LGPD: Complete Guide for Brazilian Businesses

Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13,709/2018, is the country’s comprehensive data protection framework. In force since September 2020, with administrative sanctions applicable from August 2021, the LGPD establishes clear rules on how organizations must collect, store, process, and share personal data. With the Autoridade Nacional de Proteção de Dados (ANPD) actively regulating and enforcing, understanding your obligations under the LGPD is no longer optional — it is an operational and legal necessity.

LGPD Principles

The LGPD establishes ten principles in Article 6 that must guide all personal data processing activities:

1. Purpose (Finalidade). Processing must be carried out for legitimate, specific, explicit purposes that are communicated to the data subject. You cannot collect data without a clear, documented objective.

2. Adequacy (Adequação). Processing must be compatible with the purposes communicated to the data subject. The data collected must be relevant and proportional to what is necessary.

3. Necessity (Necessidade). Processing must be limited to the minimum necessary to achieve its purposes. This principle combats excessive data collection.

4. Free access (Livre acesso). Data subjects must have easy and free access to information about the form and duration of processing, as well as the entirety of their personal data.

5. Data quality (Qualidade dos dados). Accuracy, clarity, relevance, and currency of data must be guaranteed in accordance with the purpose of processing.

6. Transparency (Transparência). Clear, precise, and easily accessible information about processing and the respective processing agents must be provided.

7. Security (Segurança). Technical and administrative measures must be used to protect personal data from unauthorized access and accidental or unlawful situations.

8. Prevention (Prevenção). Measures must be adopted to prevent harm arising from the processing of personal data.

9. Non-discrimination (Não discriminação). Processing may not be carried out for unlawful or abusive discriminatory purposes.

10. Accountability (Responsabilização e prestação de contas). The processing agent must demonstrate the adoption of effective measures capable of proving compliance with the rules.

Who Must Comply With the LGPD

The LGPD has broad extraterritorial application (Article 3). It applies to any personal data processing operation that:

  • Is carried out in Brazilian territory
  • Has the purpose of offering or providing goods or services to individuals located in Brazil
  • Involves personal data collected in Brazilian territory

Extraterritorial reach. A company based in Portugal, the United States, or Germany that offers products or services to Brazilian consumers or collects data from people in Brazil is subject to the LGPD. This reach is comparable to that of the European GDPR (Article 3 of the GDPR).

Exceptions. The LGPD does not apply to processing carried out by a natural person for exclusively private and non-economic purposes, for exclusively journalistic, artistic, or academic purposes, or by the state for public security, national defense, and criminal investigation purposes (Article 4).

Legal Bases for Processing

The LGPD establishes ten legal bases in Article 7 that authorize the processing of personal data. Every processing operation must be founded on at least one of them:

1. Consent of the data subject. Must be free, informed, unambiguous, and provided for a specific purpose. Consent can be revoked at any time.

2. Compliance with a legal or regulatory obligation.

3. Execution of public policies by the public administration.

4. Research studies by research bodies.

5. Contract execution or preliminary procedures related to a contract to which the data subject is a party.

6. Regular exercise of rights in judicial, administrative, or arbitral proceedings.

7. Protection of life or physical safety of the data subject or a third party.

8. Health protection in procedures carried out by health professionals or health entities.

9. Legitimate interest of the controller or a third party. Requires a proportionality test (Article 10) balancing the controller’s interests with the data subject’s rights and expectations.

10. Credit protection.

For sensitive data (Article 11), the legal bases are more restricted: specific consent or necessity for compliance with a legal obligation, execution of public policies, research, exercise of rights, protection of life, or health protection.

Data Subject Rights

Article 18 of the LGPD guarantees data subjects a comprehensive set of rights:

Confirmation and access. The data subject may request confirmation of the existence of processing and access to their personal data.

Correction. Right to request correction of incomplete, inaccurate, or outdated data.

Anonymization, blocking, or deletion. Right to request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.

Portability. Right to request the portability of data to another service or product provider, upon express request.

Deletion. Right to request deletion of personal data processed on the basis of consent.

Information about sharing. Right to obtain information about the public and private entities with which the controller has shared data.

Revocation of consent. Right to revoke consent at any time, by express declaration.

For a detailed comparison of data subject rights under the LGPD and the GDPR, see our article on LGPD vs GDPR: key differences.

Data Protection Officer (Encarregado)

Article 41 of the LGPD requires the controller to appoint a Data Protection Officer (encarregado). The officer’s functions include:

  • Accepting complaints and communications from data subjects and providing clarification
  • Receiving communications from the ANPD and taking appropriate action
  • Advising employees and contractors on data protection practices
  • Performing other duties assigned by the controller or established by supplementary regulations

The ANPD may establish supplementary rules on the waiver of DPO appointment for small-scale processing agents.

Data Protection Impact Report

Article 38 of the LGPD provides that the ANPD may require the controller to prepare a data protection impact report (RIPD). This report must contain:

  • A description of the types of data collected
  • The methodology used for collection
  • Information security measures
  • The controller’s analysis regarding measures, safeguards, and risk mitigation mechanisms

While the ANPD has not yet fully regulated the criteria for mandatory RIPD preparation, it is highly advisable for businesses that process data at scale or handle sensitive data to prepare this document proactively.

International Data Transfers

The LGPD regulates international transfers of personal data in Article 33. Transfers are permitted:

  • To countries or international organizations that provide an adequate level of protection
  • When the controller offers guarantees of compliance with LGPD principles (specific contractual clauses, standard clauses, global corporate rules)
  • With the specific consent of the data subject
  • For compliance with a legal or regulatory obligation
  • For international legal cooperation

The ANPD has been working on regulating transfer mechanisms, including standard contractual clauses and adequacy criteria, in line with European GDPR mechanisms.

Sanctions and Penalties

Article 52 of the LGPD establishes a regime of administrative sanctions applicable by the ANPD:

Warning. With an indication of the deadline for adopting corrective measures.

Simple fine. Up to 2% of the revenue of the private legal entity, group, or conglomerate in Brazil in its last fiscal year, excluding taxes, limited to a total of BRL 50 million per infraction.

Daily fine. Subject to the same total limit of BRL 50 million.

Publication of the infraction. After it has been duly investigated and confirmed.

Blocking of the personal data related to the infraction until regularization.

Deletion of the personal data related to the infraction.

Partial suspension of the database operation for a maximum of 6 months, extendable for an equal period.

Suspension of the data processing activity for a maximum of 6 months, extendable for an equal period.

Partial or total prohibition of activities related to data processing.

The ANPD has already applied sanctions to Brazilian companies, including warnings and compliance orders, demonstrating that enforcement is active.

Four Approaches to LGPD Compliance

Hiring a specialized lawyer

Cost: BRL 15,000 to 50,000 for a comprehensive compliance program. Timeline: 4 to 8 weeks.

A lawyer specializing in data protection can conduct a complete mapping of data flows, draft internal policies, train teams, and structure incident response. Recommended for businesses with large data volumes or sensitive data.

Using a generic AI tool

Apparent cost: BRL 0. Real cost: the compliance gaps it creates.

Generic AI tools can generate text that resembles a privacy policy but cannot audit your actual data flows or ensure coverage of the ten legal bases and LGPD principles.

Copying a free template

Cost: BRL 0. Risk: high.

Free templates are generic, often outdated, and never adapted to your specific activity. The ANPD expects your privacy policy to reflect your actual processing practices.

Using a specialized generator

Cost: €19.90 to €49.90. Timeline: under 10 minutes.

A specialized generator asks targeted questions about your business and produces a privacy policy that addresses LGPD requirements, including legal bases, data subject rights, and transparency obligations.

To quickly check your site’s compliance, use our free compliance scanner. See also our LGPD vs GDPR comparison to understand key differences, and our guide on LGPD privacy policy requirements.

Conclusion

The LGPD has transformed the data protection landscape in Brazil. With clear principles, defined legal bases, comprehensive data subject rights, and sanctions reaching BRL 50 million, compliance is no longer an option — it is a legal obligation with real consequences. The ANPD is active in enforcement and rulemaking, and the regulatory framework continues to evolve. Every day without compliance is a day of unnecessary exposure to regulatory and reputational risk. Act now to protect your business and your customers’ trust.