LGPD
Lei Geral de Proteção de Dados Pessoais — Brazil's General Data Protection Law (Law No. 13,709/2018)
Standard Introduction
LGPD is an active standard published by Brazilian National Data Protection Authority (ANPD). It is commonly used across Technology, Finance & Banking, Retail, Healthcare, Services and applies in Brazil.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with LGPD.
Broad Territorial Scope
Applies to any organization that processes personal data of individuals in Brazil, regardless of where the organization is located — similar to GDPR's extraterritorial reach.
Ten Legal Bases
Provides ten legal bases for data processing, including consent, contract, legal obligation, legitimate interests, credit protection, and protection of life — more than GDPR's six bases.
ANPD Enforcement
The ANPD has evolved from moderate to very active enforcement, with fines totaling approximately BRL 98 million between 2023 and 2025 across healthcare, finance, and technology sectors.
list_alt Core Principles
- Purpose — processing for legitimate, specific, and informed purposes
- Adequacy — compatibility with the stated purposes
- Necessity — limited to the minimum required
- Free access — guarantee of easy and free consultation
- Data quality — accuracy and up-to-date data
- Transparency — clear information about processing
- Security — technical and administrative measures to protect data
- Non-discrimination — prohibition of processing for discriminatory purposes
Who Needs to Comply?
Any public or private organization that processes personal data of individuals located in Brazil, or that collects data in Brazil, or that offers goods/services to individuals in Brazil — regardless of the organization's physical location.
Key Requirements
Legal Basis for Processing
Establish one of ten legal bases before processing personal data: consent, legal obligation, public policy, research, contract, exercise of rights, life protection, health protection, legitimate interest, or credit protection.
Data Protection Officer (DPO)
Appoint a Data Protection Officer (Encarregado) responsible for accepting complaints, providing guidance, and communicating with the ANPD. Contact information must be publicly available.
Data Subject Rights
Guarantee data subjects' rights including access, correction, anonymization, deletion, portability, information about sharing, and the ability to revoke consent.
International Data Transfers
Transfer personal data internationally only with adequate protections — Standard Contractual Clauses, binding corporate rules, adequacy decisions, or specific consent from the data subject.
Incident Reporting
Notify the ANPD and affected data subjects within a reasonable time of any security incident that may create risk or relevant harm. Provide details including the nature of data affected and mitigation measures taken.
Implementation Roadmap
Map processing and legal bases
Identify personal-data processing involving individuals in Brazil, classify controllers and processors, document purposes, legal bases, sensitive data, children data, international transfers, and ANPD-facing accountability needs.
Design governance and notices
Appoint or confirm the data protection officer role, update privacy notices, build processing records, define retention rules, and create workflows for data-subject rights and authority communications.
Implement controls and contracts
Deploy consent management where needed, legitimate-interest balancing, security safeguards, incident response, processor terms, transfer mechanisms, and privacy-by-design reviews for products and operations.
Monitor ANPD guidance and incidents
Review ANPD regulations and enforcement guidance, test rights handling, refresh data maps, assess incidents for notification, and keep evidence ready for audits or authority requests.
Compliance Checklist
checklist Data mapping
checklist Rights and transparency
checklist Security and accountability
Penalties & Enforcement
Administrative fines up to 2% of the company's revenue in Brazil for the preceding fiscal year, capped at BRL 50 million (approximately USD 10 million) per infraction. Daily fines may also apply. Non-monetary sanctions include public disclosure of violations, data deletion orders, and partial or total bans on data processing activities.
Frequently Asked Questions
Who is covered by LGPD?
expand_more
LGPD applies to processing carried out in Brazil, processing that offers goods or services to individuals in Brazil, or processing of personal data collected in Brazil, regardless of where the organization is located.
What legal bases are available under LGPD?
expand_more
LGPD provides multiple legal bases, including consent, legal or regulatory obligation, public-policy execution, research, contract performance, judicial or administrative proceedings, protection of life or health, legitimate interests, and credit protection. Sensitive data has a narrower set of bases.
Does LGPD require a data protection officer?
expand_more
Controllers generally must appoint a person in charge of personal-data processing who acts as a communication channel with data subjects and the ANPD, subject to regulator guidance and potential exemptions.
What rights do data subjects have?
expand_more
Rights include confirmation of processing, access, correction, anonymization, blocking or deletion of unnecessary or unlawful data, portability, information about sharing, consent withdrawal, and review of certain automated decisions.
What should be done after a security incident?
expand_more
Assess the risk to data subjects, document facts and mitigation, notify the ANPD and affected individuals when the incident may cause relevant risk or damage, and preserve evidence of corrective actions.
Official Documentation
Official PDF for LGPD
Official publication or summary for LGPD
Official online resource
Brazilian National Data Protection Authority (ANPD) guidance and reference material
Implementation toolkit
Templates, guidance, or companion resources for LGPD