verified_user
Standardful
首頁chevron_right標準chevron_rightLGPD
現行有效國際標準update 標準更新:2025年8月fact_check 事實核查:2026年6月28日

LGPD

Lei Geral de Protecao de Dados Pessoais(巴西一般資料保護法)

apartment發布組織:巴西國家資料保護局 (ANPD)

標準簡介

LGPD 是由 巴西國家資料保護局 (ANPD) 發布的現行有效標準,常用於科技、金融銀行、零售、醫療健康、服務業等產業,並適用於巴西等市場。

本頁整理了 LGPD 的官方文件、目前狀態以及常見相關認證或評估機構,便於快速理解要求與落地路徑。

public

Broad Territorial Scope

Applies to any organization that processes personal data of individuals in Brazil, regardless of where the organization is located — similar to GDPR's extraterritorial reach.

shield

Ten Legal Bases

Provides ten legal bases for data processing, including consent, contract, legal obligation, legitimate interests, credit protection, and protection of life — more than GDPR's six bases.

account_balance

ANPD Enforcement

The ANPD has evolved from moderate to very active enforcement, with fines totaling approximately BRL 98 million between 2023 and 2025 across healthcare, finance, and technology sectors.

list_alt Core Principles

  • Purpose — processing for legitimate, specific, and informed purposes
  • Adequacy — compatibility with the stated purposes
  • Necessity — limited to the minimum required
  • Free access — guarantee of easy and free consultation
  • Data quality — accuracy and up-to-date data
  • Transparency — clear information about processing
  • Security — technical and administrative measures to protect data
  • Non-discrimination — prohibition of processing for discriminatory purposes

誰需要合規?

groups

Any public or private organization that processes personal data of individuals located in Brazil, or that collects data in Brazil, or that offers goods/services to individuals in Brazil — regardless of the organization's physical location.

關鍵要求

1

Legal Basis for Processing

Establish one of ten legal bases before processing personal data: consent, legal obligation, public policy, research, contract, exercise of rights, life protection, health protection, legitimate interest, or credit protection.

2

Data Protection Officer (DPO)

Appoint a Data Protection Officer (Encarregado) responsible for accepting complaints, providing guidance, and communicating with the ANPD. Contact information must be publicly available.

3

Data Subject Rights

Guarantee data subjects' rights including access, correction, anonymization, deletion, portability, information about sharing, and the ability to revoke consent.

4

International Data Transfers

Transfer personal data internationally only with adequate protections — Standard Contractual Clauses, binding corporate rules, adequacy decisions, or specific consent from the data subject.

5

Incident Reporting

Notify the ANPD and affected data subjects within a reasonable time of any security incident that may create risk or relevant harm. Provide details including the nature of data affected and mitigation measures taken.

實施路線圖

1
階段 1schedule 預計週期: 3-6 周

映射處理和法律依據

識別涉及巴西境內個人的個人數據處理,劃分控制者和處理者,記錄目的、法律依據、敏感數據、兒童數據、國際傳輸以及面向 ANPD 的問責需求。

2
階段 2schedule 預計週期: 4-8 周

設計治理和通知

任命或確認數據保護負責人角色,更新隱私通知,建立處理記錄,定義保留規則,並創建數據主體權利和監管溝通流程。

3
階段 3schedule 預計週期: 8-16 周

實施控制和合同

在需要時部署同意管理、合法利益平衡、安全保護措施、事件響應、處理者條款、傳輸機制以及產品和運營的隱私設計審查。

4
階段 4schedule 預計週期: 持續進行

監控 ANPD 指引和事件

審查 ANPD 法規和執法指引,測試權利處理,刷新數據映射,評估事件是否需要通知,並保留可供審覈或監管要求使用的證據。

合規檢查清單

0 / 12

checklist 數據映射

checklist 權利和透明度

checklist 安全和問責

處罰與執行

warning

Administrative fines up to 2% of the company's revenue in Brazil for the preceding fiscal year, capped at BRL 50 million (approximately USD 10 million) per infraction. Daily fines may also apply. Non-monetary sanctions include public disclosure of violations, data deletion orders, and partial or total bans on data processing activities.

常見問題解答

LGPD 適用於誰?

expand_more

LGPD 適用於在巴西進行的處理、向巴西境內個人提供商品或服務的處理,或處理在巴西收集的個人數據,無論組織位於何處。

LGPD 有哪些法律依據?

expand_more

LGPD 規定了同意、法律或監管義務、公共政策執行、研究、合同履行、司法或行政程序、保護生命或健康、合法利益和信用保護等法律依據。敏感數據適用範圍更窄。

LGPD 是否要求數據保護負責人?

expand_more

控制者通常必須指定個人數據處理負責人,作爲與數據主體和 ANPD 溝通的渠道,具體還受監管指引和可能豁免影響。

數據主體有哪些權利?

expand_more

權利包括確認處理、訪問、更正、匿名化、阻止或刪除不必要或違法數據、可攜帶、瞭解共享情況、撤回同意,以及審查部分自動化決策。

發生安全事件後應做什麼?

expand_more

評估對數據主體的風險,記錄事實和緩解措施,在事件可能造成相關風險或損害時通知 ANPD 和受影響個人,並保留糾正措施證據。

官方文件

查看全部

實施時間線

gavel
2018年8月
LGPD enacted (Law No. 13,709/2018)
check_circle
2020年9月
LGPD entered into force
warning
2021年8月
Administrative sanctions provisions became enforceable
payments
2023年7月
ANPD issues first administrative fine
update
2025年8月
Grace period ends for Standard Contractual Clauses for international data transfers

相關分類