
Brazil’s LGPD enters into force with immediate controller obligations

Brazil’s Lei Geral de Proteção de Dados became effective on 18 September 2020, activating lawful basis, transparency, data subject response, and processor oversight duties ahead of administrative sanctioning in August 2021.

Reviewed for accuracy by Kodi C.

Brazil's Lei Geral de Proteção de Dados (LGPD) took effect on 18 September 2020, establishing full data protection requirements for organizations processing Brazilian residents' personal data. The law draws heavily from GDPR while incorporating Brazilian constitutional privacy principles and administrative enforcement mechanisms.

Lawful Bases for Processing

Consent requirements under LGPD mandate specific, informed, unambiguous consent for data processing, with heightened requirements for sensitive personal data including health information, biometric data, and data revealing racial origin, religious beliefs, or political opinions. Unlike GDPR, LGPD consent cannot be bundled with other terms and must be provided separately.

Legitimate interest permits processing where data controller interests do not override data subject rights, requiring documented balancing assessments. LGPD explicitly lists legitimate interest factors including fraud prevention, network security, and direct marketing within reasonable expectations.

Contract performance supports processing necessary to fulfill contractual obligations with the data subject or take pre-contractual steps at their request. This basis commonly supports customer relationship management and service delivery activities.

Legal obligation permits processing required by Brazilian law, including regulatory reporting, tax compliance, and judicial orders. Organizations must identify specific legal provisions justifying processing under this basis.

Data Subject Rights

Access and portability rights enable data subjects to obtain copies of their personal data in structured, commonly used formats and transfer data to other controllers. Organizations must establish response procedures within 15-day statutory timeframes.

Correction and deletion rights require organizations to rectify inaccurate data and delete data no longer necessary for processing purposes, subject to legal retention obligations. Deletion requests must be communicated to third parties with whom data was shared.

Opposition and revocation rights permit data subjects to object to processing based on legitimate interest and revoke previously granted consent. Organizations must cease processing upon valid objection unless demonstrating compelling legitimate grounds.

ANPD Enforcement Authority

The Autoridade Nacional de Proteção de Dados (ANPD) serves as Brazil's data protection authority, with powers to issue binding guidance, conduct investigations, and impose administrative sanctions. The authority began issuing regulatory guidance and enforcement actions following its operational establishment in late 2020.

Penalty framework includes warnings, publicity of violations, blocking or deletion of data, and fines up to 2% of Brazilian revenues capped at 50 million reais per violation. The ANPD has discretion in penalty calculation, considering violation gravity, good faith, cooperation, and economic capacity.

Enforcement priorities have focused on consent validity, security incident response, and international data transfer compliance. The ANPD has issued supplementary regulations on data protection officers, security incidents, and international transfer mechanisms.

International Data Transfers

Adequacy determinations permit transfers to countries the ANPD recognizes as providing adequate protection. Initial adequacy assessments are pending, creating uncertainty for transfers outside standard contractual frameworks.

Standard contractual clauses provide the primary mechanism for transfers absent adequacy, requiring execution of ANPD-approved contractual provisions between exporters and importers. If you are affected, adopt SCCs consistent with ANPD guidance.

Binding corporate rules enable intra-group transfers for multinational organizations, subject to ANPD approval of group-wide data protection policies and governance mechanisms.

Implementation Priorities

If you are affected, appoint data protection officers where required, conduct data mapping exercises to identify processing activities and lawful bases, implement consent management for customer-facing applications, and establish incident response procedures meeting 2-day reporting requirements. International organizations should assess LGPD alignment with existing GDPR compliance programs while addressing Brazil-specific requirements.
