
Brazil LGPD Effective

In-depth LGPD go-live guide detailing enforcement scope, ANPD expectations, data subject rights operations, lawful bases, security controls, vendor oversight, and a pragmatic compliance roadmap for Brazil-focused teams.

Fact-checked and reviewed — Kodi C.


Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados, LGPD) entered into effect on 18 September 2020, establishing full data protection obligations for teams processing personal data in Brazil or offering goods and services to individuals in Brazil. With administrative sanctions applicable from 1 August 2021, companies must operationalize governance, lawful bases, rights handling, security, and vendor management controls that stand up to National Data Protection Authority (ANPD) oversight.

Enforcement scope and penalties

LGPD applies to processing operations conducted in Brazil, to the processing of data subjects located in Brazil, or to activities aimed at offering goods or services to individuals in Brazil, irrespective of where the data processor is located. The law covers personal data in digital and physical formats and protects both identified and identifiable individuals. Ten legal bases are available (including consent, legitimate interest, contract performance, legal obligation, credit protection, and fraud prevention), but each must be tied to a specific purpose, recorded, and communicated to data subjects.

Article 52 penalties include fines up to 2% of a company’s Brazilian revenue capped at BRL 50 million per violation, daily fines, public disclosure of infractions, deletion or anonymization orders, and partial or total prohibition of data processing. Sector regulators such as the Central Bank, SUSEP, and ANS may also issue complementary sanctions where sectoral regulations intersect with LGPD obligations.

ANPD oversight and guidance

The ANPD, formally operationalized in December 2020, is empowered to issue interpretative guidance, approve standard contractual clauses, authorize international transfers, and conduct investigations. Resolution CD/ANPD No. 1/2021 established its internal regulations and investigative procedures, including inspection requests and technical reports that can lead to sanctions or corrective determinations. Teams should monitor ANPD consultations and guidance notes, because they clarify expectations on legitimate interest assessments, children’s data, and breach notification timing.

Maintain a formal liaison channel with the ANPD through the designated Data Protection Officer (Encarregado). Ensure DPO contact information is prominent in privacy notices and continuously updated, and keep evidence of responses to ANPD inquiries or data subject escalations.

Data subject rights and fulfillment

LGPD grants rights to confirmation of processing, access, correction, anonymization, deletion of unnecessary or excessive data, portability, information on public and private sharing, and withdrawal of consent. Companies must respond “promptly” and often within 15 days. Establish authenticated intake channels (web forms, dedicated email, call center scripts) and identity verification steps proportional to risk. Build workflows that connect CRM, ERP, HR, marketing automation, and ticketing systems to retrieve, correct, and delete data without breaking business records or statutory retention obligations.

Track metrics for response times, denial rationales, and remediation actions. When denying a request—for example, because deletion would impair legal or regulatory compliance—document the legal basis and communicate it clearly to the requester. Provide machine-readable outputs for portability that follow ANPD guidance once published.

Review every processing activity and assign a primary legal basis. For legitimate interest, conduct a balancing test covering necessity, proportionality, safeguards, and reasonable expectations. For consent, ensure the request uses clear Portuguese language, is granular by purpose, and can be withdrawn through the same or easier channel. Avoid bundled consent for unrelated purposes and track timestamp, provenance, and version of consent wording for auditability. Children’s data (under 12) requires specific and highlighted consent from a parent or guardian, with age verification steps documented.
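The consent audit fields and rights-request handling described in the two sections above, as an added example that is not part of this briefing or any named product: one consent record per purpose (timestamp, provenance, wording version, withdrawal), plus a request tracker that computes the 15-day deadline, refuses a denial without a recorded legal basis, and lists overdue requests. Class names, field names, and the choice of 15 days as the tracked SLA are assumptions; the `ts` helper is a hypothetical convenience for parsing timestamps.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

RESPONSE_DAYS = 15  # the response window the briefing cites for most rights requests

def ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso)  # e.g. ts("2021-08-02T09:00")

@dataclass
class Consent:
    """One record per purpose, carrying the audit fields the briefing lists."""
    subject_id: str
    purpose: str
    wording_version: str   # version of the Portuguese consent text shown
    provenance: str        # capture channel, e.g. "web-form" or "call-center"
    granted_at: datetime
    withdrawn_at: datetime | None = None

class ConsentLedger:
    def __init__(self):
        self.records: list[Consent] = []
    def grant(self, subject_id, purposes, version, provenance, when):
        # Granular by purpose: one record each, so a later withdrawal is never bundled.
        self.records += [Consent(subject_id, p, version, provenance, when) for p in purposes]
    def withdraw(self, subject_id, purpose, when):
        for r in self.records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = when
    def has_consent(self, subject_id, purpose, at):
        return any(r.subject_id == subject_id and r.purpose == purpose and r.granted_at <= at
                   and (r.withdrawn_at is None or r.withdrawn_at > at) for r in self.records)

@dataclass
class RightsRequest:
    request_id: str
    right: str             # e.g. "access", "deletion", "portability"
    received_at: datetime
    closed_at: datetime | None = None
    denial_basis: str | None = None  # legal basis recorded whenever a request is refused
    @property
    def deadline(self):
        return self.received_at + timedelta(days=RESPONSE_DAYS)
    def deny(self, when, legal_basis):
        if not legal_basis:
            raise ValueError("a denial must record the legal or regulatory basis")
        self.closed_at, self.denial_basis = when, legal_basis

def overdue(requests, now):
    """Open requests past their deadline: the input to the response-time metric."""
    return [r.request_id for r in requests if r.closed_at is None and now > r.deadline]
```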

Update privacy notices to include purposes, legal bases, categories of data, recipients, retention periods, international transfer mechanisms, rights, and DPO contact details. Provide equivalent transparency at offline collection points such as retail stores and call centers, not just on digital interfaces.

Data inventory, minimization, and retention

Conduct a data mapping exercise cataloguing processing purposes, systems, data elements (including sensitive personal data such as racial or ethnic origin, health data, biometric data, and children’s data), retention periods, storage locations, and recipients. Maintain Records of Processing Activities (RoPAs) similar to GDPR Article 30 but tailored to LGPD terminology and lawful bases. Use automated discovery tools where possible and validate with business process owners.

Apply data minimization by pruning collection forms, disabling unused system fields, and deleting redundant datasets. Create a retention schedule that reconciles LGPD principles with Brazilian civil, tax, labor, and consumer protection retention mandates. Implement deletion and anonymization routines with evidence logs, and periodically review archival storage to prevent silent retention creep.

Security controls and incident response

LGPD requires technical and organizational measures proportionate to processing risks. Align controls with ISO 27001, NIST CSF, or Brazil’s Complementary Law 105/2001 for financial secrecy where applicable. Enforce role-based access, strong authentication, encryption in transit and at rest, network segmentation, secure software development practices, vulnerability management, and continuous monitoring. Pay particular attention to systems handling sensitive personal data or large-scale profiling.

Update incident response plans to incorporate LGPD breach notification. While the statute refers to a “reasonable time,” ANPD and sector regulators may define shorter windows. Prepare decision trees to evaluate risk to data subjects, draft notice templates for ANPD and affected individuals, and coordinate with PROCON consumer agencies when consumer harm is plausible. Run tabletop exercises that include marketing, legal, and communications to avoid over- or under-reporting.

Vendor management and international transfers

Inventory processors, sub-processors, and joint controllers. Update contracts to include LGPD-required clauses: processing instructions, confidentiality, sub-processor approval, security standards, breach notification timelines, and audit rights. For multinational groups, map cross-border transfers and apply appropriate mechanisms—currently contractual clauses, global corporate rules, or specific consent—pending ANPD’s approval of standard contractual clauses and Binding Corporate Rules.

Assess vendors on their ability to honor data subject rights, delete or return data at contract termination, and provide incident cooperation. Maintain evidence of due diligence, including SOC 2/ISO 27001 reports, pen test summaries, and data flow diagrams.

Employment, marketing, and sector nuances

For HR data, balance legitimate interest with labor law obligations (for example, CLT record-keeping, social security, tax). Provide candidate and employee notices that explain monitoring, background checks, and retention periods. For marketing, rely on consent or legitimate interest aligned with consumer expectations; provide straightforward opt-outs in Portuguese on email, SMS, and app channels.

Highly regulated sectors face overlapping rules. Financial institutions should align LGPD controls with Central Bank Resolution 4,658/2018 cybersecurity requirements. Health providers must reconcile LGPD with ANS and Ministry of Health data rules, and telecom operators should integrate LGPD with Anatel data retention obligations.

Documentation and accountability

LGPD’s accountability principle requires demonstrable evidence of compliance. Maintain a policy library covering data protection, data retention, incident response, and third-party management. Keep training records, DPIA templates, and audit logs for rights requests, consent changes, and vendor reviews. When relying on legitimate interest, archive the balancing assessments and mitigation steps taken (pseudonymization, data minimization, opt-outs).

Regularly brief executive leadership and the board on LGPD risk, enforcement developments, and remediation progress. Tie privacy metrics to business KPIs—customer trust scores, incident frequency, and time-to-fulfil rights requests—to sustain investment and oversight.

Action: Teams that operate in Brazil or target Brazilian residents should lock in governance, lawful bases, rights operations, security controls, and vendor oversight now, ahead of escalating ANPD enforcement and sector regulator scrutiny. Treat LGPD as an ongoing program rather than a one-time project to keep pace with emerging guidance and cross-border data transfer requirements.
