LGPD (Brazil)

LGPD (Lei Geral de Proteção de Dados Pessoais – General Data Protection Law)

LGPD (Lei Geral de Proteção de Dados Pessoais – General Data Protection Law) is Brazil’s data protection law, which came into effect on September 18, 2020. Similar to the GDPR (General Data Protection Regulation) in the European Union, the LGPD regulates how personal data is collected, processed, stored, and shared by businesses and organizations operating in Brazil. It was created to protect the privacy and data rights of Brazilian citizens while promoting transparency and accountability among businesses that handle personal data.

Key provisions of the LGPD include:

  1. Consumer Rights:

    • Right to Access: Individuals have the right to request access to their personal data held by organizations.
    • Right to Correction: Individuals can request corrections of inaccurate or incomplete data.
    • Right to Deletion: Consumers can request the deletion of their data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.
    • Right to Data Portability: Consumers have the right to transfer their data to another service provider in a structured, commonly used, and machine-readable format.
    • Right to Withdraw Consent: Consumers can withdraw consent for processing their personal data at any time, which could affect how businesses continue using that data.
    • Right to Object: Consumers can object to the processing of their personal data in specific situations, such as when it is used for marketing purposes.
  2. Data Processing Principles: The LGPD requires that personal data be processed in accordance with specific principles, including:

    • Transparency: Organizations must provide clear and accessible information about the processing of personal data.
    • Purpose Limitation: Data must be collected for specific, legitimate purposes and not processed beyond those purposes.
    • Data Minimization: Organizations should only collect and process the minimum amount of data necessary for the intended purpose.
    • Accuracy: Data should be kept accurate and updated.
    • Security: Organizations must implement appropriate technical and organizational measures to safeguard personal data against security breaches.
  3. Data Protection Officers (DPO):

    • Under the LGPD, certain organizations are required to appoint a Data Protection Officer (DPO), who is responsible for overseeing the organization’s data protection strategy and ensuring compliance with the law.
  4. Data Processing Activities:

    • Businesses are required to specify the legal basis for processing personal data. This could include obtaining consent, fulfilling contracts, complying with legal obligations, or pursuing legitimate interests.
  5. Data Breach Notification:

    • Organizations are obligated to notify both the Brazilian data protection authority (ANPD – Autoridade Nacional de Proteção de Dados) and affected individuals within a reasonable time frame if there is a data breach that poses risks to the rights and freedoms of individuals.
  6. Enforcement and Penalties:

    • The ANPD (National Data Protection Authority) is the body responsible for enforcing the LGPD and overseeing compliance. The ANPD can issue fines of up to 2% of a company’s revenue in Brazil, capped at R$ 50 million (approximately USD 10 million) per violation.
    • The law also allows for warnings, orders to cease non-compliant activities, and sanctions such as temporary or permanent bans on data processing.
  7. Exemptions:

    • The LGPD does not apply to certain types of processing, such as processing carried out by individuals for personal or household purposes, or processing carried out exclusively for journalistic, artistic, or academic purposes.
  8. International Data Transfers:

    • The LGPD establishes rules for the transfer of personal data across borders. Personal data can be transferred to other countries as long as those countries provide an adequate level of data protection. The law also allows for transfers to countries that have specific data protection agreements or when the transfer is necessary for certain purposes (e.g., compliance with a contract).
  9. Impact on Businesses:

    • Companies operating in Brazil or processing personal data of Brazilian citizens are required to comply with the LGPD, regardless of where the company is located. This can have implications for international companies as well. Businesses must implement comprehensive data protection measures and review their data processing activities to ensure compliance.

The LGPD aims to give individuals greater control over their personal data while encouraging organizations to adopt stronger data protection practices. By aligning with global standards, such as the GDPR, the law is designed to help build trust between consumers and businesses, enhance data security, and promote responsible data handling practices.