Brasilien LGPD und Guest WiFi: Ein Compliance-Leitfaden

Dieser technische Referenzleitfaden beschreibt, wie Brasiliens LGPD auf Enterprise Guest WiFi-Implementierungen angewendet wird, mit Fokus auf Captive Portal-Compliance, rechtmäßige Verarbeitungsgründe und die Schnittstelle zum Marco Civil da Internet. Er bietet umsetzbare Implementierungsanleitungen für IT-Führungskräfte und Netzwerkarchitekten, um regulatorische Risiken zu mindern und gleichzeitig die Netzwerknutzung aufrechtzuerhalten.

📖 5 Min. Lesezeit📝 1,004 Wörter🔧 2 Beispiele❓ 3 Fragen📚 8 Schlüsselbegriffe

🎧 Diesen Leitfaden anhören

Transkript anzeigen

Brazil LGPD and Guest WiFi: A Compliance Guide. A Purple Intelligence Briefing.

Welcome to the Purple Intelligence Briefing. I'm your host, and today we're tackling something that every IT manager, network architect, and compliance officer operating in Brazil needs to get right: the Lei Geral de Proteção de Dados — the LGPD — and specifically what it means for your guest WiFi deployments.

If you're already GDPR-compliant across your European operations, you might assume Brazil is a straightforward extension of that work. And you'd be partly right — but only partly. The LGPD has some meaningful differences that will catch out multinationals who simply copy-paste their EU compliance posture. And with the ANPD — Brazil's data protection authority — steadily maturing its enforcement capability, the window for a casual approach is closing fast.

So let's get into it. We'll cover the legal framework, the lawful bases that actually apply to WiFi sign-ups, how the ANPD compares to regulators like the ICO and CNIL, and what your captive portal needs to look like to keep you on the right side of the law.

Let's start with the fundamentals. The LGPD — Law Number 13,709 — came into force in August 2020, with administrative sanctions kicking in from August 2021. It was modelled closely on the GDPR, which means if you understand one, you have a solid foundation for the other. But the devil is in the details.

The moment a guest connects to your WiFi network, you are collecting personal data. MAC addresses, IP addresses, connection timestamps, session duration — all of this falls squarely within the LGPD's definition of personal data. Add a captive portal registration form collecting names, email addresses, or phone numbers, and you've moved firmly into territory that requires a clear lawful basis for processing.

The LGPD provides ten lawful bases under Article 7. For guest WiFi, three are particularly relevant. First, consent — Article 7, Roman numeral one. This is the most straightforward basis: the guest actively agrees to your privacy notice and ticks a consent checkbox before connecting. The consent must be free, informed, unambiguous, and specific to the purpose. You cannot bundle marketing consent with the basic connectivity consent — those need to be separate checkboxes.

Second, contract performance — Article 7, Roman numeral five. This applies when WiFi connectivity is part of a contracted service. A hotel guest who has booked a room that includes WiFi access can have their connection data processed under this basis, because it's necessary to deliver the service they've contracted for. This is a cleaner basis for hospitality operators than consent, because it doesn't require an active tick — it's inherent to the service relationship.

Third, legitimate interests — Article 7, Roman numeral nine. This is the most flexible but also the most legally exposed basis. You need to conduct and document a legitimate interests assessment — a balancing test — demonstrating that your interests don't override the data subject's fundamental rights. For basic network security logging, this is generally defensible. For behavioural analytics or marketing profiling, it becomes much harder to justify.

Now, here's something that catches out a lot of operators: the Marco Civil da Internet. This is Brazil's internet civil rights framework — Law 12,965 of 2014 — and it sits alongside the LGPD rather than being superseded by it. Under Article 13 of the Marco Civil, internet connection providers must retain connection logs for a minimum of one year. If your venue is providing internet access to the public, you may well fall within that definition. That means your data retention policy cannot simply say we delete everything after 30 days — you have a statutory obligation to retain connection logs for twelve months, regardless of what your LGPD privacy notice says about data minimisation.

Let's talk about the ANPD — the Autoridade Nacional de Proteção de Dados. It was established by the LGPD itself and operates as a special federal authority linked to the Ministry of Justice. Its mandate covers supervision, guidance, and enforcement.

How does it compare to the ICO in the UK or the CNIL in France? The honest answer is that the ANPD is still maturing. The ICO has issued fines in the tens of millions — British Airways received a twenty-million-pound penalty, Marriott eighteen-point-four million. The CNIL fined Google a hundred and fifty million euros and Facebook sixty million. The ANPD's first fine, issued in July 2023, was a total of fourteen thousand four hundred Brazilian reais — roughly three thousand US dollars — against a small telemarketing firm. In 2024, its enforcement actions were all against public sector entities and resulted in warnings rather than financial penalties.

But don't let that lull you into complacency. The ANPD's enforcement trajectory is clearly upward. In July 2024, it issued a preventive measure against Meta, ordering the immediate suspension of Meta's AI training data policy. In December 2024, it took action against X Corp over children's data. The ANPD's regulatory agenda for 2025 and 2026 explicitly prioritises AI and facial recognition — which is directly relevant to any venue deploying biometric authentication for WiFi access.

The maximum penalty under the LGPD is two percent of a company's Brazilian annual revenue, capped at fifty million reais per violation — approximately nine million euros at current exchange rates. That's significantly lower than GDPR's four percent of global revenue, but it's calculated on Brazilian revenue only. For a multinational with substantial Brazilian operations, the exposure is still material.

One critical difference from GDPR: the LGPD requires a Data Protection Officer for all data controllers, full stop. Under GDPR, a DPO is only mandatory in specific circumstances. Under the LGPD, if you're processing personal data in Brazil, you need one. ANPD Resolution 18, published in July 2024, sets out the detailed responsibilities and qualifications required. The DPO's contact details must be publicly disclosed — typically on your website.

Data subject rights under the LGPD number nine, compared to GDPR's eight. The practical differences for WiFi operators are two-fold. First, you have fifteen days to respond to a data subject access request — half the thirty-day window under GDPR. If you're running a large venue network with thousands of daily connections, your data retrieval and response processes need to be operationally capable of meeting that tighter deadline. Second, the LGPD includes an explicit right to request anonymisation of data, not just deletion. Your platform needs to support both responses.

So what does a compliant deployment actually look like? Let me walk you through the key implementation requirements.

Your captive portal must display a privacy notice in Portuguese — Brazilian Portuguese, not European Portuguese. The notice must identify the data controller, state the lawful basis for processing, specify the purposes for which data will be used, identify any third parties with whom data will be shared, and provide the DPO's contact details. This is non-negotiable.

Consent checkboxes must be unchecked by default. Pre-ticked boxes do not constitute valid consent under the LGPD, just as they don't under GDPR. Marketing consent must be separate from the connectivity consent — you cannot gate internet access on the guest agreeing to receive promotional emails.

On data minimisation: only collect what you actually need. If you're deploying guest WiFi purely for connectivity, you don't need a date of birth or a home address. If you're running a loyalty programme through your WiFi platform, you need to justify each additional data field against the stated purpose.

For data retention, document your policy explicitly. Connection logs: one year minimum under the Marco Civil. Marketing data: retain only as long as necessary for the stated purpose, and delete on withdrawal of consent. Your WiFi analytics platform should support automated retention schedules and deletion workflows.

The biggest pitfall I see in practice is the consent bundling problem. Operators build a single consent screen that covers connectivity, analytics, and marketing in one checkbox. That's non-compliant under both LGPD and GDPR. Separate the consents. Yes, it adds friction. But the alternative is an enforcement action that costs you far more.

The second major pitfall is ignoring the Marco Civil. Operators who focus entirely on LGPD compliance and forget about the one-year connection log retention obligation under the Marco Civil create a different kind of legal exposure. These are two separate legal instruments and both apply.

Third pitfall: failing to implement a data subject rights workflow. It's not enough to have a privacy notice that says contact us to exercise your rights. You need an operational process — a dedicated email address or web form, a documented internal workflow, and the technical capability to retrieve, correct, export, or delete a specific individual's data within fifteen days.

Let me run through some quick questions I hear regularly from clients.

Do we need a DPO if we only have one venue in Brazil? Yes. The LGPD applies to all data controllers processing personal data in Brazil, regardless of scale.

Can we use legitimate interests as our basis for WiFi analytics? Potentially, but you need a documented legitimate interests assessment. For basic network security and operational analytics, it's defensible. For behavioural marketing profiling, it's much harder to justify.

What about biometric authentication — facial recognition at the WiFi portal? That's sensitive data under the LGPD. You need explicit consent, and you need to be very careful about how you store and process it. The ANPD has this squarely in its sights for 2025 to 2026 enforcement.

We're GDPR-compliant — does that cover us for LGPD? Largely yes, but not entirely. The tighter data subject access request response window, the mandatory DPO requirement, the Marco Civil retention obligation, and the Portuguese-language notice requirement are all areas where GDPR compliance alone won't get you there.

To wrap up: the LGPD is a mature, GDPR-inspired data protection framework with some important Brazil-specific characteristics. For guest WiFi operators, the key actions are these.

Audit your captive portal: is your privacy notice in Brazilian Portuguese, does it state the lawful basis, are your consent checkboxes separate and unchecked by default?

Appoint a DPO and publish their contact details. This is mandatory for all controllers.

Check your data retention policy against the Marco Civil's one-year connection log requirement.

Build a data subject rights workflow capable of responding within fifteen days.

And if you're deploying any form of biometric authentication or advanced analytics, get a Data Protection Impact Assessment done before you go live.

Purple's guest WiFi platform is built with these compliance requirements in mind — configurable consent flows, automated retention schedules, and data subject rights tooling that works across both GDPR and LGPD jurisdictions. If you're deploying across Brazil and want to talk through your specific compliance architecture, reach out to the Purple team.

That's it for today's briefing. Thanks for listening, and we'll see you next time.

Wichtigste Erkenntnisse

✓The LGPD applies to all guest WiFi deployments in Brazil, treating MAC addresses, IPs, and session data as personal data.
✓Consent for network access cannot be bundled with marketing consent; checkboxes must be separate and unchecked by default.
✓The Marco Civil da Internet mandates a 1-year retention period for connection logs, overriding standard data minimisation policies.
✓Unlike GDPR, the LGPD requires all data controllers to appoint a Data Protection Officer (DPO) and publicly display their contact details.
✓Network operators have only 15 days to respond to Data Subject Access Requests (DSARs) under the LGPD, necessitating automated retrieval tools.
✓Profile-based authentication and 'Contract Performance' lawful bases offer robust, low-friction compliance architectures for hospitality and enterprise venues.
✓ANPD enforcement is escalating, with maximum fines reaching 2% of Brazilian revenue (up to R$50 million), making compliance a critical operational requirement.

Zusammenfassung für Führungskräfte

Für IT-Führungskräfte und Netzwerkarchitekten, die Guest WiFi in brasilianischen Betrieben implementieren, stellt die Lei Geral de Proteção de Dados (LGPD) eine besondere Compliance-Herausforderung dar. Obwohl stark von der europäischen GDPR beeinflusst, enthält Brasiliens Datenschutzrahmen kritische Nuancen – wie eine obligatorische Anforderung an einen Datenschutzbeauftragten (DPO), engere Antwortfristen für Anfragen von betroffenen Personen und die sich verstärkenden Verpflichtungen des Marco Civil da Internet. Die Autoridade Nacional de Proteção de Dados (ANPD) hat ihre Durchsetzungsposition in den Jahren 2024 und 2025 stetig verschärft und ist von anfänglichen Warnungen zu gezielten Sanktionen übergegangen. Dieser Leitfaden bietet eine definitive technische Referenz für die Strukturierung der Captive Portal-Authentifizierung, die Verwaltung von Datenaufbewahrungszyklen und die Sicherstellung einer robusten Compliance, ohne die aus Ihren WiFi Analytics gewonnenen Betriebsdaten zu opfern.

Technischer Deep-Dive: Das LGPD-Framework für Netzwerkbetreiber

Wenn ein Benutzer sich mit einem öffentlichen oder unternehmenseigenen Gastnetzwerk verbindet, verarbeitet die Infrastruktur von Natur aus personenbezogene Daten. Gemäß der LGPD (Gesetz Nr. 13.709/2018) stellen MAC-Adressen, IP-Zuweisungen, Sitzungszeitstempel und alle über das Captive Portal gesammelten Informationen personenbezogene Daten dar, die eine rechtmäßige Grundlage für die Verarbeitung erfordern.

Rechtmäßige Grundlagen für die Captive Portal-Authentifizierung

Die LGPD legt zehn rechtmäßige Grundlagen für die Verarbeitung personenbezogener Daten fest (Artikel 7). Für Guest WiFi-Implementierungen müssen Architekten Datenflüsse sorgfältig der entsprechenden Grundlage zuordnen:

1. Einwilligung (Artikel 7, I) Die häufigste Grundlage für öffentliche Einrichtungen (wie Einzelhandelsumgebungen ). Die Einwilligung muss freiwillig, informiert, eindeutig und spezifisch sein. Das Captive Portal muss ein nicht angekreuztes Kontrollkästchen anzeigen, das auf eine Datenschutzerklärung in portugiesischer Sprache verweist. Entscheidend ist, dass Betreiber die Einwilligung zum Netzwerkzugang nicht mit der Marketing-Einwilligung bündeln dürfen; diese müssen getrennte Aktionen bleiben.

2. Vertragserfüllung (Artikel 7, V) Hochrelevant für Gastgewerbe -Implementierungen. Wenn ein Gast ein Hotelzimmer bucht, das explizit WiFi-Zugang beinhaltet, ist die Verarbeitung seiner Verbindungsdaten für die Erfüllung dieses Vertrags notwendig. Dies bietet eine robuste Grundlage für die grundlegende Netzwerkbereitstellung, ohne dass eine aktive Kontrollkästchen-Einwilligung am Portal erforderlich ist.

3. Berechtigte Interessen (Artikel 7, IX) Diese Grundlage erfordert eine dokumentierte Interessenabwägung, die zeigt, dass die Interessen des Verantwortlichen die Grundrechte der betroffenen Person nicht überwiegen. Obwohl für grundlegende Netzwerksicherheitsprotokollierung und Bedrohungsabwehr vertretbar, birgt die Berufung auf berechtigte Interessen für Verhaltensanalysen oder Marketing-Profiling ein erhebliches regulatorisches Risiko.

Die Schnittstelle zum Marco Civil da Internet

Ein kritischer Fehlerpunkt bei multinationalen Implementierungen ist die isolierte Betrachtung der LGPD. Brasiliens Rahmenwerk für Internet-Bürgerrechte, das Marco Civil da Internet (Gesetz 12.965/2014), operiert gleichzeitig. Gemäß Artikel 13 des Marco Civil sind Unternehmen, die als Internetverbindungsanbieter qualifiziert sind, gesetzlich verpflichtet, Verbindungsprotokolle für mindestens ein Jahr aufzubewahren. Dies ersetzt die Standardprinzipien der LGPD zur Datenminimierung; eine Richtlinie, die besagt, dass „alle Verbindungsdaten nach 30 Tagen gelöscht werden“, ist aktiv nicht konform mit dem Marco Civil.

Implementierungsleitfaden: Compliance-Architektur

Die Implementierung einer konformen Architektur erfordert die Abstimmung von Netzwerk-Controllern, Identitätsanbietern und Analyseplattformen. Purple fungiert als nahtloser Identitätsanbieter, der eine sichere, konforme Authentifizierung ermöglicht – einschließlich Unterstützung für OpenRoaming unter der Connect-Lizenz – und gleichzeitig den zugrunde liegenden Einwilligungslebenszyklus verwaltet.

1. Captive Portal-Konfiguration

Sprachlokalisierung: Die Datenschutzerklärung und die Einwilligungsmechanismen müssen in brasilianischem Portugiesisch präsentiert werden.
Granulare Einwilligungsarchitektur: Implementieren Sie separate, nicht angekreuzte Kontrollkästchen für (a) die Annahme der Nutzungsbedingungen/Datenschutzerklärung, die für den Zugang erforderlich ist, und (b) optionale Marketingkommunikation.
Identifikation des Verantwortlichen: Das Portal muss den Datenverantwortlichen klar identifizieren und direkte Kontaktdaten für den obligatorischen Datenschutzbeauftragten (DPO) bereitstellen.

2. Verwaltung des Datenaufbewahrungslebenszyklus

Konfigurieren Sie automatisierte Datenlebenszyklusrichtlinien innerhalb Ihrer Analyseplattform:

Verbindungsprotokolle: Legen Sie die Aufbewahrungsfrist auf genau ein Jahr fest, um der Marco Civil-Verpflichtung nachzukommen, gefolgt von einer automatischen Löschung.
Marketing-/Profildaten: Verknüpfen Sie die Aufbewahrung direkt mit dem angegebenen Zweck und stellen Sie die sofortige Löschung bei Widerruf der Einwilligung sicher.

3. Workflow für Anfragen betroffener Personen (DSAR)

Die LGPD schreibt ein Antwortfenster von 15 Tagen für DSARs vor – die Hälfte der unter GDPR zulässigen Zeit. Netzwerkbetreiber müssen automatisierte Tools implementieren, um die Daten eines bestimmten Benutzers in der gesamten WiFi-Architektur innerhalb dieses engen Zeitrahmens abzurufen, zu exportieren, zu korrigieren oder zu anonymisieren.

Best Practices & Industriestandards

Berücksichtigen Sie bei der Gestaltung Ihrer Netzwerkarchitektur diese etablierten Best Practices:

Profilbasierte Authentifizierung einführen: Der Übergang zu einer profilbasierten Authentifizierung (wie Passpoint/OpenRoaming) reduziert die Abhängigkeit von wiederholter Captive Portal-Datenerfassung, erhöht die Sicherheit und optimiert gleichzeitig den Compliance-Fußabdruck. Dies steht im Einklang mit modernen Prinzipien der Internet of Things Architecture: A Complete Guide .
Verpflichtende DPO-Ernennung: Im Gegensatz zur GDPR verlangt die LGPD von allen Datenverantwortlichen die Ernennung eines DPO. Stellen Sie sicher, dass diese Rolle gemäß ANPD-Resolution 18 besetzt und öffentlich dokumentiert ist.
Datenschutz-Folgenabschätzungen (DPIA): Führen Sie eine formelle DPIA durch, bevor Sie fortschrittliche Analysen wie ein Indoor Positioning System: UWB, BLE, & WiFi Guide einsetzen, da die Standortverfolgung erhöhte Auswirkungen auf die Privatsphäre hat.

Fehlerbehebung & Risikominderung

Häufige Fehlerquellen

Die Übersetzungsfalle: Die Verwendung von europäischem Portugiesisch anstelle von brasilianischem Portugiesisch für Datenschutzerklärungen, was die informierte Einwilligung ungültig machen kann.
Die überzogene Löschung: Konfiguration aggressiver 30-Tage-Datenlöschrichtlinien, die gegen das einjährige Aufbewahrungsmandat des Marco Civil für Verbindungslogs verstoßen.
Das Einwilligungs-Bündel: Benutzer zwingen, Marketingkommunikation zu akzeptieren, um Netzwerkzugang zu erhalten. Dies verstößt gegen die LGPD-Anforderung, dass die Einwilligung freiwillig erteilt werden muss.

ANPD-Durchsetzung in der Praxis

Obwohl die anfänglichen Bußgelder der ANPD im Vergleich zur ICO oder CNIL relativ niedrig waren, beschleunigt sich ihre Durchsetzung. Jüngste Maßnahmen zielten auf unsachgemäße Datenweitergabe und unzureichende Sicherheitsmaßnahmen ab. Die Höchststrafe beträgt 2 % des jährlichen brasilianischen Umsatzes (begrenzt auf 50 Millionen R$ pro Verstoß), was die Compliance zu einer Priorität auf Vorstandsebene für Unternehmensbetreiber macht.

ROI & Geschäftsauswirkungen

Die Investition in eine robuste, LGPD-konforme WiFi-Architektur liefert messbaren Geschäftswert über die Risikominderung hinaus. Ein transparenter, sicherer Authentifizierungsprozess schafft Benutzervertrauen und erhöht die Konversionsraten des Portals. Darüber hinaus können Veranstaltungsorte durch die Nutzung einer konformen Plattform wie Purple die Monetarisierung von Retail Media und operative Analysen sicher nutzen, ohne das Unternehmen regulatorischen Sanktionen auszusetzen. Der ROI wird nicht nur in vermiedenen Bußgeldern berechnet, sondern in der nachhaltigen Fähigkeit, First-Party-Datenintelligenz auf dem brasilianischen Markt zu generieren.

Podcast-Briefing

Hören Sie unser umfassendes 10-minütiges Briefing zur Gestaltung der LGPD-Compliance für Unternehmens-WiFi-Netzwerke:

Schlüsselbegriffe & Definitionen

Autoridade Nacional de Proteção de Dados (ANPD)

Brazil's national data protection authority, responsible for issuing guidance, auditing compliance, and enforcing administrative sanctions under the LGPD.

IT teams must monitor ANPD resolutions (such as Resolution 18 regarding DPOs) to ensure their technical configurations remain aligned with regulatory expectations.

Marco Civil da Internet

Brazil's internet civil rights framework (Law 12,965/2014) which mandates specific data retention periods for internet connection providers.

Network architects must configure storage systems to retain connection logs for one year to satisfy this law, running parallel to LGPD requirements.

Lawful Basis

The specific legal justification required under Article 7 of the LGPD to process personal data, such as Consent or Contract Performance.

Before deploying a captive portal, the IT team must document exactly which lawful basis applies to the data being collected to survive an ANPD audit.

Data Subject Access Request (DSAR)

A formal request from an individual to access, correct, anonymise, or delete their personal data held by a controller.

WiFi operators must have automated tooling to process these requests across all databases within the strict 15-day window mandated by the LGPD.

Data Protection Officer (DPO)

The individual designated by the controller to act as a communication channel between the controller, data subjects, and the ANPD.

Unlike GDPR, the LGPD requires all entities processing personal data to appoint a DPO and publicly display their contact information on the captive portal.

Profile-Based Authentication

A secure method of network access (e.g., OpenRoaming) where devices authenticate automatically using a cryptographic profile rather than a web-based captive portal.

Reduces compliance overhead by minimizing repetitive data collection and relying on established identity providers.

Connection Logs

Technical metadata generated during network access, including IP addresses, MAC addresses, and session timestamps.

Must be securely stored for exactly one year under the Marco Civil, requiring specific configuration in the network controller or analytics platform.

Anonymisation

The process of irreversibly altering personal data so that it can no longer be attributed to a specific individual.

Under the LGPD, users have an explicit right to request anonymisation of their data, which analytics platforms must support as an alternative to outright deletion.

Fallstudien

A multinational retail chain is expanding into São Paulo and needs to deploy guest WiFi across 50 stores. They currently use a standard GDPR captive portal that deletes all data after 90 days. How must they adapt this architecture for the Brazilian market?

The architecture requires three critical modifications. First, the data retention policy must be bifurcated: connection logs (IP, MAC, timestamps) must be retained for exactly one year to comply with Article 13 of the Marco Civil da Internet, while marketing data can follow the 90-day policy. Second, the privacy notice must be translated into Brazilian Portuguese and explicitly name the mandatory Data Protection Officer (DPO). Third, the automated DSAR response workflow must be reconfigured to ensure data retrieval or deletion is executed within 15 days, rather than the 30 days permitted under GDPR.

Implementierungshinweise: This approach correctly identifies the intersection of the LGPD and the Marco Civil, which is the most common architectural failure point for foreign entities entering Brazil. It also practically addresses the operational impact of the compressed 15-day DSAR window.

A luxury hotel in Rio de Janeiro wants to provide seamless WiFi to guests without requiring them to fill out a captive portal form every time they connect. How can they achieve this compliantly under the LGPD?

The hotel should leverage 'Contract Performance' (Article 7, V) as the lawful basis for processing connection data for registered guests, as internet access is a contracted amenity of the room booking. They can implement profile-based authentication (like Passpoint) tied to the guest's reservation profile. For non-guests (e.g., conference attendees or restaurant patrons), the network should segment them to a standard captive portal relying on explicit 'Consent' (Article 7, I).

Implementierungshinweise: This demonstrates advanced architectural thinking by segmenting user types and applying the most appropriate lawful basis to each, thereby reducing friction for high-value users while maintaining strict compliance.

Szenarioanalyse

Q1. Your marketing team wants to implement a new captive portal in your São Paulo locations that requires users to provide their email address and agree to receive promotional offers before they can access the free WiFi. As the network architect, how should you respond?

💡 Hinweis:Consider the LGPD requirements for consent to be 'freely given' and the concept of consent bundling.

Empfohlenen Ansatz anzeigen

You must reject this architecture. Under the LGPD, consent must be freely given. Conditioning the provision of a service (WiFi access) on consent for an unrelated purpose (marketing communications) invalidates the consent. The portal must be redesigned with two separate checkboxes: one mandatory checkbox for accepting the network terms of service, and one optional, unchecked checkbox for marketing communications.

Q2. A user who connected to your stadium WiFi six months ago submits a formal request to have all their data deleted under the LGPD. Your automated system is configured to purge their CRM profile, but the network engineering team points out that deleting their connection logs violates the Marco Civil. How do you resolve this conflict?

💡 Hinweis:Evaluate the hierarchy and interaction between the LGPD data subject rights and statutory retention obligations.

Empfohlenen Ansatz anzeigen

You must execute a partial deletion. Under the LGPD, the right to deletion is not absolute; it does not override statutory obligations. You must delete the user's marketing and profile data from the CRM and analytics platforms. However, you must retain the core connection logs (IP, MAC, timestamps) for the remainder of the 1-year period mandated by Article 13 of the Marco Civil. You must respond to the user within 15 days explaining exactly what was deleted and why the connection logs were retained.

Q3. You are migrating your European WiFi architecture to Brazil. Your current GDPR process allows 30 days to respond to Data Subject Access Requests (DSARs) and relies on manual database queries by the IT team. Why is this problematic for the Brazilian deployment?

💡 Hinweis:Compare the statutory response windows between the two regulatory frameworks.

Empfohlenen Ansatz anzeigen

This is problematic because the LGPD mandates a 15-day response window for DSARs, exactly half the time allowed under GDPR. A manual query process that takes up to 30 days will result in compliance failures in Brazil. The IT team must implement automated tooling within the analytics platform to rapidly retrieve, compile, and export user data to meet the stricter 15-day SLA.