
What is the LGPD? Brazil’s New Data Protection Law

Updated: Jul 16, 2021

What is the LGPD's Essence?

The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or LGPD) was passed by the Brazilian National Congress on August 14, 2018, and came into force on August 15, 2020.

The LGPD establishes nine rights for data subjects, specifies what constitutes personal data, and provides ten legal bases for lawful data processing.

It also established the Autoridade Nacional de Proteção de Dados (ANPD), Brazil's new national data protection authority, which is in charge of overseeing, guiding, and enforcing the country's administrative penalties.

A big difference from the GDPR is that a Data Protection Officer (DPO) is mandatory for all data controllers. In addition, the LGPD makes data breach notification compulsory.

Who is covered by the LGPD?

It is stated in Article 3 of the LGPD that it applies to:

  • Data processing within the territory of Brazil

  • Data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located

  • Data processing of data collected in Brazil

This means the law safeguards not only the personal information of Brazilian citizens, but also that of anyone whose data was gathered or processed while in the country.

Organizations must document the processing of personal data from beginning to end, including a description of what is collected, why it is gathered and processed, how long it is kept, and with whom it is shared.

For data breaches and data leaks, as well as non-compliance with the LGPD, data controllers or processors can be held jointly or separately accountable.

Who is not subject to the LGPD?

The LGPD does not apply to the following:

  • Data processed by a person for strictly personal purposes

  • Data exclusively for journalistic, artistic, literary or academic purposes

  • Data exclusively for national security, national defense, public safety, criminal investigations or punishment activities

What is the Autoridade Nacional de Proteção de Dados (ANPD) and What Does It Do?

Brazil's new data protection authority is the Autoridade Nacional de Proteção de Dados (ANPD).

Its major goals are to establish new regulations, develop technical standards, supervise and audit, educate, respond to data breach complaints, and impose sanctions.

What is the significance of the LGPD?

The LGPD is important because it is a privacy law with "extraterritorial applicability", which means that businesses that process personal data of Brazilians must comply with the LGPD regardless of where they are owned or run, similar to the GDPR or the CCPA.

The LGPD was established by the Brazilian government to reach an adequate agreement with the EU that allows a free flow of data between the two.



Information Technologies Team

