Brazil LGPD Compliance: Data Protection for Latin American Operations
Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD — Law No. 13,709/2018) entered into force on September 18, 2020, with enforcement by the Autoridade Nacional de Proteção de Dados (ANPD) beginning in August 2021. Brazil is the world's fifth-largest country by population and sixth-largest economy, making LGPD compliance essential for any organisation with Brazilian operations, customers, or employees.
Closely modelled on the EU's GDPR, LGPD introduces legal bases for processing, data subject rights, a DPO requirement, cross-border transfer restrictions, and fines of up to 2% of annual Brazilian revenue capped at R$50 million (~$10 million USD) per violation. The ANPD has issued its first significant fines and published sector-specific guidance — enforcement is no longer theoretical.
Key Takeaways
- LGPD applies to any organisation processing personal data of individuals in Brazil, regardless of where the organisation is based
- Ten legal bases for processing exist — none is a default; you must document the basis for each activity
- Consent under LGPD must be free, informed, unambiguous, and for a specific purpose — pre-ticked boxes do not qualify
- Sensitive personal data (race, religion, health, biometrics, political opinions, sexual orientation) requires explicit consent or specific exceptions
- Appointing a DPO (Encarregado) is mandatory for most controllers and processors
- Cross-border transfers are restricted — permitted mechanisms include adequacy decisions, standard contractual clauses, and certification schemes
- ANPD fines reach 2% of Brazilian revenue, capped at R$50 million per violation
- LGPD was updated by Law 13,853/2019, which strengthened ANPD's independence and clarified enforcement provisions
LGPD Scope and Territorial Application
LGPD applies to any processing of personal data that:
- Is carried out in Brazilian territory
- Has the purpose of offering goods or services to individuals located in Brazil
- Involves personal data collected in Brazil
Like GDPR's Article 3, this extraterritorial scope means a US company running a Portuguese-language eCommerce store serving Brazilian customers must comply with LGPD for those customers' data. A multinational with Brazilian employees must comply for employee data processing.
Exemptions from LGPD include:
- Processing carried out exclusively for private purposes, not for economic activity
- Processing for journalistic, artistic, or academic purposes
- Processing for public safety, national defence, or criminal investigation (covered by specific legislation)
- Data originating outside Brazil and not the subject of communication or shared use with Brazilian agents
However, these exemptions are narrowly interpreted. Most commercial processing does not qualify.
Legal Bases for Processing Personal Data
Article 7 of LGPD establishes ten legal bases for processing personal data. This differs from GDPR (which has six) and reflects Brazil's specific legislative context. Every processing activity must be documented against one of these bases:
| Legal Basis | Description |
|---|---|
| Consent | Free, informed, unambiguous, and purpose-specific consent |
| Legal obligation | Compliance with a legal or regulatory obligation |
| Public policy execution | Processing by public authorities for public policies |
| Research by research entities | With anonymisation where possible |
| Contract execution | To perform or prepare a contract with the data subject |
| Regular exercise of rights | In judicial, administrative, or arbitration proceedings |
| Legitimate interests | Where interests/fundamental rights of the data subject do not prevail (proportionality test required) |
| Protection of life | Protection of the life or physical safety of the data subject or third parties |
| Health protection | By health professionals or healthcare entities |
| Credit protection | Credit analysis and consumer protection |
Legitimate interests under LGPD is narrower than GDPR: controllers must balance the legitimate interest against the data subject's fundamental rights and freedoms. The ANPD's guidance indicates that this requires a documented three-part test similar to GDPR, and that commercial purposes alone do not automatically qualify.
Sensitive personal data (Article 11) includes data on racial or ethnic origin, religious belief, political opinion, trade union or religious organisation membership, health data, sex life, genetic or biometric data. Processing sensitive data requires explicit consent or one of seven specific legal bases (legal obligation, research, medical care, etc.). The consent standard for sensitive data is higher — explicit, separate from other consents, and purpose-specific.
Data Subject Rights Under LGPD
Article 18 of LGPD grants data subjects nine rights:
| Right | Description | Response Requirement |
|---|---|---|
| Confirmation | Confirm whether personal data is being processed | Without undue delay |
| Access | Access to personal data | Without undue delay |
| Correction | Correct incomplete, inaccurate, or outdated data | Without undue delay |
| Anonymisation, blocking, or deletion | Of unnecessary/excessive data or data processed unlawfully | Without undue delay |
| Portability | Transfer to another service/product provider | Per ANPD regulations |
| Deletion of consented data | Delete data processed based on consent | Without undue delay |
| Information about sharing | Know with whom data is shared | Without undue delay |
| Information about refusal | Consequences of refusing consent | Without undue delay |
| Revocation of consent | Revoke consent at any time, free of charge | Without undue delay |
Key differences from GDPR:
- LGPD includes a right to know the consequences of refusing consent — requiring pre-collection disclosure of what happens if a user declines
- "Without undue delay" is less prescriptive than GDPR's 30-day timeline — ANPD regulations are expected to specify timelines
- Portability rights are conditional on technical feasibility and ANPD regulations
Exercising rights: Data subjects submit requests to the controller. The controller must respond within 15 days (for confirmation and access requests) under ANPD Resolution CD/ANPD No. 4/2023. For other rights, controllers must respond without undue delay as defined by ANPD regulations.
Controller and Processor Obligations
Data Controller (Controlador): Determines the purposes and means of processing. Has primary LGPD obligations including legal basis documentation, privacy notices, data subject rights fulfilment, DPO appointment, ANPD reporting, and security measures.
Data Processor (Operador): Processes data on behalf of a controller under a contract. Processors share liability for violations where they do not follow controller instructions or act contrary to LGPD. Controllers must only use processors that provide sufficient guarantees of LGPD compliance.
Processor agreement requirements (Article 39): Controllers and processors must have a written contract covering:
- Personal data processing instructions
- Security obligations
- Confidentiality requirements
- Data subject rights support
- Data return or deletion obligations at contract termination
Joint controllers: LGPD does not explicitly address joint controller arrangements (unlike GDPR's Article 26), but ANPD guidance indicates that joint processing situations should be contractually addressed with clear allocation of responsibilities.
Data Protection Officer (Encarregado)
Article 41 requires controllers and processors to appoint a Data Protection Officer (Encarregado). Unlike GDPR, LGPD does not provide thresholds — the requirement appears to apply broadly to controllers and processors. The ANPD has indicated that smaller organisations and sole proprietorships may have reduced obligations, and ANPD Resolution CD/ANPD No. 2/2022 established simplified provisions for small data processors.
DPO (Encarregado) responsibilities:
- Act as a communication channel between the controller, data subjects, and the ANPD
- Receive data subject complaints and communicate with data subjects regarding their rights
- Receive communications from the ANPD and take appropriate action
- Advise internal employees on data protection practices
- Carry out other duties defined by the controller or established in ANPD regulations
Publication requirement: Controllers must publicly disclose the identity and contact information of the Encarregado, typically in the privacy policy.
Can be internal or external: Unlike GDPR, LGPD does not prohibit conflicts of interest for the DPO role, though best practice suggests the DPO should have sufficient independence. External DPO services from qualified consultants are widely used.
Security Requirements
Article 46 requires controllers and processors to adopt security, technical, and administrative measures to protect personal data from unauthorised access and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of improper or unlawful treatment.
The ANPD Resolution CD/ANPD No. 4/2023 and associated guidance specify minimum security requirements. Key technical measures include:
Access controls:
- Authentication mechanisms proportional to the sensitivity of the data
- Privilege limitation (minimum necessary access)
- Activity logging for access to sensitive data
Encryption:
- Encryption of sensitive personal data in storage
- Encryption for transmission of personal data
- Key management procedures
Data lifecycle management:
- Documented retention periods
- Secure deletion or anonymisation at end of retention period
Organisational measures:
- LGPD training for all employees handling personal data
- Privacy by design consideration in new systems
- Regular security assessments and audits
- Incident response procedures
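The data lifecycle and logging items above (documented retention periods, secure deletion or anonymisation at the end of the period, activity logging for sensitive data) are easiest to get right when enforced by a scheduled job rather than by hand. The following is an added example, not code from the original guide or from ECOSIRE: a retention sweep that deletes or anonymises expired records according to a per-category policy and emits an audit line for every action. The categories, retention periods, field names and sample records are constructed for illustration; LGPD requires that retention periods be documented, it does not prescribe them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed retention policy: category -> (retention days, action at expiry).
# The periods are illustrative assumptions, not values set by LGPD or the ANPD.
RETENTION_POLICY = {
    "marketing_consent": (365, "delete"),      # consent-based data: hard-delete when stale
    "order_history": (1825, "anonymise"),      # kept for legal obligation, then stripped of identifiers
    "health_record": (7300, "delete"),         # sensitive data: hard-delete, never merely anonymised
}

# Fields that carry no link to a natural person and may survive anonymisation (assumption).
NON_IDENTIFYING_FIELDS = {"total_brl", "city"}


@dataclass
class PersonalRecord:
    record_id: str
    category: str
    collected_on: date
    fields: Dict[str, str]
    sensitive: bool = False


def expiry_date(record: PersonalRecord) -> date:
    """End of the documented retention period for this record's category."""
    if record.category not in RETENTION_POLICY:
        # A record with no documented retention period is itself a compliance gap.
        raise ValueError(f"no retention period documented for category {record.category!r}")
    days, _ = RETENTION_POLICY[record.category]
    return record.collected_on + timedelta(days=days)


def anonymise(record: PersonalRecord) -> PersonalRecord:
    """Drop every field that could identify the data subject, keep only aggregate-safe fields."""
    kept = {k: v for k, v in record.fields.items() if k in NON_IDENTIFYING_FIELDS}
    return PersonalRecord(record.record_id, record.category, record.collected_on, kept, record.sensitive)


def run_retention_sweep(records: List[PersonalRecord], today: date) -> Tuple[List[PersonalRecord], List[str]]:
    """Apply the retention policy as of `today`.

    Returns the surviving records (unexpired ones untouched, expired 'anonymise'
    records stripped) and one audit-log line per delete or anonymise action.
    """
    survivors: List[PersonalRecord] = []
    audit_log: List[str] = []
    for record in records:
        _, action = RETENTION_POLICY[record.category]
        if today < expiry_date(record):
            survivors.append(record)
            continue
        if action == "delete":
            audit_log.append(
                f"{today.isoformat()} DELETE {record.record_id} "
                f"category={record.category} sensitive={record.sensitive}"
            )
        else:
            survivors.append(anonymise(record))
            audit_log.append(
                f"{today.isoformat()} ANONYMISE {record.record_id} category={record.category}"
            )
    return survivors, audit_log


# Constructed sample records (the personal data values are placeholders).
SAMPLE_RECORDS = [
    PersonalRecord("r1", "marketing_consent", date(2024, 1, 10), {"email": "ana@example.com"}),
    PersonalRecord("r2", "order_history", date(2020, 3, 1),
                   {"name": "Ana", "cpf": "000.000.000-00", "total_brl": "199.90", "city": "Recife"}),
    PersonalRecord("r3", "health_record", date(2025, 6, 1), {"diagnosis": "placeholder"}, sensitive=True),
]

if __name__ == "__main__":
    remaining, log = run_retention_sweep(SAMPLE_RECORDS, date(2025, 9, 1))
    for line in log:
        print(line)
    for r in remaining:
        print(r.record_id, r.category, r.fields)
```

Run on 2025-09-01, the sweep deletes the stale marketing record, anonymises the five-year-old order (leaving only the non-identifying amount and city) and keeps the recent health record. The audit lines are what the "activity logging" requirement expects to see; in production they would go to a write-once log store rather than stdout.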
Breach Notification
Article 48 requires controllers to notify the ANPD and affected data subjects of security incidents that may result in relevant risk or damage to data subjects. The LGPD itself sets no notification timeline; it only requires notification "within a reasonable period of time." The ANPD Resolution CD/ANPD No. 2/2023 on incident notification establishes a 2-business-day preliminary notification requirement for incidents affecting a large number of data subjects or involving sensitive data, with a detailed notification within 5 business days.
Notification content to ANPD:
- Nature of affected data and number of data subjects
- Likely consequences of the incident
- Measures implemented or planned to address the situation
- Identification of the DPO (Encarregado)
Notification to data subjects: When the incident may cause significant harm to data subjects, the ANPD may require notification to affected individuals, including the nature of the incident and measures taken to mitigate effects.
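Because the preliminary and detailed deadlines are counted in business days, an incident discovered late on a Friday does not have the same calendar deadline as one discovered on a Monday. The following added example (not code from the original guide or from ECOSIRE) computes both deadlines from the date the controller became aware of the incident and flags a late submission. It assumes the awareness day itself is not counted and that Saturdays, Sundays and any holidays supplied by the caller are skipped; the holiday set in the sample is constructed, not a Brazilian holiday calendar.

```python
from datetime import date, timedelta
from typing import Dict, FrozenSet

# Deadlines as stated in the guide's summary of ANPD Resolution CD/ANPD No. 2/2023.
PRELIMINARY_BUSINESS_DAYS = 2
DETAILED_BUSINESS_DAYS = 5


def add_business_days(start: date, count: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Advance `start` by `count` business days (Mon-Fri, excluding `holidays`).

    The start date itself is not counted (assumption, see lead-in).
    """
    current = start
    remaining = count
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def notification_deadlines(awareness_date: date, holidays: FrozenSet[date] = frozenset()) -> Dict[str, date]:
    """Return the preliminary and detailed ANPD notification deadlines for an incident."""
    return {
        "preliminary": add_business_days(awareness_date, PRELIMINARY_BUSINESS_DAYS, holidays),
        "detailed": add_business_days(awareness_date, DETAILED_BUSINESS_DAYS, holidays),
    }


def is_late(sent_on: date, deadline: date) -> bool:
    """True when a notification dated `sent_on` missed `deadline`."""
    return sent_on > deadline


if __name__ == "__main__":
    # Constructed scenario: awareness on Friday 2025-11-14, one constructed holiday on Thu 2025-11-20.
    aware = date(2025, 11, 14)
    sample_holidays = frozenset({date(2025, 11, 20)})
    for name, due in notification_deadlines(aware, sample_holidays).items():
        print(f"{name} notification due by {due.isoformat()}")
    print("detailed notification late?", is_late(date(2025, 11, 25), notification_deadlines(aware, sample_holidays)["detailed"]))
```

With awareness on Friday 14 November 2025, the preliminary notice is due Tuesday 18 November and the detailed one Friday 21 November; the constructed Thursday holiday pushes the detailed deadline to Monday 24 November. Wire the awareness date into the incident ticket at triage time so the deadlines are visible to the responders, not only to the Encarregado.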
Cross-Border Data Transfers
Article 33 of LGPD restricts international transfers of personal data. Permitted mechanisms include:
| Mechanism | Description |
|---|---|
| Adequacy decision | Transfer to a country with an adequate level of data protection (per ANPD decision) |
| Standard Contractual Clauses | Use of ANPD-approved SCCs (ANPD is developing these) |
| Global corporate policies | Binding corporate rules approved by ANPD |
| Specific consent | Informed, specific consent of the data subject |
| International legal cooperation | Between public bodies |
| Vital interests | To protect the life of the data subject or third parties |
| Legal obligation or exercise of rights | Compliance with legal obligations or exercise of rights |
| Data centre / cloud | Subject to specific ANPD conditions |
Current status of adequacy decisions: As of early 2026, the ANPD has not yet issued adequacy decisions for specific countries (including the EU), though this is being discussed. In practice, most organisations use consent or specific contractual clauses while awaiting ANPD's standard contractual clauses.
EU transfers: Despite LGPD's GDPR similarities, there is no mutual adequacy recognition. EU→Brazil transfers require GDPR-compatible mechanisms. Brazil→EU transfers require LGPD-compatible mechanisms. Multinational data flows require both frameworks to be satisfied.
ANPD Enforcement and Penalties
The ANPD (Autoridade Nacional de Proteção de Dados) became operationally independent from the federal government in 2023 following legislative amendments. Enforcement powers include:
Administrative sanctions (Article 52):
- Warning with indication of corrective action and time period
- Simple fine: up to 2% of the company's revenues in Brazil in its last fiscal year, limited to R$50 million (~$10 million USD) per violation
- Daily fine for ongoing violations (up to R$50 million total)
- Publication of the violation
- Blocking of personal data processing
- Deletion of personal data
First significant fines: The ANPD imposed its first fines in 2023, targeting a telecom operator and a health platform, demonstrating willingness to enforce against both large corporations and smaller organisations. Fines to date have ranged from R$14,400 to R$14.4 million.
Investigation process: ANPD can initiate investigations ex officio, based on complaints, or through mandatory breach notifications. The sanction process includes notice to the subject organisation, opportunity to present defences, and graduated penalties based on cooperation and remediation.
LGPD Compliance Checklist
- LGPD applicability analysis completed
- Data mapping / RoPA documented for all processing activities
- Legal basis documented for every processing activity
- Separate legal basis documented for sensitive personal data
- Consent mechanisms reviewed — pre-ticked boxes eliminated, purpose-specific
- Privacy policy/notice published in Portuguese (for Brazilian users) with all required disclosures
- DPO (Encarregado) appointed and contact information published
- Data subject rights procedures documented and tested (15-day response for access/confirmation)
- Processor contracts reviewed and updated with LGPD-required provisions
- Cross-border transfer mechanisms assessed for all international data flows
- Security measures documented and implemented proportional to data sensitivity
- Incident response and breach notification procedure (2-day preliminary, 5-day full) documented
- Retention schedules documented and automated deletion configured
- Employee training on LGPD completed and documented
- Privacy by design review for new products and features
Frequently Asked Questions
Does LGPD apply to my company if we are not based in Brazil?
Yes, if your processing involves data collected in Brazil, or if you offer goods or services to individuals in Brazil. The extraterritorial scope of LGPD is similar to GDPR's approach. A company operating entirely outside Brazil but running a Portuguese-language website serving Brazilian customers, or employing Brazilian remote workers, must comply with LGPD for those individuals' data.
What is the LGPD penalty compared to GDPR?
LGPD's maximum fine is 2% of Brazilian annual revenues, capped at R$50 million (~$10 million USD) per violation. GDPR's maximum is 4% of global annual revenues or €20 million, whichever is higher. For large multinationals, GDPR fines can be substantially higher than LGPD fines. However, LGPD's "per violation" framing — where each data subject affected could potentially be a separate violation — means aggregate exposure can be very significant for large-scale incidents.
Is LGPD consent the same as GDPR consent?
Similar in concept but with some differences. Both require free, informed, specific, and unambiguous consent. LGPD consent must be provided in writing or by other means demonstrating agreement (the ANPD has not yet finalised guidance on digital consent forms). Unlike GDPR, LGPD does not have a specific "freely given" test for employment contexts — though the power imbalance of employment relationships is relevant to whether consent was truly free. For sensitive data, both LGPD and GDPR require a heightened, explicit consent standard.
How does LGPD apply to healthcare data in Brazil?
Healthcare data is classified as sensitive personal data under LGPD. Processing requires explicit consent or falls under specific legal bases including health protection (Article 11, II, c — performed by health professionals or entities). Healthcare organisations in Brazil must also comply with sector-specific regulations from the Brazilian Health Regulatory Agency (ANVISA) and the Federal Council of Medicine (CFM). LGPD and health sector regulations operate in parallel.
Are there simplified compliance obligations for small businesses?
Yes. ANPD Resolution CD/ANPD No. 2/2022 established simplified compliance obligations for "small data processors" — defined as natural persons or private legal entities with annual revenues up to R$4 million, or up to R$16 million for some types. Simplified obligations include reduced reporting requirements and relaxed DPO requirements. However, core obligations including legal basis documentation, data subject rights, and security measures remain applicable.
Next Steps
Brazil is one of Latin America's largest digital markets, and LGPD compliance is increasingly required by Brazilian enterprise customers and government procurement processes. Whether you are expanding into Brazil for the first time or remediating existing compliance gaps, ECOSIRE's team can help you navigate LGPD's requirements.
From data mapping and legal basis documentation to implementing privacy-by-design in your technology platforms, our services cover the full compliance lifecycle.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. LGPD requirements continue to evolve through ANPD regulations and enforcement guidance. Consult qualified Brazilian legal counsel for advice specific to your organisation.
Written by: ECOSIRE Team (Technical Writing)