Brazil: General Data Protection Law

« Back to Glossary Index

Brazil’s General Data Protection Law (LGPD) was enacted in August 2018 and came into effect in September 2020. The LGPD is Brazil’s first comprehensive data protection law and is closely modeled on the European Union’s General Data Protection Regulation (GDPR). The LGPD applies to all businesses and organizations that process personal data in Brazil, regardless of where the data is processed or where the business is based.

Under the LGPD, personal data is defined as any information that relates to an identified or identifiable individual, such as name, identification number, location data, online identifiers, and health or financial data. The LGPD places significant obligations on businesses and organizations that process personal data, including:

  • Consent: Businesses and organizations must obtain explicit consent from individuals before processing their personal data. The consent must be specific, clear, and unambiguous.
  • Transparency: Businesses and organizations must provide individuals with clear and concise information about how their personal data will be processed. This includes information about the purposes of the processing, the legal basis for the processing, and any third parties that will have access to the data.
  • Data Subject Rights: Individuals have several rights under the LGPD, including the right to access their personal data, the right to request the correction or deletion of their personal data, and the right to revoke their consent for the processing of their personal data.
  • Data Protection Officer (DPO): Businesses and organizations that process large amounts of personal data must appoint a DPO to oversee their data protection efforts.
  • Data Breach Notification: Businesses and organizations must report any data breaches to the Brazilian Data Protection Authority (ANPD) and affected individuals within a reasonable timeframe.

The LGPD also imposes significant penalties for non-compliance. Businesses and organizations that violate the LGPD can be fined up to 2% of their annual revenue in Brazil or up to 50 million Brazilian Reais (approximately $9 million USD), whichever is greater.

In conclusion, Brazil’s General Data Protection Law (LGPD) is a comprehensive data protection law that closely follows the European Union’s General Data Protection Regulation (GDPR). The LGPD applies to all businesses and organizations that process personal data in Brazil and imposes significant obligations on them, including obtaining explicit consent from individuals, providing transparency about data processing, respecting data subject rights, appointing a Data Protection Officer, and reporting data breaches. Non-compliance can result in significant penalties, making it essential for businesses and organizations to comply with the LGPD.

Download this Resource