NEW
Report & API Now Live! Data insights report and open data API endpoints live as of September 23, 2025

LGDP - Lei Geral de Proteção de Dados Pessoais

type
Regulation
Jurisdiction
Full Name
LGDP - Lei Geral de Proteção de Dados Pessoais (Lei Nº13.709, de 14 de agosto de 2018)
Official Name
Lei Nº13.709, de 14 de agosto de 2018

Description

Description
Source

LGPD (Lei Geral de Proteção de Dados Pessoais) is Brazil's comprehensive data protection law that establishes rules for collecting, processing, storing, and sharing personal data. Enacted in 2018 and effective since September 2020, it closely mirrors the EU's GDPR in many aspects while incorporating unique Brazilian elements.

The law represents Brazil's first comprehensive framework for personal data protection, applying to both public and private sectors. It aims to protect individual privacy rights while enabling business innovation and digital transformation.

Key aspects include strict consent requirements, data subject rights, mandatory breach notifications, and significant penalties for non-compliance. The law applies to any organization processing Brazilian residents' data, regardless of where the organization is located.

Objectives and Scope

  • Territorial Scope:

    • Applies to data processing within Brazil
    • Covers processing of Brazilian residents' data worldwide
    • Applies regardless of data storage location
  • Material Scope:

    • Personal data processing by:
      • Public entities
      • Private companies
      • Individuals (with commercial purpose)

Key Requirements

  1. Legal Bases for Processing:

    • Article 7 defines 10 legal bases including:
      • Consent
      • Legal obligation
      • Legitimate interests
      • Protection of life or physical safety
  2. Data Subject Rights:

    • Access to data
    • Correction of inaccurate data
    • Data portability
    • Deletion of unnecessary data
    • Information about shared data
  3. Security Requirements:

    • Article 46 mandates:
      • Technical and organizational measures
      • Security controls
      • Breach notification procedures

Technical and Operational Requirements

  1. Data Protection Officer:

    • Mandatory appointment of DPO
    • Public disclosure of DPO contact information
    • Interface between controller, subjects, and ANPD
  2. Security Measures:

    • Article 47 requires:
      • Encryption
      • Access controls
      • Incident response plans
      • Regular security assessments

Compliance Mechanisms

  1. Penalties:

    • Fines up to 2% of revenue or R$50 million
    • Warnings
    • Data processing suspension
    • Publicity of violations
  2. Oversight:

    • National Data Protection Authority (ANPD)
    • Regulatory guidance
    • Enforcement actions

Implementation Timeline

  1. Original Timeline:

    • Law enacted: August 2018
    • Effective: September 2020
    • Enforcement began: August 2021
  2. Compliance Deadlines:

    • Article 65 established 18-month adaptation period
    • Progressive implementation based on company size
    • Ongoing regulatory guidance from ANPD

The LGPD represents a significant shift in Brazil's data protection landscape, requiring substantial operational changes for organizations while providing enhanced privacy rights for individuals.

Projects Following this Regulation

If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page