verified_user
Standardful
首页chevron_right标准chevron_rightLGPD
有效国际标准update 标准更新:2025年8月fact_check 事实核查:2026年6月28日

LGPD

Lei Geral de Protecao de Dados Pessoais(巴西通用数据保护法)

apartment发布组织:巴西国家数据保护局 (ANPD)

标准简介

LGPD 是由 巴西国家数据保护局 (ANPD) 发布的有效标准,常用于科技、金融银行、零售、医疗健康、服务业等行业,并适用于巴西等市场。

本页汇总了 LGPD 的官方文档、当前状态以及常见相关认证或评估机构,便于快速理解要求与落地路径。

public

Broad Territorial Scope

Applies to any organization that processes personal data of individuals in Brazil, regardless of where the organization is located — similar to GDPR's extraterritorial reach.

shield

Ten Legal Bases

Provides ten legal bases for data processing, including consent, contract, legal obligation, legitimate interests, credit protection, and protection of life — more than GDPR's six bases.

account_balance

ANPD Enforcement

The ANPD has evolved from moderate to very active enforcement, with fines totaling approximately BRL 98 million between 2023 and 2025 across healthcare, finance, and technology sectors.

list_alt Core Principles

  • Purpose — processing for legitimate, specific, and informed purposes
  • Adequacy — compatibility with the stated purposes
  • Necessity — limited to the minimum required
  • Free access — guarantee of easy and free consultation
  • Data quality — accuracy and up-to-date data
  • Transparency — clear information about processing
  • Security — technical and administrative measures to protect data
  • Non-discrimination — prohibition of processing for discriminatory purposes

谁需要合规?

groups

Any public or private organization that processes personal data of individuals located in Brazil, or that collects data in Brazil, or that offers goods/services to individuals in Brazil — regardless of the organization's physical location.

关键要求

1

Legal Basis for Processing

Establish one of ten legal bases before processing personal data: consent, legal obligation, public policy, research, contract, exercise of rights, life protection, health protection, legitimate interest, or credit protection.

2

Data Protection Officer (DPO)

Appoint a Data Protection Officer (Encarregado) responsible for accepting complaints, providing guidance, and communicating with the ANPD. Contact information must be publicly available.

3

Data Subject Rights

Guarantee data subjects' rights including access, correction, anonymization, deletion, portability, information about sharing, and the ability to revoke consent.

4

International Data Transfers

Transfer personal data internationally only with adequate protections — Standard Contractual Clauses, binding corporate rules, adequacy decisions, or specific consent from the data subject.

5

Incident Reporting

Notify the ANPD and affected data subjects within a reasonable time of any security incident that may create risk or relevant harm. Provide details including the nature of data affected and mitigation measures taken.

实施路线图

1
阶段 1schedule 预计周期: 3-6 周

映射处理和法律依据

识别涉及巴西境内个人的个人数据处理,划分控制者和处理者,记录目的、法律依据、敏感数据、儿童数据、国际传输以及面向 ANPD 的问责需求。

2
阶段 2schedule 预计周期: 4-8 周

设计治理和通知

任命或确认数据保护负责人角色,更新隐私通知,建立处理记录,定义保留规则,并创建数据主体权利和监管沟通流程。

3
阶段 3schedule 预计周期: 8-16 周

实施控制和合同

在需要时部署同意管理、合法利益平衡、安全保护措施、事件响应、处理者条款、传输机制以及产品和运营的隐私设计审查。

4
阶段 4schedule 预计周期: 持续进行

监控 ANPD 指引和事件

审查 ANPD 法规和执法指引,测试权利处理,刷新数据映射,评估事件是否需要通知,并保留可供审核或监管要求使用的证据。

合规检查清单

0 / 12

checklist 数据映射

checklist 权利和透明度

checklist 安全和问责

处罚与执行

warning

Administrative fines up to 2% of the company's revenue in Brazil for the preceding fiscal year, capped at BRL 50 million (approximately USD 10 million) per infraction. Daily fines may also apply. Non-monetary sanctions include public disclosure of violations, data deletion orders, and partial or total bans on data processing activities.

常见问题解答

LGPD 适用于谁?

expand_more

LGPD 适用于在巴西进行的处理、向巴西境内个人提供商品或服务的处理,或处理在巴西收集的个人数据,无论组织位于何处。

LGPD 有哪些法律依据?

expand_more

LGPD 规定了同意、法律或监管义务、公共政策执行、研究、合同履行、司法或行政程序、保护生命或健康、合法利益和信用保护等法律依据。敏感数据适用范围更窄。

LGPD 是否要求数据保护负责人?

expand_more

控制者通常必须指定个人数据处理负责人,作为与数据主体和 ANPD 沟通的渠道,具体还受监管指引和可能豁免影响。

数据主体有哪些权利?

expand_more

权利包括确认处理、访问、更正、匿名化、阻止或删除不必要或违法数据、可携带、了解共享情况、撤回同意,以及审查部分自动化决策。

发生安全事件后应做什么?

expand_more

评估对数据主体的风险,记录事实和缓解措施,在事件可能造成相关风险或损害时通知 ANPD 和受影响个人,并保留纠正措施证据。

官方文档

查看全部

实施时间线

gavel
2018年8月
LGPD enacted (Law No. 13,709/2018)
check_circle
2020年9月
LGPD entered into force
warning
2021年8月
Administrative sanctions provisions became enforceable
payments
2023年7月
ANPD issues first administrative fine
update
2025年8月
Grace period ends for Standard Contractual Clauses for international data transfers

相关分类