Approved in August 2018, the General Personal Data Protection Law (LGPD) becomes effective on 9/18. In practice this legislation regulates any operation handling personal data, such as collection, processing, visualization, sharing and storing of personal data. All personal data must be duly handled and stored, and companies are subject to sanctions that range from a simple warning to fines.
The purpose of the law is to protect citizens from unauthorized use of their personal data and ensure their fundamental freedom and privacy rights. In other words, from now on consumers may demand that their personal data collected by companies, by both digital and physical means, be excluded or not used.
Valid throughout the country and with extraterritorial application (it applies to facts occurring outside the country), the law covers all organizations, public or private, and individuals that offer goods and services and handle client personal data.
Transpetro works to adapt to regulations and is ready to meet the legal data protection requirements. We conduct a detailed mapping of the macro-processes for handling personal data, identifying the type of information collected, its purpose, where it is stored and which areas or personnel have access.
Pertaining to personal data
According to the LGPD, personal data is any information that allows a living person to be identified: name, surname, DOB, personal documents (such as CPF, RG, work book, passport and voter registration), residential or business address, phone number, email, bank card, income, credit history, consumer habits, leisure preferences, cookies and IP address.
The law also defines sensitive personal data linked to a person, pertaining to racial or ethnic origin, religious conviction, political opinion, membership in unions or religious, philosophical or political organizations, data relative to health or sexual life, and genetic or biometric data. Due to its higher damage potential, handling of this data must observe stricter rules.
Companies that do not comply with the new legislation may be subject to nine different types of sanctions, which may be isolated or cumulative. Among them are a warning and a simple fine of up to 2% of the business revenues for the last fiscal year, up to R$ 50 million per infraction. In addition to the financial risks, it is important to note that the risk to the company’s image may also have consequences.
Access to data by the principal
The principals may request access to their personal data. Contact the Transpetro Ombudsman for this purpose.