Last reviewed: 2026-05-04 · Reviewer: M.K., CIPP/E
LGPD Autoridade Nacional de Proteção de Dados

REGULATION · NATIONAL · IN FORCE SINCE 2020

Lei Geral de Proteção de Dados Pessoais

The EU's baseline privacy law since May 2018. Defines six lawful bases, eight data-subject rights, and fines up to 4% of global annual turnover.

Official text: EUR-Lex · Reviewed 2026-05-05 · Free reference, sources cited

Scope and territorial reach

Where it applies — 1 jurisdiction

Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. Purpose (Finalidade) · Art 6, I

     Process personal data only for legitimate, specific, explicit purposes communicated to the data subject. No subsequent processing may be incompatible with those original purposes — repurposing without a fresh basis is prohibited. Purposes must be documented and surfaced in the privacy notice before collection begins.

  2. Adequacy (Adequação) · Art 6, II

     Processing operations must be compatible with the purposes communicated to the data subject and with the context of collection. Each operation — storage, analysis, sharing — must fit the original objective. Mismatched processing (e.g. analytics data repurposed for credit scoring) violates the principle of adequacy.

  3. Necessity (Necessidade) · Art 6, III

     Limit processing to the minimum data necessary to achieve the stated purpose — relevant, proportional, and not excessive. Equivalent to GDPR data minimisation: collect what you need, no more. Default-broad analytics configurations and over-retention typically fail this test before any other principle.

  4. Free access (Livre acesso) · Art 6, IV

     Data subjects must be guaranteed easy and free consultation of the form and duration of processing, and the integrity of their personal data. Translates into operational requirements: a working DSAR channel, a plain-language privacy notice, and the ability to confirm what is processed without paying or jumping through unreasonable hoops.

  5. Quality of data (Qualidade dos dados) · Art 6, V

     Personal data must be accurate, clear, relevant, and up to date — kept current as the purpose requires. The controller is responsible for correction mechanisms and for preventing decisions based on stale or wrong data. Aligns with GDPR Art 5(1)(d) accuracy but is framed more broadly to include clarity and relevance.

  6. Transparency (Transparência) · Art 6, VI

     Data subjects must receive clear, precise, easily accessible information about processing and the respective processing agents, subject to commercial and industrial secrets. Drives the privacy notice (Aviso de Privacidade) requirement and the obligation to identify both the controller and the encarregado (DPO equivalent) by name and contact.

  7. Security (Segurança) · Art 6, VII

     Use technical and administrative measures suitable to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination. ANPD's 2021 guidance for small-scale processors set a baseline (access control, encryption in transit, incident response). Higher-risk processing requires proportionally stronger TOMs.

  8. Prevention (Prevenção) · Art 6, VIII

     Adopt measures to prevent damages arising from processing of personal data. This is a forward-looking duty — not only react to incidents but anticipate and mitigate. In practice it underpins DPIA-style risk assessments (Relatório de Impacto à Proteção de Dados Pessoais) and the obligation to maintain a working incident-response process.

  9. Non-discrimination (Não discriminação) · Art 6, IX

     Processing may not be performed for unlawful or abusive discriminatory purposes. Combined with Art 20 (review of automated decisions), this principle is the LGPD's response to algorithmic profiling: scoring, pricing, and access decisions cannot encode protected-class discrimination, even if the model itself is opaque.

  10. Accountability (Responsabilização e prestação de contas) · Art 6, X

     Controllers and processors must demonstrate adoption of effective measures capable of proving compliance — including the effectiveness of those measures. Generates documentation duties: ROPA, governance program, risk assessments, incident logs. Mirrors GDPR Art 5(2), but ANPD has signalled it expects evidence, not declarations.

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

Consent (Consentimento) · Art 7, I

Data subject gives free, informed, and unambiguous consent for a specific purpose.

Common for: Marketing cookies, newsletters, non-essential analytics, profiling

Compliance with legal or regulatory obligation (Obrigação legal) · Art 7, II

Processing is necessary for the controller to comply with a legal or regulatory obligation.

Common for: Tax records, labor law retention, AML/KYC, sector regulator filings

Public administration policies (Políticas públicas) · Art 7, III

Public administration carries out processing necessary for execution of public policies provided by law.

Common for: Government services, social programs, public registries

Studies by research entities (Estudos por órgão de pesquisa) · Art 7, IV

Research entity conducts studies, ensuring anonymization of personal data whenever possible.

Common for: Academic research, public-health studies, statistical projects

Performance of contract (Execução de contrato) · Art 7, V

Necessary to perform a contract or preliminary procedures related to a contract to which the data subject is a party.

Common for: Account creation, order fulfilment, customer support, billing

Regular exercise of rights in proceedings (Exercício regular de direitos) · Art 7, VI

Processing is necessary for the regular exercise of rights in judicial, administrative, or arbitration proceedings.

Common for: Litigation evidence, regulatory disputes, defence files

Protection of life (Proteção da vida) · Art 7, VII

Processing is necessary for the protection of life or physical safety of the data subject or a third party.

Common for: Emergency response, missing-person cases

Health protection (Tutela da saúde) · Art 7, VIII

Processing necessary for health protection, by health professionals, health services, or sanitary authorities — exclusively in a procedure carried out by them.

Common for: Patient records, telemedicine, clinical workflow

Legitimate interests (Legítimo interesse) · Art 7, IX

Necessary to meet the legitimate interests of the controller or a third party, except where the data subject's fundamental rights and freedoms prevail.

Common for: Fraud prevention, basic security logging, network defence, support of regular activities

Credit protection (Proteção do crédito) · Art 7, X

Processing necessary for credit protection, including under the provisions of relevant legislation.

Common for: Credit-bureau scoring, default registries, financial-services risk assessment

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

Confirmation of processing (Confirmação) · Art 18, I · Response: 15 days

Right to confirm whether a controller is processing the data subject's personal data. ANPD Resolution CD/ANPD No. 2/2022 sets a 15-day response window for this and the right of access.

Access (Acesso) · Art 18, II · Response: 15 days

Right to access personal data the controller holds about the data subject, in clear and complete form. 15-day response window. A simplified declaration may be issued immediately on request.

Correction (Correção) · Art 18, III · Response: 15 days

Right to correct incomplete, inaccurate, or out-of-date data. Reasonable response window in line with ANPD guidance — 15 days is treated as the working baseline.

Anonymization, blocking, or elimination (Anonimização, bloqueio ou eliminação) · Art 18, IV · Response: 15 days

Right to request anonymization, blocking, or elimination of unnecessary, excessive, or unlawfully processed data. The controller assesses which remedy applies.

Portability (Portabilidade) · Art 18, V · Response: 15 days

Right to portability of data to another service or product provider, by express request, subject to ANPD regulation and respecting commercial and industrial secrets.

Deletion of data processed with consent (Eliminação dos dados tratados com o consentimento) · Art 18, VI · Response: 15 days

Right to deletion of personal data processed on the basis of consent — except in the cases provided in Art 16 (legal obligation, research, transfer to a third party, exclusive use by the controller in anonymized form).

Information about sharing (Informação sobre compartilhamento) · Art 18, VII · Response: 15 days

Right to information about the public and private entities with which the controller has shared personal data.

Information about not consenting (Informação sobre não consentir) · Art 18, VIII · Response: 15 days

Right to information about the possibility of not providing consent and the consequences of refusal.

Revocation of consent (Revogação do consentimento) · Art 18, IX · Response: At collection

Right to revoke consent at any time via a free and easy procedure. Revocation takes effect prospectively; data already processed under prior consent remains lawful unless another right (deletion) is invoked.

Fines & enforcement

Maximum administrative penalty: €20.0M or 2% of global annual turnover (Art 83(5)). Tiered structure: Art 83(4) = 2% / €10M for procedural failures.

  1. 2024-04 · €38k · Fast Shop S.A. · ANPD · BR · Art 48

     Failure to notify a security incident within an adequate timeframe and lack of the technical and administrative measures expected after the breach. Among the first incident-related sanctions issued by ANPD.

  2. 2023-07 · €3k · Telekall Infoservice · ANPD · BR · Art 7, Art 41, Art 5

     First-ever LGPD sanction. A telemarketing operator processed personal data without a lawful basis, failed to appoint an encarregado, and obstructed ANPD's investigation. Three separate fines totalling R$14,400; ANPD also issued a public reprimand and a warning. Landmark precedent for ANPD enforcement.

Sources: national supervisory-authority press releases. Full enforcement database available via CMS Law tracker.

National addons

GDPR is a Regulation — directly applicable, no transposition required. But Member States layer additional rules on top via national acts.

🇧🇷 Brazil (BR) · LGPD — Lei nº 13.709/2018 · Stricter than GDPR baseline

Federal LGPD applies nationwide. Sanctions regulation (CD/ANPD No. 4/2023) effective Feb 2023; ANPD also issued the Dosimetry Regulation (CD/ANPD No. 4/2023) and the Small-Scale Processing Agents Regulation (CD/ANPD No. 2/2022).

🇦🇷 Argentina (AR) · Ley 25.326 (Protección de Datos Personales) · Aligned with GDPR baseline

Pre-GDPR statute (2000) that holds an EU adequacy decision (2003). Modernization bill in Congress since 2022; AAIP enforces.

🇲🇽 Mexico (MX) · LFPDPPP + LGPDPPSO · Aligned with GDPR baseline

Two laws — private sector (LFPDPPP, 2010) and public sector (LGPDPPSO, 2017). INAI was abolished in March 2025 and supervision migrated to the Anti-Corruption and Good Governance Secretariat — transitional period ongoing.

🇨🇴 Colombia (CO) · Ley 1581/2012 · Aligned with GDPR baseline

SIC enforces; mandatory data-controller registry (RNBD) and breach notification within 15 business days.

🇨🇱 Chile (CL) · Ley 21.719 (2024) · Aligned with GDPR baseline

New GDPR-aligned law published 13 Dec 2024 — effective 1 Dec 2026. Replaces Ley 19.628/1999. Creates the Agencia de Protección de Datos Personales.

🇵🇪 Peru (PE) · Ley 29.733 + Reglamento DS 003-2013-JUS · Aligned with GDPR baseline

ANPDP (under the Ministry of Justice) enforces. Mandatory database registration.

🇺🇾 Uruguay (UY) · Ley 18.331 + Decreto 64/020 · Aligned with GDPR baseline

First LATAM country with EU adequacy (2012, renewed 2021). URCDP enforces; GDPR-style obligations after the 2020 reform.

🇪🇨 Ecuador (EC) · LOPDP (2021) · Aligned with GDPR baseline

GDPR-modeled law in force since 26 May 2023 (sanctions phase). Authority: Superintendencia de Protección de Datos Personales.

🇵🇦 Panama (PA) · Ley 81/2019 · Aligned with GDPR baseline

ANTAI enforces; sanctions effective 29 Mar 2021.

🇵🇾 Paraguay (PY) · Ley 1.682/2001 (limited) · Aligned with GDPR baseline

Outdated statute focused on credit reporting. Comprehensive PDP bill pending in Congress.


Common questions

Does LGPD apply to companies outside Brazil?
Yes. LGPD Art 3 applies extraterritorially when (a) processing happens in Brazilian territory, (b) the processing aims to offer or supply goods or services to individuals located in Brazil, or (c) the personal data was collected in Brazil. A US or EU company with Brazilian customers, or that targets Brazilian users with marketing, falls in scope and must appoint an encarregado contactable from Brazil.
What is the maximum LGPD fine?
Per Art 52, II, fines reach up to 2% of the controller's group revenue in Brazil in the prior fiscal year, capped at R$50,000,000 per infraction. ANPD applies the Dosimetry Regulation (CD/ANPD No. 4/2023) — the cap is rarely hit; most 2023-2024 fines have been in the R$14k–R$200k range. Daily fines can also be levied for ongoing violations.
Is consent required for cookies under LGPD?
It depends on the cookie. ANPD's October 2022 Cookies Guide aligns Brazilian practice with the GDPR/ePrivacy logic: strictly necessary cookies can run without consent (legitimate interest under Art 7, IX); analytics, marketing, and profiling cookies require Art 7, I consent — free, informed, unambiguous, and revocable. Pre-ticked boxes and cookie walls are not compliant.
What are the key differences between LGPD and GDPR?
Four practical differences: (1) LGPD lists 10 lawful bases vs GDPR's 6 — credit protection and health protection are uniquely Brazilian. (2) ROPA is mandatory for ALL LGPD controllers (Art 37), with no 250-employee exemption. (3) Encarregado (DPO) appointment is required for all controllers, though small-scale agents can share or outsource. (4) Maximum fine is 2% / R$50M cap per infraction vs GDPR's 4% / €20M. Response times and data-subject rights are broadly aligned.
Do I need a Brazilian-resident encarregado (DPO)?
ANPD does not require the encarregado to reside in Brazil but does require the contact information to be public on the website and the role to be reachable from Brazil during business hours. CD/ANPD No. 2/2022 lets small-scale processing agents (defined by revenue/volume) share an encarregado across companies or outsource the function — useful for SaaS startups with Brazilian users.
What is the difference between the RNBD and a ROPA?
The RNBD is Colombia's national database registry filed with the SIC — a Colombian regulatory artefact. Brazil does NOT have an equivalent registration database. Under LGPD Art 37, controllers maintain an internal Records of Processing Activities document (Registro das operações de tratamento de dados pessoais) and produce it on request when ANPD asks — closer to GDPR Art 30 ROPA than to a public registry.
Does the privacy notice need to be in Portuguese?
ANPD has not issued a hard rule, but the principle of transparency (Art 6, VI) and ANPD's enforcement guidance both expect privacy notices to be in clear, accessible Portuguese for Brazilian data subjects. English-only notices on a Brazil-targeted service are practically non-compliant. Bilingual notices are common; the Portuguese version controls in disputes.
Has ANPD started fining companies under LGPD?
Yes. The first ever LGPD sanction was issued in July 2023 against Telekall Infoservice (R$14,400 across three fines). The Sanctions Regulation (CD/ANPD No. 4/2023) took full effect in February 2024, and ANPD has since issued sanctions against telemarketing operators, retailers (Fast Shop, R$200k for breach-notification failures), and ordered Meta to suspend AI training on Brazilian user data (October 2024). 2025 enforcement has focused on credit bureaus and telecom carriers.
What is a Relatório de Impacto à Proteção de Dados Pessoais (RIPD)?
The RIPD is LGPD's DPIA equivalent (Art 38). ANPD can require it for any high-risk processing — session replay, large-scale profiling, sensitive-data processing. Best practice is to maintain RIPDs proactively for high-risk operations rather than wait for an ANPD request. The structure mirrors GDPR DPIAs: description, necessity-and-proportionality test, risk assessment, mitigation measures.
How fast must a security incident be reported?
Article 48 requires controllers to notify ANPD and affected data subjects within a 'reasonable timeframe' after a security incident that may cause relevant risk or damage. ANPD Resolution CD/ANPD No. 15/2024 operationalized this — the working baseline is 3 business days from awareness for relevant incidents, with additional updates as the investigation matures. Incident records must be retained for at least 5 years.