Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
🔒 International Privacy

LGPD – Lei Geral de Proteção de Dados (Brazilian General Data Protection Law)

Brazil's LGPD is the country's comprehensive data protection law effective since September 2020, closely modeled on the European GDPR.

LinkedIn X WhatsApp

Summary

The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law. Enacted in 2018 and effective September 2020, the LGPD is closely modeled on the European GDPR and establishes a unified data protection regime for public and private entities in Brazil.

  • Legal bases: 10 defined legal bases for data processing including consent, contract performance, legitimate interest, and legal compliance.
  • Data subject rights: Access, correction, deletion, portability, withdrawal of consent, and information about sharing.
  • Supervisory authority: Autoridade Nacional de Proteção de Dados (ANPD).
  • Fines: Up to 2% of Brazilian annual revenue, capped at BRL 50 million per violation.

History

Brazil long lacked a unified data protection law; individual provisions were scattered across statutes such as the Marco Civil da Internet (2014) and the Código de Defesa do Consumidor. Momentum for comprehensive legislation grew in the early 2010s, accelerated by Edward Snowden's 2013 revelations about US surveillance of Brazilian communications.

The LGPD was enacted on August 14, 2018. Its effective date was postponed several times, most recently due to the COVID-19 pandemic. The substantive provisions entered into force on September 18, 2020, with enforcement sanctions following on August 1, 2021. The supervisory authority ANPD was established in 2020 and has since been actively issuing guidelines and regulations.

Scope

The LGPD applies to any processing of personal data that takes place in Brazil, is aimed at offering goods or services in Brazil, or involves data of individuals located in Brazil – regardless of where the data controller is established. Both public and private entities are covered.

Exceptions include:

  • Purely private, non-commercial processing by natural persons
  • Processing exclusively for journalistic, academic, artistic, or literary purposes
  • Processing for public security, national defense, and state security purposes
  • Data of individuals located outside Brazil not collected within Brazil

Key Requirements

  • Legal basis: All processing must rest on one of 10 statutory legal bases.
  • Transparency: Clear and accessible information about data processing practices.
  • Data subject rights: Confirmation, access, correction, anonymization/blocking/deletion, portability, information about third-party sharing, withdrawal of consent, right to object.
  • Data Protection Officer (DPO): Appointment of an "Encarregado" recommended; mandatory for certain controllers as determined by ANPD.
  • Privacy by Design and by Default.
  • Data breach notification: Notification to ANPD and affected individuals in the event of serious incidents.
  • International data transfers: Only permitted under specific conditions (adequacy decision, contractual guarantees, consent).
  • Data Protection Impact Assessment (RIPD): Required for high-risk activities.

Related Frameworks

Privacy/DatenschutzGDPR/DSGVO

Content last reviewed: 22 February 2026. Found an error or need an update? [email protected]