Skip to main content

Lei Geral de Proteção de Dados Pessoais

The LGPD is Brazil's comprehensive data protection law, modeled on the GDPR, governing personal data processing across public and private sectors. It grants data subject rights and is enforced by the national authority, the ANPD.

Jurisdiction
Brazil

The Lei Geral de Proteção de Dados Pessoais (LGPD), or General Personal Data Protection Law, is Brazil's comprehensive data protection law. It was enacted as Law No. 13,709 in 2018 and took effect on September 18, 2020. The LGPD is strongly modeled on the EU GDPR and replaced a patchwork of sector-specific rules with a single national framework. It established the Autoridade Nacional de Proteção de Dados (ANPD) as the national data protection authority.

The LGPD applies broadly to processing of personal data carried out by individuals and organizations, in the public and private sectors, regardless of the medium or the country where the data controller is based.

Who It Applies To

The LGPD applies to any processing operation where the processing is carried out in Brazil, where the purpose is to offer goods or services to or to process data of individuals located in Brazil, or where the personal data was collected in Brazil. It covers controllers and processors (operators) in both private and public sectors. Some narrow exceptions exist, such as processing for purely personal purposes or exclusively for journalistic, artistic, or academic purposes.

Key Requirements

Processing must rely on one of the law's legal bases, which include consent, compliance with a legal obligation, execution of a contract, legitimate interests, protection of life, and others. Data subjects have rights to confirmation of processing, access, correction, anonymization or deletion, portability, information about sharing, and revocation of consent. Controllers must keep records of processing operations, adopt security and governance measures, and conduct data protection impact reports for high-risk processing when requested by the ANPD. Most organizations must appoint a person in charge of data protection (encarregado), comparable to a DPO. Security incidents that may cause risk or harm must be reported to the ANPD and to affected data subjects within a reasonable time. International transfers are allowed only under specific conditions such as adequacy, standard contractual clauses, or consent.

Penalties for Non-Compliance

The ANPD can impose warnings, require corrective measures, and levy fines of up to 2 percent of a company's revenue in Brazil, capped at BRL 50 million per violation. It can also publicize violations and order the blocking or deletion of the personal data involved.

How to Comply

Map your processing activities and document a legal basis for each. Publish clear privacy notices and build processes to honor data subject rights. Appoint an encarregado where required and keep records of processing. Adopt security and governance measures and prepare to produce impact reports. Establish an incident response process to notify the ANPD. Review international transfer mechanisms and use approved safeguards.