features like AWS Identity and Access Management.
When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:
For more information about additional measures customers can take, and solutions that AWS offers, please refer to AWS Security Learning webpage.
- Security measures that AWS implements and operates - "security of the cloud", and
- Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services - "security in the cloud"
Who can access customer content?
Customers maintain ownership and control of their customer content and select which AWS services process, store and host their customer content. AWS does not have visibility into customer content and does not access or use customer content except to provide the AWS services selected by a customer or where required to comply with the law or a binding legal order.
Customers using AWS services maintain control over their content within the AWS environment. They can:
- Determine where it will be located, for example the type of storage environment and geographic location of that storage.
- Control the format of that content, for example plain text, masked, anonymized or encrypted, using either AWS provided encryption or a third-party encryption mechanism of the customer’s choice.
- Manage other access controls, such as identity access management and security credentials.
- Control whether to use SSL, Virtual Private Cloud and other network security measures to prevent unauthorized access.
This allows AWS customers to control the entire life-cycle of their content on AWS and manage their content in accordance with their own specific needs, including content classification, access control, retention and deletion.
Where will customer content be stored?
AWS data centers are built in clusters in various locations around the world. We refer to each of our data center clusters in a given location as a "Region."
AWS customers choose the AWS Region(s) where their content will be stored. This allows customers with specific geographic requirements to establish environments in the location(s) of their choice.
Customers can replicate and back up content in more than one Region, but AWS does not move customer content outside of the customer’s chosen Region(s), except to provide services as requested by customers or comply with applicable law.
How does AWS secure its data centers?
The AWS data center security strategy is assembled with scalable security controls and multiple layers of defense that help to protect your information. For example, AWS carefully manages potential flood and seismic activity risks. We use physical barriers, security guards, threat detection technology, and an in-depth screening process to limit access to data centers. We back up our systems, regularly test equipment and processes, and continuously train AWS employees to be ready for the unexpected.
To validate the security of our data centers, external auditors perform testing on more than 2,600 standards and requirements throughout the year. Such independent examination helps ensure that security standards are consistently being met or exceeded. As a result, the most highly regulated organizations in the world trust AWS to protect their data.
Learn more about how we secure AWS data centers by design by taking a virtual tour.
Which AWS Regions can I use?
Customers can choose to use any one Region, all Regions or any combination of Regions. Visit the AWS Global Infrastructure page for a complete list of AWS Regions.
What security measures does AWS have in place to protect systems?
The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Amazon's scale allows significantly more investment in security policing and countermeasures than almost any large company could afford on its own. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services, which provide powerful controls to customers and APN Partners, including security configuration controls, for the handling of personal data. More details on the measures AWS puts in place to maintain consistently high levels of security can be found in the AWS Overview of Security Processes Whitepaper.
AWS also provides several compliance reports from third-party auditors who have tested and verified our compliance with a variety of security standards and regulations - including ISO 27001, ISO 27017, and ISO 27018. To provide transparency on the effectiveness of these measures, we provide access to the third party audit reports in AWS Artifact. These reports show our customers and APN Partners, who may act as either data controllers or data processors, that we are protecting the underlying infrastructure upon which they store and process personal data. For more information, visit our Compliance Resources.
What has AWS done in preparation for LGPD?
AWS compliance, data protection, and security experts have been working with customers to answer their questions and help them prepare for running workloads in the AWS Cloud. These teams have also reviewed the readiness of AWS services to meet the requirements of LGPD. In addition, we offer customers a Data Processing Agreement that meets the requirements of LGPD.
AWS continually maintains a high bar for security and compliance across all of our global operations. Security has always been our highest priority – truly “job zero.” Our industry-leading security provides the foundation for our long list of internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, NIST FIPS 140-2, C5, and others. To provide transparency on the effectiveness of these measures, we give our customers and APN Partners access to the third party audit reports through the AWS Management Console. These reports show our customers and APN Partners, who may act as either data controllers or data processors, that we are protecting the underlying infrastructure upon which they store and process personal data. For more information, visit our Compliance webpage.
What services does AWS offer customers to help them comply with LGPD?
AWS is already providing specific features and services which help customers to meet requirements of LGPD:
Data Access Control: Allow only authorized administrators, users and applications access to AWS resources.
- Multi-Factor-Authentication (MFA)
- Fine granular access to objects in Amazon S3-Buckets/ Amazon SQS/ Amazon SNS and others
- API-Request Authentication
- Temporary access tokens through AWS Security Token Service
Monitoring and Logging: Get an overview about activities on your AWS resources.
- Asset Management and Configuration with AWS Config
- Compliance Auditing and security analytics with AWS CloudTrail
- Identification of configuration challenges through AWS Trusted Advisor
- Fine granular logging of access to Amazon S3 objects
- Detailed information about flows in the network through Amazon VPC-FlowLogs
- Rule-based configuration checks and actions with AWS Config Rules
- Filtering and monitoring of HTTP access to applications with WAF functions in AWS CloudFront
Encryption: Encrypt Data on AWS.
- Encryption of your data at rest with AES256 (EBS/S3/Glacier/RDS)
- Centralized managed Key Management (by AWS Region)
- IPsec tunnels into AWS with the VPN-Gateways
- Dedicated HSM modules in the cloud with AWS CloudHSM
How can AWS help data controllers meet their data breach notification obligations under LGPD?
AWS gives customers and APN Partners a number of tools to understand who has access to their resources, when, and from where. One of these tools is AWS CloudTrail which enables governance, compliance, operational auditing, and risk auditing of an AWS account. With AWS CloudTrail, customers can log, continuously monitor, and retain information about account activity related to actions across their AWS infrastructure. This helps organizations understand what is happening with their AWS infrastructure and can take action on any unusual activity, immediately. For more information on AWS CloudTrail, and the other security tools AWS gives customers to help meet their obligations as data controllers under LGPD, visit our Security webpage.
How does AWS help me to protect my data against cyber-attacks?
AWS gives customers and APN Partners a number of tools to secure their data and help protect against cyber-attacks. One such tool is AWS Shield. This is a managed Distributed Denial of Service (DDoS) protection service to safeguard websites and applications running on AWS. AWS Shield Standard is available at no additional charge and provides always-on detection and automatic inline mitigations that can minimize application downtime and latency. For higher levels of protection against attacks targeting web applications running on AWS and using ELB, Amazon CloudFront, and Amazon Route 53 resources, customers and APN Partners can subscribe to AWS Shield Advanced.
How does AWS handle delete instructions from customers?
AWS services allow for the deletion of content by customers on demand, using the AWS Management Console, APIs, and other input methods. For more information about specific service functionality, please see our Documentation.
Whom should I contact if I have questions regarding LGPD and AWS?
In addition to our Data Privacy page and our privacy notice, we recommend that customers and APN Partners with questions regarding data protection or AWS and LGPD contact their AWS account manager first. If customers have signed up for Enterprise Support, they can reach out to their Technical Account Manager (TAM) as well. TAMs work with Solutions Architects to help customers identify potential risks and potential mitigations. TAMs and account teams can also point customers and APN Partners with specific resources based on their environment and needs.
AWS also has teams of Enterprise Support Representatives, Professional Services Consultants, and other staff to help with LGPD questions. To help further educate customers and APN Partners, AWS is also running a number of speaking engagements, webinars, and workshops at AWS Summits to help them understand LGPD and implement solutions using AWS tools.