🇧🇷Brazil

LGPD

Lei Geral de Proteção de Dados

Brazil's General Data Protection Law governing the processing of personal data by public and private entities in Brazil, closely modelled on the GDPR.

Overview

Brazil's Lei Geral de Proteção de Dados (LGPD), Law No. 13,709/2018, is Brazil's comprehensive personal data protection law. While it draws heavily from the GDPR's structure, it has important distinctions reflecting the Brazilian legal context. The law applies to the processing of personal data of individuals located in Brazil, regardless of where the data controller or processor is established.

LGPD recognises ten legal bases for processing personal data, going beyond GDPR's six, including: consent, legal obligation, execution of public policy, research, contract, exercise of rights, protection of life, health protection, legitimate interest, and credit protection. The law applies to both natural persons and legal entities in the public and private sectors and covers processing carried out in Brazil, for data subjects in Brazil, or involving data collected in Brazil.

The ANPD, Brazil's data protection authority, was structurally consolidated and given full sanctioning powers in 2021. It has been progressively issuing regulations, guidance, and enforcement actions, including its first major fine in 2023. For organisations operating in Brazil, LGPD compliance is increasingly table-stakes for doing business.

Scope & Applicability

LGPD applies to any natural person or legal entity, whether public or private, that processes personal data: (a) in Brazil; (b) with the objective of offering or providing goods or services in Brazil; (c) relating to data subjects located in Brazil; or (d) where the personal data was collected in Brazil. Exemptions exist for purely personal, journalistic, academic, artistic, literary, and national security processing.

Key Principles

  1. Purpose: processing must be for legitimate, specific, explicit, and informed purposes
  2. Adequacy: processing must be compatible with the stated purpose
  3. Necessity: only data strictly necessary for the purpose may be processed
  4. Free Access: data subjects must have free, easy access to their data and processing information
  5. Quality of Data: data must be accurate, clear, relevant, and up to date
  6. Transparency: clear and accurate information about processing must be provided
  7. Security: appropriate technical and administrative measures must protect data
  8. Non-Discrimination: processing must not enable unlawful or abusive discrimination

Data Subject Rights

Right of Confirmation and Access

Data subjects can confirm whether their data is being processed and access that data, including information about the purposes, duration, and identity of sharing partners.

Right to Correction

Data subjects can request correction of incomplete, inaccurate, or outdated personal data.

Right to Anonymisation, Blocking, or Deletion

Data subjects can request anonymisation, blocking, or deletion of unnecessary, excessive, or unlawfully processed data.

Right to Data Portability

Data subjects can request portability of their data to another service or product provider upon ANPD regulation.

Right to Information on Sharing

Data subjects have the right to know with which public and private entities the controller has shared their data.

Right to Revoke Consent

Where consent is the legal basis, data subjects can revoke it at any time through a clear and free procedure.

Right to Object

Data subjects can object to processing carried out on a legal basis other than consent in cases of non-compliance with LGPD.

Business Obligations

Appoint a Data Protection Officer (Encarregado)

Controllers must publicly appoint a DPO (Encarregado) responsible for receiving complaints, communications, and serving as a channel between the controller, data subjects, and the ANPD.

Maintain Processing Records

Controllers must maintain records of personal data processing activities, especially where processing is based on legitimate interest.

Conduct Privacy Impact Assessments

DPIAs are required for processing based on legitimate interest and recommended by the ANPD for other high-risk activities.

Respond to Data Subject Requests

Requests must be confirmed immediately and fully responded to within 15 days under a simplified free procedure.

Incident Notification

The ANPD and affected data subjects must be notified of security incidents that may cause relevant risk or harm, within a reasonable period (ANPD guidance recommends within 2 working days).

Legal Basis Documentation

Controllers must identify and document one of the ten LGPD legal bases for each processing activity.

Cross-Border Transfer Rules

International transfers of personal data are permitted only to countries or international organisations that provide adequate data protection (as determined by the ANPD), or when the controller provides adequate safeguards through standard contractual clauses, binding corporate rules, or other instruments approved by the ANPD. Specific derogations permit transfers where the data subject has given specific consent, for execution of an international treaty, or for essential public policy reasons. The ANPD has been progressively developing its adequacy assessment framework.

Breach Notification Requirements

Notification Timeline

Within a 'reasonable period' — ANPD guidance recommends notification within 2 working days from awareness of the incident

Notify Authority

Autoridade Nacional de Proteção de Dados (ANPD) via the official incident notification portal

Notify Individuals

Affected data subjects must be notified when the breach may cause relevant harm or risk to them

How TruePrivacy Helps

Purpose-built tools for every LGPD obligation.

LGPD DSR Automation

Purpose-built workflows for Brazil's 15-day response window, with automated data discovery, identity verification, and response generation in Portuguese.

Ten Legal Bases Mapping

TruePrivacy maps each processing activity to one of LGPD's ten legal bases and surfaces documentation gaps before an ANPD inquiry.

Encarregado (DPO) Portal

A dedicated portal for the DPO to manage data subject requests, incident reports, and communications with the ANPD.

Breach Notification Workflows

Automated ANPD incident notification templates with 2-working-day tracking ensure timely reporting of security incidents.

International Transfer Management

Maintain an inventory of cross-border data flows and attach ANPD-approved transfer mechanisms to each one.

Ready to achieve LGPD compliance?

TruePrivacy automates your compliance workflows so your team can focus on what matters.