General Personal Data Protection Law

The Brazilian General Data Protection Law (Portuguese: Lei Geral de Proteção de Dados Pessoais, or LGPD), officially Law No. 13.709/2018, is Brazil's comprehensive data protection legislation. It establishes rules for the collection, processing, storage, and sharing of personal data, both online and offline. The LGPD aligns Brazil with international data protection standards, such as the European Union's General Data Protection Regulation (GDPR), and represents a major milestone in the country’s digital governance framework.

Background and Legislative Context

The LGPD was sanctioned on August 14, 2018, and entered into force on September 18, 2020 (with administrative sanctions becoming applicable as of August 1, 2021). The law was inspired by global data protection trends, notably the GDPR, and was developed in response to increasing public concern over the misuse of personal data and the lack of comprehensive regulation in Brazil.

Prior to the LGPD, Brazil's legal framework for privacy and data was fragmented across multiple sectoral laws. The LGPD consolidated and standardized rules under a unified statute.

Scope and Applicability

The LGPD applies to any individual or legal entity, public or private, that processes personal data within Brazil or targets individuals located in Brazil, regardless of where the data processor is based. It covers both digital and non-digital data processing activities.

(Ref: Articles 1 and 3, LGPD)

Key Concepts and Definitions

  • Personal Data: Information related to an identified or identifiable natural person.
  • Sensitive Personal Data: Includes data on racial or ethnic origin, religious belief, political opinion, health, sexual orientation, biometric and genetic data, among others.
  • Data Subject: The natural person to whom the personal data refers.
  • Controller: The person or entity responsible for decisions regarding the processing of personal data.
  • Processor: The person or entity that processes personal data on behalf of the controller.

(Ref: Article 5, LGPD)

Principles of Data Processing

Data processing under the LGPD must adhere to the following principles:

  • Purpose: Processing must have a legitimate, specific, and explicit purpose.
  • Adequacy: Compatibility between the data processed and the purposes.
  • Necessity: Limited to the minimum necessary data.
  • Free Access: Individuals must have access to their data.
  • Data Quality: Accuracy and clarity of data.
  • Transparency: Clear, accessible information about data processing.
  • Security: Use of technical and administrative measures to protect data.
  • Accountability and Prevention: Demonstration of compliance and risk mitigation.

(Ref: Article 6, LGPD)

Legal Bases for Processing

The LGPD establishes 11 legal bases that authorize the processing of personal data. These are divided according to the nature of the data:

  • 10 legal bases apply to the processing of personal data (Article 7)
  • 8 legal bases apply to the processing of sensitive personal data (Article 11)

Legal Bases for Processing Personal Data (Article 7)

  1. Consent: The data subject has provided free, informed, and unambiguous consent.
  2. Compliance with legal or regulatory obligation: Processing is required to fulfill legal duties.
  3. Public administration: Processing is necessary for public administration to implement public policies.
  4. Research: Processing is carried out for academic, historical, or statistical research purposes, preferably anonymized.
  5. Contract performance: Processing is necessary to enter into or fulfill a contract with the data subject.
  6. Legal rights: To exercise rights in judicial, administrative, or arbitration proceedings.
  7. Life and physical safety: To protect the life or physical integrity of the data subject or third parties.
  8. Health protection: Processing by health professionals, health services, or health authorities to safeguard health.
  9. Legitimate interest: When processing is necessary for the legitimate interests of the controller or third parties, provided it does not violate fundamental rights and freedoms of the data subject.
  10. Credit protection: For credit scoring and financial risk analysis, within the limits of applicable law.

(Ref: Article 7, LGPD)

Legal Bases for Processing Sensitive Personal Data (Article 11)

Sensitive data—such as health data, biometric identifiers, racial or ethnic origin, and others—require enhanced protection. Eight legal bases authorize their processing:

  1. Specific and explicit consent: The data subject gives distinct, highlighted consent.
  2. Legal or regulatory obligation: Similar to regular personal data, when required by law.
  3. Public administration: For public policy implementation by government bodies.
  4. Research: For scientific or historical research purposes, with anonymization when possible.
  5. Legal rights: In judicial, administrative, or arbitral proceedings.
  6. Life and physical safety: To protect vital interests of the data subject or others.
  7. Health protection: Processing by health professionals or services for preventive care, diagnosis, or treatment.
  8. Fraud prevention and data subject security: A specific legal basis that applies only to sensitive data, aiming to ensure integrity and security, including authentication in digital systems.

Important Distinction

The following legal bases do not apply to sensitive personal data:

  • Contract performance
  • Legitimate interest
  • Credit protection

(Ref: Article 11, LGPD)

Rights of Data Subjects

Under the LGPD, data subjects are granted the following rights regarding their personal data, which they can exercise at any time by request to the data controller:

  1. Confirmation of Processing: Know whether their data is being processed.
  2. Access to Data: Access their personal data held by the controller.
  3. Correction: Request correction of incomplete, inaccurate, or outdated data.
  4. Anonymization, Blocking, or Deletion: Apply these measures to unnecessary, excessive, or unlawfully processed data.
  5. Data Portability: Transfer their data to another service provider, respecting commercial and industrial secrecy.
  6. Deletion of Consent-Based Data: Request deletion of data processed based on consent, unless legally required to retain.
  7. Information on Sharing: Know with whom their data has been shared.
  8. Refusal of Consent: Be informed about the option of not giving consent and the consequences.
  9. Withdrawal of Consent: Revoke consent at any time.

Additional rights include:

  • Object to Processing: Challenge data processing based on non-consent legal bases if it violates the LGPD.
  • Petition to ANPD: File complaints with the National Data Protection Authority.
  • Review of Automated Decisions: Request human review of decisions made solely by automated processing (e.g., profiling or credit scoring).

Controllers must respond to requests free of charge and within regulatory deadlines. Data must be provided in a clear, accessible format, either digitally or on paper.

(Ref: Articles 18–20, LGPD)

Obligations of Data Controllers and Processors

Controllers and processors must implement measures such as:

  • Data protection policies and impact assessments
  • Security measures (technical and administrative)
  • Clear communication channels for data subjects
  • Incident notification procedures (within a reasonable time to the ANPD and, if necessary, to data subjects)

(Ref: Articles 37–41, LGPD)

Role of the National Data Protection Authority (ANPD)

The Autoridade Nacional de Proteção de Dados (ANPD) is the Brazilian regulatory authority created to enforce the LGPD. It is responsible for:

  • Overseeing compliance
  • Investigating and applying administrative sanctions
  • Issuing guidance and regulations
  • Promoting data protection awareness

The ANPD also acts as a bridge between Brazil’s legal framework and international data protection standards, facilitating cooperation with other supervisory authorities.

(Ref: Articles 55–59, LGPD)

Sanctions and Enforcement

Non-compliance with the LGPD can result in administrative sanctions, including:

  • Warnings
  • Fines of up to 2% of a company’s revenue in Brazil, capped at BRL 50 million per infraction
  • Publicizing the infraction
  • Blocking or deletion of data

The law also allows for civil and criminal liability under other applicable legislation.

(Ref: Article 52, LGPD)

International and Multistakeholder Relevance

The LGPD plays a significant role in the global data governance landscape.

By harmonizing with principles of the GDPR, it facilitates cross-border data flows and international cooperation. The law also reinforces Brazil’s participation in global forums related to Internet governance, such as the Internet Governance Forum (IGF) and ICANN’s multistakeholder ecosystem, by ensuring trust and accountability in data-driven systems.
