Brazil Data Protection

Brazilian General Data Protection Law Overview

1. Introduction

The Lei Geral de Proteção de Dados (LGPD) represents Brazil’s comprehensive data protection framework, inspired by the European Union’s GDPR. Enacted in 2018 and effective from September 2020, the LGPD establishes rules for collecting, processing, storing, and sharing personal data in Brazil. It marks Brazil’s first comprehensive data protection law, setting new standards for data privacy across South America.

The LGPD introduces significant changes to Brazil’s privacy landscape, establishing individual rights over personal data and creating obligations for organizations that handle such information. Unlike sector-specific regulations, it applies broadly across all industries and to both public and private entities, reflecting the modern digital economy’s data processing realities.

2. Scope and Application

The LGPD has broad territorial scope, applying to any organization that processes personal data in Brazil or handles data relating to Brazilian residents, regardless of the organization’s location.

| Processing Activity | Territorial Connection | Examples |
|---|---|---|
| Processing in Brazil | Activities carried out in Brazilian territory | Local businesses, Brazilian branches of international companies |
| Services to Brazil | Offering goods or services to Brazilian individuals | International e-commerce, digital services |
| Brazilian Data Subjects | Data collected from individuals in Brazil | Online platforms, international services |

Protected Data Categories

| Category | What It Includes | Special Requirements |
|---|---|---|
| Personal Data | Name and identification; contact information; location data; online identifiers | Basic protection measures required |
| Sensitive Personal Data | Racial/ethnic origin; religious beliefs; health information; biometric data | Enhanced protection and specific legal bases needed |
| Children’s Data | Any personal data of children; educational information; family details | Parental consent required, special safeguards |

3. Legal Bases for Processing

The LGPD establishes ten legal bases for processing personal data, similar to but slightly different from GDPR’s six bases. Organizations must identify and document the appropriate legal basis before processing begins.

| Legal Basis | Plain Language Explanation | Example |
|---|---|---|
| Consent | Clear permission from the individual | Opting in to receive marketing communications |
| Legal Obligation | Required by Brazilian law | Keeping employee records for tax purposes |
| Legitimate Interest | Necessary for legitimate business purposes | Fraud prevention measures |
| Research | Scientific, historical, or statistical studies | Academic research using anonymized data |

4. Data Subject Rights

The LGPD grants individuals specific rights over their personal data, requiring organizations to implement procedures for handling these rights requests effectively.

| Right | What It Means | How It Works |
|---|---|---|
| Access | Right to know what data is held | Like being able to view your complete customer file |
| Correction | Right to fix incorrect information | Like updating an old address in a database |
| Deletion | Right to have data erased | Like having your account completely removed |
| Portability | Right to transfer data elsewhere | Like moving your profile to a new service |

5. Enforcement and Penalties

The Brazilian Data Protection Authority (ANPD – Autoridade Nacional de Proteção de Dados) oversees LGPD enforcement. Organizations can face significant penalties for non-compliance, though the focus is on promoting compliance rather than punishment.

Violations can result in fines of up to 2% of an organisation’s Brazilian revenue from the previous year, capped at 50 million reais (approximately US$10 million) per violation. The ANPD can also impose warnings, publicize violations, and require changes to business practices.
