LGPD

Lei Geral de Proteção de Dados (Brazil)

Brazil's general personal data protection law, in force since 2020, modelled closely on GDPR but with Brazil-specific authority and enforcement structure.

At a glance

Effective: 18 September 2020 (administrative sanctions applicable from 1 August 2021)
Authority: Autoridade Nacional de Proteção de Dados (ANPD)
Maximum fine: 2% of the entity's or group's revenue in Brazil for the prior fiscal year, capped at R$50M per violation
Vendor monitoring: Required (Art. 39: the controller must verify that the operator follows its instructions and the law)

The Lei Geral de Proteção de Dados (Law No. 13,709/2018) — LGPD — is Brazil's general personal data protection law, modelled closely on GDPR but adapted for the Brazilian context. The terminology mirrors GDPR: controlador (controller), operador (processor), titular (data subject), with parallel obligations.

Who it applies to

LGPD applies to any processing of personal data:

  • Carried out in Brazil,
  • Where the purpose of the activity is to offer or supply goods or services to individuals located in Brazil, or
  • Where the personal data was collected in Brazil. Data counts as collected in Brazil when the data subject was in Brazilian territory at the time of collection, regardless of where the collecting entity sits.

Like GDPR, it has extraterritorial reach.

Controller and processor obligations

LGPD's structure parallels GDPR:

  • Ten lawful bases for processing (Article 7), broader than GDPR's six.
  • Privacy notice with specified contents.
  • Data subject rights: confirmation of processing, access, correction, anonymisation, blocking, portability, deletion, information about sharing, withdrawal of consent.
  • Operator (processor) obligations: process only on the controller's instructions (Art. 39), apply the security measures of Art. 46, delete data at the end of the engagement, and engage sub-operators only with the controller's authorisation. The controller, not the operator, carries the duty to verify that instructions are being followed.
  • Data Protection Impact Report (Relatório de Impacto à Proteção de Dados Pessoais, RIPD) for processing that may pose high risk; ANPD may demand one (Art. 38).
  • Breach notification to ANPD and to affected data subjects within a "reasonable" period set by ANPD (Art. 48). ANPD's early guidance suggested 2 working days; its 2024 incident-notification regulation (Resolution CD/ANPD 15/2024) fixes the period at 3 working days from the controller's knowledge of an incident that may cause relevant risk or harm.

DPO (Encarregado)

Art. 41 requires every controller to appoint an Encarregado (data protection officer) and to publish the appointee's identity and contact details; ANPD's small-agent regulation (Resolution CD/ANPD 2/2022) exempts small businesses, start-ups and similar "agentes de tratamento de pequeno porte" from the appointment, though they must still publish a contact channel. The statutory duties are to receive complaints and communications from data subjects and respond to them, to receive communications from ANPD, and to guide the organisation's staff and contractors on data protection practice. The role resembles GDPR's DPO but the statute itself says little about independence or reporting lines; those expectations come from ANPD regulation and guidance rather than from the law's text.

International transfers

Art. 33 permits international transfers only in listed circumstances, including:

  • To countries or international bodies that ANPD recognises as providing adequate protection. Adequacy decisions are ANPD's to issue; to date it has designated few or no jurisdictions, so in practice almost all transfers rest on one of the other mechanisms.
  • Where the controller offers and proves safeguards equivalent to LGPD: ANPD's standard contractual clauses, specific contractual clauses approved by ANPD, global corporate rules (the BCR equivalent), or approved codes of conduct and certifications.
  • With the data subject's specific and highlighted consent, given with prior information about the international character of the transfer.
  • For specific necessities: compliance with a legal or regulatory obligation, performance of a contract at the data subject's request, exercise of rights in proceedings, protection of life or physical safety, and international legal cooperation.

ANPD's international transfer regulation (Resolution CD/ANPD 19/2024) published the standard contractual clauses. Using them is not mandatory, because the other mechanisms remain available, but a transfer that relies on the SCC mechanism must use ANPD's text as published, without modification; contracts concluded before the regulation were given a 12-month window to adapt.

What vendor monitoring looks like under LGPD

LGPD's similarity to GDPR means GDPR-style monitoring covers most LGPD obligations. Brazil-specific considerations:

  • ANPD adequacy list. Far shorter than the EU equivalent; treat every transfer out of Brazil as needing a documented mechanism, normally ANPD's standard clauses, and check that vendor contracts signed before Resolution 19/2024 have been migrated to the published text.
  • Sub-processor authorisation. The statute itself barely addresses sub-operators; the expectation that they be engaged only with the controller's authorisation comes from ANPD's guidance on processing agents, and there is no Article 28-style rule on notice or objection windows. Write the authorisation and notice terms into the contract rather than relying on the law to supply them.
  • Data subject rights window. Shorter than GDPR's one month: Art. 19 requires confirmation of processing and access to be provided either immediately in simplified form or within 15 days in a complete, clear declaration. Vendor SLAs for rights requests need to leave the controller room inside that 15-day statutory period.
  • Sensitive personal data. Art. 5 II defines it as data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or of a religious, philosophical or political organisation, health or sex life, and genetic or biometric data. Processing it is limited to the narrower set of bases in Art. 11; confirm that a vendor handling such data operates under one of them.

Enforcement

ANPD became fully operational in 2021, gained autonomous agency status in 2022, and issued its first administrative sanction in 2023. Enforcement themes so far:

  • Public-sector data handling.
  • Cross-border transfer mechanisms.
  • Breach notification timeliness.
  • Children's data.

The sanctions in Art. 52 are warnings with a deadline for corrective measures, simple fines of up to 2% of revenue in Brazil (capped at R$50M per violation), daily fines up to the same cap for ongoing violations, publication of the violation, blocking of the personal data involved until the violation is remedied, elimination of that data, partial suspension of the database for up to six months (renewable), suspension of the processing activity for up to six months (renewable), and partial or total prohibition of processing activities. Fines are calculated on the entity's or group's revenue in Brazil for the previous fiscal year, net of taxes.
