The Lei Geral de Proteção de Dados (LGPD) is Brazil’s comprehensive data protection law, enacted in August 2020. It governs how personal data is collected, processed, and stored in Brazil, regardless of where the data processor is located. Modeled partly after the GDPR, the LGPD applies to any business handling personal data of Brazilian residents and aims to strengthen individual privacy rights and unify over 40 existing laws.

Core Principles and Rights

The LGPD establishes ten legal bases for processing personal data, including consent, legal obligation, and legitimate interest. It grants individuals rights such as confirmation of processing, access to data, correction of inaccuracies, deletion of unnecessary or excessive data, and data portability. Organizations must also provide clear privacy notices and ensure data is only used for specific, lawful purposes. The law covers both digital and physical records.

Compliance and Enforcement

To comply, businesses must appoint a Data Protection Officer (DPO), create transparent privacy policies, and adopt security measures to protect data. Affected organizations should conduct data mapping, review third-party contracts, and establish mechanisms for handling data subject requests. The LGPD is enforced by Brazil’s National Data Protection Authority (ANPD), which can issue warnings, fines of up to 2% of a company’s revenue (capped at 50 million BRL), and even suspend data processing activities.

LGPD represents Brazil’s commitment to digital rights and is essential for any organization doing business in or with Brazil.