Standard Overview
LGPD is a currently effective standard published by the Brazilian National Data Protection Authority (ANPD). It is commonly applied in industries such as technology, finance and banking, retail, healthcare, and services, and applies to markets including Brazil.
This page compiles the official LGPD documents, their current status, and the common related certification or assessment bodies, so that the requirements and the path to implementation can be understood quickly.
Broad Territorial Scope
Applies to any organization that processes personal data of individuals in Brazil, regardless of where the organization is located — similar to GDPR's extraterritorial reach.
Ten Legal Bases
Provides ten legal bases for data processing, including consent, contract, legal obligation, legitimate interests, credit protection, and protection of life — more than GDPR's six bases.
ANPD Enforcement
The ANPD has evolved from moderate to very active enforcement, with fines totaling approximately BRL 98 million between 2023 and 2025 across healthcare, finance, and technology sectors.
Core Principles
- Purpose — processing for legitimate, specific, and informed purposes
- Adequacy — compatibility with the stated purposes
- Necessity — limited to the minimum required
- Free access — guarantee of easy and free consultation
- Data quality — accuracy and up-to-date data
- Transparency — clear information about processing
- Security — technical and administrative measures to protect data
- Non-discrimination — prohibition of processing for discriminatory purposes
Who Needs to Comply?
Any public or private organization that processes personal data of individuals located in Brazil, or that collects data in Brazil, or that offers goods/services to individuals in Brazil — regardless of the organization's physical location.
Key Requirements
Legal Basis for Processing
Establish one of ten legal bases before processing personal data: consent, legal obligation, public policy, research, contract, exercise of rights, life protection, health protection, legitimate interest, or credit protection.
Data Protection Officer (DPO)
Appoint a Data Protection Officer (Encarregado) responsible for accepting complaints, providing guidance, and communicating with the ANPD. Contact information must be publicly available.
Data Subject Rights
Guarantee data subjects' rights including access, correction, anonymization, deletion, portability, information about sharing, and the ability to revoke consent.
International Data Transfers
Transfer personal data internationally only with adequate protections — Standard Contractual Clauses, binding corporate rules, adequacy decisions, or specific consent from the data subject.
Incident Reporting
Notify the ANPD and affected data subjects within a reasonable time of any security incident that may create risk or relevant harm. Provide details including the nature of data affected and mitigation measures taken.
Penalties & Enforcement
Administrative fines up to 2% of the company's revenue in Brazil for the preceding fiscal year, capped at BRL 50 million (approximately USD 10 million) per infraction. Daily fines may also apply. Non-monetary sanctions include public disclosure of violations, data deletion orders, and partial or total bans on data processing activities.