Brazilian General Data Protection Law Overview
1. Introduction
The Lei Geral de Proteção de Dados (LGPD) represents Brazil’s comprehensive data protection framework, inspired by the European Union’s GDPR. Enacted in 2018 and effective from September 2020, the LGPD establishes rules for collecting, processing, storing, and sharing personal data in Brazil. It marks Brazil’s first comprehensive data protection law, setting new standards for data privacy across South America.
The LGPD introduces significant changes to Brazil’s privacy landscape, establishing individual rights over personal data and creating obligations for organizations that handle such information. Unlike sector-specific regulations, it applies broadly across all industries and to both public and private entities, reflecting the modern digital economy’s data processing realities.
2. Scope and Application
The LGPD has broad territorial scope, applying to any organization that processes personal data in Brazil or handles data relating to Brazilian residents, regardless of the organization’s location.
Processing Activity | Territorial Connection | Examples |
---|---|---|
Processing in Brazil | Activities carried out in Brazilian territory | Local businesses, Brazilian branches of international companies |
Services to Brazil | Offering goods or services to Brazilian individuals | International e-commerce, digital services |
Brazilian Data Subjects | Data collected from individuals in Brazil | Online platforms, international services |
Protected Data Categories
Category | What It Includes | Special Requirements |
---|---|---|
Personal Data | Name and identification; contact information; location data; online identifiers | Basic protection measures required |
Sensitive Personal Data | Racial/ethnic origin; religious beliefs; health information; biometric data | Enhanced protection and specific legal bases needed |
Children’s Data | Any personal data of children; educational information; family details | Parental consent required, special safeguards |
3. Legal Bases for Processing
The LGPD establishes ten legal bases for processing personal data, similar to but slightly different from GDPR’s six bases. Organizations must identify and document the appropriate legal basis before processing begins.
Legal Basis | Plain Language Explanation | Example |
---|---|---|
Consent | Clear permission from the individual | Opting in to receive marketing communications |
Legal Obligation | Required by Brazilian law | Keeping employee records for tax purposes |
Legitimate Interest | Necessary for legitimate business purposes | Fraud prevention measures |
Research | Scientific, historical, or statistical studies | Academic research using anonymized data |
4. Data Subject Rights
The LGPD grants individuals specific rights over their personal data, requiring organizations to implement procedures for handling these rights requests effectively.
Right | What It Means | How It Works |
---|---|---|
Access | Right to know what data is held | Like being able to view your complete customer file |
Correction | Right to fix incorrect information | Like updating an old address in a database |
Deletion | Right to have data erased | Like having your account completely removed |
Portability | Right to transfer data elsewhere | Like moving your profile to a new service |
5. Enforcement and Penalties
The Brazilian Data Protection Authority (ANPD – Autoridade Nacional de Proteção de Dados) oversees LGPD enforcement. Organizations can face significant penalties for non-compliance, though the focus is on promoting compliance rather than punishment.
Violations can result in fines of up to 2% of an organization’s Brazilian revenue from the previous year, capped at 50 million reais (approximately US$10 million) per violation. The ANPD can also impose warnings, publicize violations, and require changes to business practices.