Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

LGPD: All you need to know about Brazil’s General Data Protection Law 🔐 Comparison with GDPR


What is LGPD in Brazil?

The Brazilian Data Protection Law (Lei Geral de Proteção de Dados Pessoais, in short: LGPD) is a federal law containing 10 legal bases for the processing of personal data. The law was designed in part as a step to achieve “compliance” with the European GDPR, in order to share data with the EU.

The LGPD’s main objectives are privacy protection, ensuring openness; encouraging progress and development; standards harmonization; legal safety; and promoting market competitiveness.

The Brazilian Data Protection Law brings together 40 existing laws to regulate the processing of personal data of individuals or legal persons.

After several delays, the law entered into force in 2020. A transitional period of 1 year was given for businesses to comply with the law.

Read on to find out if the LGPD also applies to you!

Provisions of the LGPD Law

  • Setting the guiding principles for the processing of personal data

  • Providing consumers with a set of rights over their data

  • Rules regarding data breach reporting

  • The law also establishes a Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados = ANPD)

The “Lei Geral de Proteção de Dados” (LGPD), is a long and detailed law that significantly affects everyday business in Brazil. A solid understanding of LGDP is a must for any business with Brazilian clients, customers, partners. The maximum penalty for leaking personal data is R$ 50 million or up to 2 percent of the organization’s annual revenue.

We’ll look at the law a little deeper below. Let’s start:

Who does the LGPD apply to?

The LGPD applies to organizations worldwide that have any connection with people in Brazil. Whether it’s customers, employees, business partners, or contractors. International privacy laws often share the characteristic of including an extraterritoriality element, just like GDPR or CCPA do.

If a company directly or indirectly deals with Personally Identifiable Information (PII) from people outside it, then the control and management of that data must fully comply with the law.

By external persons, we include all stakeholders that a company may have, such as: customers, suppliers, visitors, service providers, leaders, etc. Since every company deals with data from outsiders, it can be said that the requirements of this law cover every company. LGPD is not limited to businesses of a particular size or turnover.

The LGDP will cover you or your organization if it’s:

  • Processing personal data in Brazil, or data that was collected in Brazil

  • Processing the personal data of people in Brazil, or

  • Offering goods or services to Brazilian clients and consumers

Exceptions to the LGPD law:

LGPD does not apply in case when:

  • you carried out processing personal data exclusively for private, non-profit, journalistic, artistic and/or academic purposes

  • the processing of personal data is carried out exclusively for the purpose of public and state security, national defense, or investigation and prosecution of crimes

  • shared with Brazilian data processing agents, is subject to international transfer to a country besides the country of origin, or originates outside of Brazil and is not subject to communication

What are Brazil’s LGPD consumer’s rights?

The LGDP provides nine rights for individuals over their personal data.

The controller protects and facilitates the individual’s personal data rights.

The nine ‘data subject rights’:

  1. right of the person to confirm that their personal data is being processed

  2. right of access to personal data

  3. right to correction of incomplete, incorrect or outdated personal data

  4. right to anonymize, block or delete any unnecessary, excessive, or inconsistent personal data

  5. the right to ask the data controller to move their personal data to another service or product provider (data portability)

  6. right to erasure of their personal data (with exceptions, according to Article 16)

  7. right to information about public or private entities with whom their personal data is shared, as well as why it is shared

  8. right to provide information about own rights and to refuse to consent to the processing of one’s personal data and the consequences of refusal

  9. right to revoke the consent to the processing of their personal data

The European General Data Protection Regulation GDPR inspired the origin of Lei Geral de Proteção de Dados. What the GDPR is to residents of Europe, the LGDP is to residents of Brazil. LGPD is similar to GDPR in many ways, however, there are a few differences.

In the following, we will make a short comparison of these two laws, highlighting the key differences between them.


1. Who does the law apply to?

LGDP: Residents of Brazil

GDPR: Residents of the EU

2. What are the differences in the legal basis for processing?

The LGPD covers some legal bases for processing personal data, which are not covered by GDPR. Among them, we include: credit protection, credit analysis; protection of health; anonymization of personal data (where possible); and exercise of rights in administrative, arbitration, or judicial proceedings.

3. Who must comply?

LGDP: Any organization that processes personal data of Brazilian residents, regardless of its location

GDPR: Any organization that processes personal data of European residents regardless of its location

4. Is a DPO 👮 required?

LGDP: required under certain circumstances

GDPR: DPO is mandatory

5. What are the penalties?

LGPD: The greater of 2% of annual revenues or R51 million

GDPR: Up to 4% of annual revenue or up to 20 million euros for violation

It is characteristic of Brazil that there is no real authority to whom you should report an incident for data breach. Instead, investigations, fines and other punitive measures are initiated by Brazilian agencies that monitor the rights of data subjects. Such is the case with the Ministry of Public Affairs.

The deadline for reporting the incident is specified as a “reasonable time”, unlike the GDPR, where the deadline is set at 72 hours.

Does the LGPD apply to your organization?

YES! If:

✔️ Your organization operates in Brazil

✔️ Your organization operates anywhere in the world, but processes the data of any individual in Brazil

The degree of application depends on the nature of your business.

Bottom line 🔐

Today, the LGDP is an effective law which prevents the misuse of personal data by regulating how businesses and organizations can collect, use and handle personal data. It increases accountability by supplementing or replacing existing federal sector privacy laws. LGDP also enables the creation of a Data Protection Authority.

It’s of huge importance for you to evaluate the processing of personal data and determine whether the requirements of the LGPD apply to you.Then consult with a legal expert or a trustworthy Data Compliance Service, who will determine the extent of applicability to your business and provide guidance on the specific requirements of the LGPD that apply specifically to your organization!



Log in or Sign up to comment
AUG Leaders

Atlassian Community Events