Brazil — LGPD
This guide analyzes Brazil’s Lei Geral de Proteção de Dados (LGPD, Law 13,709/2018) and its operationalization via ANPD Resolutions and Guidance Documents (2020–2026). We address lawful processing bases (LGPD Article 7), mandatory DPO appointment for public bodies and large-scale processing, granular consent mechanisms and documented legitimate interests assessments, the ANPD’s enforcement trajectory (marked by escalating fines and corrective orders), restricted transfer mechanisms (limited adequacy; SCCs not formally approved by ANPD as of 2026), and heightened protections for sensitive data (health, financial, children’s). This guide provides Portuguese-language compliance context and ANPD regulatory engagement strategies for organizations with Brazilian user bases.
TL;DR (Quick Answer)
Key points:
- Brazil’s LGPD mirrors GDPR principles (lawful basis, transparency, data subject rights) but with ANPD (Brazilian regulator) enforcement
- You must provide access/delete rights, maintain breach notification timelines, and map data flows across systems
- ANPD fines and enforcement are growing; penalties include fines and corrective orders that can affect product availability in Brazil
What you must do today: Localize privacy notices to Portuguese. Implement DSAR (Data Subject Access Request) pipeline. Maintain a transfer register for cross-border data flows. Prepare breach notification templates (ANPD-specific).
Authoritative sources:
- ANPD (Autoridade Nacional de Proteção de Dados): https://www.gov.br/anpd/pt-br
- LGPD text and official resources: https://www.planalto.gov.br/ (search for Lei nº 13.709/2018)
- LGPD fundamentals
LGPD codifies rights similar to the GDPR: access, correction, deletion, portability, and information about processing. It sets out legal bases for processing, mandates transparency, and imposes obligations for security and incident reporting.
- ANPD and regulatory expectations
ANPD publishes guidelines on interpretation, enforcement priorities, and administrative procedures. Organisations should follow ANPD recommendations for notices, breach reporting, and local-language communications when actively targeting Brazilian users.
- Cross-border transfers and adequacy
LGPD permits transfers to countries with adequate protection or under contractual safeguards. Organisations should maintain a transfer register and consider contractual clauses, adequacy assessments, or other safeguards for exports. Portuguese-language documentation and local legal guidance are recommended for complex transfers.
- Data subject rights and operational mechanics
Operationalising rights requires:
- An authenticated DSAR endpoint and verification pipeline.
- Back-office tooling to locate data across microservices, logs, search indices, and backups.
- Localisation of notices and user-facing materials in Portuguese when targeting Brazil.
- Incident reporting and breach response
ANPD guidance includes timelines for notification and expectations on the content of reports. Maintain a breach runbook that maps detection -> triage -> regulator/individual notification -> remediation steps and post-incident review.
- Penalties and enforcement trends
Sanctions under the LGPD can include fines, daily fines, and administrative measures. ANPD enforcement has increasingly focused on transparency, data minimisation failures, and inadequate breach response.
- Developer controls and architecture patterns
- Data minimisation at ingestion: only collect fields required for the declared purpose.
- Purpose metadata: attach "purpose" and "legal_basis" tags to fields and records.
- DSAR automation: build tooling to query data stores, redact where necessary, and output exports in common formats.
- Transfer gating: implement export checks that consult the transfer register and block or encrypt exports to high-risk destinations.
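One way to implement the purpose tagging, minimisation and transfer gating described in the items above, as an added example that is not part of this guide; the transfer register, its risk tiers and mechanism labels are constructed sample data, not ANPD-approved instruments:

```python
from dataclasses import dataclass, field

# Constructed sample transfer register (destination -> safeguard on file and risk
# tier). Mechanism names are illustrative labels, not ANPD-approved instruments.
TRANSFER_REGISTER = {
    "BR": {"mechanism": "domestic_processing", "risk": "low"},
    "PT": {"mechanism": "adequacy_assessment", "risk": "low"},
    "US": {"mechanism": "contractual_clauses", "risk": "medium"},
    "ZZ": {"mechanism": "none_on_file", "risk": "high"},  # constructed high-risk entry
}

# Categories the guide singles out for heightened protection.
SENSITIVE_CATEGORIES = {"health", "financial", "children"}


@dataclass
class Record:
    """A stored record carrying the purpose and legal_basis tags attached at ingestion."""
    fields: dict
    purpose: str
    legal_basis: str
    categories: set = field(default_factory=set)


def gate_export(record: Record, destination: str, declared_purpose: str) -> tuple:
    """Export check consulted before any cross-border transfer.
    Returns (decision, reason): 'allow' for low-risk destinations, 'encrypt' for
    medium-risk ones, 'block' otherwise; sensitive categories never leave the region."""
    if not record.legal_basis:
        return "block", "no legal basis recorded for this record"
    if record.purpose != declared_purpose:
        return "block", f"purpose mismatch: tagged {record.purpose!r}, export claims {declared_purpose!r}"
    entry = TRANSFER_REGISTER.get(destination)
    if entry is None:
        return "block", f"{destination} has no entry in the transfer register"
    if entry["risk"] == "low":
        return "allow", entry["mechanism"]
    if record.categories & SENSITIVE_CATEGORIES:
        return "block", "sensitive categories stay in-region"
    if entry["risk"] == "medium":
        return "encrypt", entry["mechanism"]
    return "block", f"{destination} is a high-risk destination"


def minimise(record: Record, allowed_fields: set) -> dict:
    """Data minimisation at export: keep only the fields declared for the purpose."""
    return {k: v for k, v in record.fields.items() if k in allowed_fields}
```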
- Sensitive data and local considerations
Brazil distinguishes certain categories of personal data that warrant higher protection. When processing sensitive categories, prefer additional safeguards such as in-region processing, stricter access controls, and enhanced consent mechanisms.
- Sample checklist (Brazil)
- Localise privacy notices and capture explicit consent where needed.
- Maintain a processing activities register and a transfer register.
- Implement a DSAR pipeline and test it regularly with synthetic requests.
- Ensure breach playbooks reference ANPD notification templates.
- References
- ANPD: https://www.gov.br/anpd/pt-br
- LGPD primary legislation: search for Lei nº 13.709/2018 on the Brazilian legal portal (Planalto): https://www.planalto.gov.br/
Next steps: add Portuguese-language notice templates, ANPD-specific reporting templates, and sample contractual clauses for transfers.
Enforcement Case Studies: Brazil LGPD
Case 1: ANPD vs. Google — Data Minimization Violation (2021)
What happened: Google collected more location data than necessary for declared purposes (map services, ads targeting). Users couldn’t disable location tracking for ad targeting while using maps.
ANPD finding: Violated purpose limitation and data minimization principles. Google collected excessive data and didn’t provide granular consent controls.
Penalty: Administrative fine and corrective order to implement granular consent UI allowing users to opt-out per purpose.
Lesson: Only collect data needed for stated purpose. Provide granular consent controls (not all-or-nothing). ANPD prioritizes data minimization enforcement.
Case 2: ANPD vs. Amazon — Transfer & Security (2022–2023)
What happened: Amazon transferred Brazilian user data to US servers without adequate safeguards and without local processing alternatives.
ANPD finding: Transfers must include contractual safeguards and technical measures. Organizations should prefer local processing where feasible.
Penalty: Fine and requirement to implement transfer risk assessments and stronger encryption controls.
Lesson: Brazil prefers local processing. If transfers are necessary, use SCCs and implement additional technical safeguards (encryption, access controls).
Code Example: Breach Notification Workflow (Python)
Implement LGPD Article 18 breach notification requirements:
```python
from datetime import datetime, timedelta
import logging


class BreachNotificationManager:
    """LGPD Article 18: Breach notification within 30 days to ANPD + individuals."""

    def __init__(self, affected_users_by_breach=None):
        # breach_id -> list of affected user contacts. A plain dict stands in
        # for the real user store so the class runs on its own.
        self._affected_users_by_breach = affected_users_by_breach or {}

    def _data_was_encrypted(self, breach_details: dict) -> bool:
        """True when the exposed data was encrypted or masked; read from the
        'encrypted' flag, assumed to be set by the forensic investigation."""
        return bool(breach_details.get('encrypted', False))

    def assess_breach(self, breach_details: dict) -> dict:
        """
        Assess breach for notification requirement.
        breach_details: {
            'affected_records': int,
            'data_categories': ['email', 'phone', 'financial'],
            'discovery_date': datetime,
            'access_date': datetime,   # When attackers accessed
            'likely_harm': 'high',     # 'high', 'medium', 'low'
            'encrypted': bool,         # Was the exposed data encrypted/masked?
        }
        """
        notification_required = True  # LGPD presumes notification unless data masked/encrypted
        # Check if data was adequately protected
        if self._data_was_encrypted(breach_details):
            notification_required = False  # Encrypted data treated as adequately protected
        # Calculate notification deadline: 30 days after discovery
        discovery_date = breach_details['discovery_date']
        notification_deadline = discovery_date + timedelta(days=30)
        return {
            'notification_required': notification_required,
            'deadline': notification_deadline,
            'affected_count': breach_details['affected_records'],
            'notify_anpd': True,  # Always notify ANPD for LGPD breaches
            'notify_individuals': notification_required,
            'template': 'breach_notification_pt_br'  # Portuguese language required
        }

    def _notify_anpd(self, breach_id: str, assessment: dict) -> None:
        """Stand-in for the ANPD submission channel: logs the report instead."""
        logging.info("ANPD notified of breach %s (%d records, deadline %s)",
                     breach_id, assessment['affected_count'], assessment['deadline'].date())

    def _get_affected_users(self, breach_id: str) -> list:
        """Look up the contacts affected by this breach."""
        return self._affected_users_by_breach.get(breach_id, [])

    def _send_individual_notification(self, user: str, breach_id: str) -> None:
        """Stand-in for the per-user message, which uses the Portuguese template."""
        logging.info("Sent breach_notification_pt_br for %s to %s", breach_id, user)

    def send_notifications(self, breach_id: str, assessment: dict) -> int:
        """Send notifications to ANPD and affected individuals.
        Returns the number of individual notifications sent."""
        sent = 0
        if assessment['notify_anpd']:
            # 1. Notify ANPD (Portuguese language required)
            self._notify_anpd(breach_id, assessment)
        if assessment['notify_individuals']:
            # 2. Notify affected individuals
            for user in self._get_affected_users(breach_id):
                self._send_individual_notification(user, breach_id)
                sent += 1
        # Log notification for audit trail
        logging.info("Breach %s notification sent at %s", breach_id, datetime.now())
        return sent


# Sample Breach Notification Letter (Portuguese)
BREACH_NOTIFICATION_TEMPLATE_PT_BR = """
Prezado(a) [CUSTOMER_NAME],

Informamos que foi identificada uma violação de segurança que afetou seus dados pessoais.

Dados Afetados:
- Categorias: [DATA_CATEGORIES]
- Data da Descoberta: [DISCOVERY_DATE]

Medidas Tomadas:
- Investigação de segurança iniciada
- Acesso não autorizado contido
- Aprimoramentos de segurança implementados

Seu direito conforme LGPD:
- Acesso aos dados: Solicite em [PORTAL_URL]
- Exclusão: [EMAIL_PARA_EXCLUSAO]

Contato: [CONTACT_EMAIL]

Atenciosamente,
[COMPANY_NAME]
"""
```
Workflow: LGPD Breach Detection & Response (30-Day Timeline)
┌─────────────────────────────────────┐
│ Day 0: Breach Detected/Discovered   │
│ (intrusion, suspicious activity)    │
└────────────┬────────────────────────┘
             │
             ▼
┌─────────────────────────────────────┐
│ Day 1-2: Incident Response Activated│
│ - Contain breach                    │
│ - Preserve evidence                 │
│ - Notify incident team              │
└────────────┬────────────────────────┘
             │
             ▼
┌─────────────────────────────────────┐
│ Day 3-5: Forensic Investigation     │
│ - Scope of breach                   │
│ - Data types affected               │
│ - Number of records                 │
│ - Potential harm assessment         │
└────────────┬────────────────────────┘
             │
             ▼
┌─────────────────────────────────────┐
│ Day 5-10: Notification Decision     │
│ - Was data encrypted? masked?       │
│ - Notification required?            │
│ - Notify ANPD + individuals?        │
└────────────┬────────────────────────┘
             │
      ┌──────┴──────┐
      │             │
  Encrypted    Unencrypted
    Data      Personal Data
      │             │
      ▼             ▼
    Skip         Notify
    Notif     ANPD + Users
      │             │
      │             ▼
      │   ┌─────────────────────┐
      │   │ Day 10-20: Send     │
      │   │ Notifications       │
      │   │ (Portuguese Lang)   │
      │   └─────────┬───────────┘
      │             │
      └──────┬──────┘
             │
             ▼
┌─────────────────────────────────────┐
│ Day 30: Deadline for ANPD Report    │
│ - Complete forensic report          │
│ - Remediation measures              │
│ - Security enhancements             │
└─────────────────────────────────────┘