What Is the LGPD? A Beginner’s Guide to Brazil’s Data Protection Law

Kevin Henry

Data Protection

March 31, 2025

Overview of the LGPD

The LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13,709/2018) is Brazil’s comprehensive privacy law governing the tratamento de dados pessoais (any operation performed on personal data) by public and private organizations. It applies to online and offline activities and reaches organizations outside Brazil when the processing takes place in Brazil, when they offer goods or services to individuals in Brazil, or when the data was collected in the country.

Under the LGPD, the controlador (data controller) decides why and how data is processed, while the operador (processor) acts on the controller’s instructions. Personal data covers any information relating to an identified or identifiable natural person. The law also recognizes dados pessoais sensíveis (sensitive personal data): racial or ethnic origin, religious belief, political opinion, membership of a union or of a religious, philosophical or political organization, data on health or sex life, and genetic or biometric data.

At its core, the LGPD balances innovation with fundamental rights by setting principles for responsible processing, enumerating lawful bases, granting rights to data subjects, and empowering the national regulator to issue guidance and enforce compliance.

Key Principles of Data Protection

The LGPD is built on clear principles that should guide every stage of your data lifecycle—from collection to deletion. Embed these into policies, systems, and employee behavior.

  • Good faith: Act honestly and fairly toward data subjects in all processing activities.
  • Purpose: Collect data for specific, legitimate, and explicit purposes communicated to the data subject.
  • Adequacy: Ensure processing is compatible with the informed purposes and the subject’s expectations.
  • Necessity: Limit collection to the minimum data needed to achieve the stated purposes.
  • Free access: Enable data subjects to consult how and for what their data is processed, simply and at no cost.
  • Data quality: Keep data accurate, clear, relevant, and up to date.
  • Transparency: Provide easily accessible, precise, and true information about processing practices.
  • Security: Adopt technical and administrative measures to protect data from breaches, loss, or unauthorized access.
  • Prevention: Proactively mitigate risks and prevent the occurrence of damages.
  • Non-discrimination: Do not process data for unlawful or abusive discriminatory purposes.
  • Accountability: Demonstrate effective governance and compliance, including documentation and audits.

Legal Bases for Processing

Every processing activity must rest on at least one of the ten legal bases in Article 7. Selecting the correct basis, documenting your rationale, and communicating it clearly are essential, especially when relying on consentimento do titular (the data subject’s consent) or on legitimate interests, where the balancing test should be written down.

  • Consent: Freely given, informed, and unambiguous consent from the data subject; withdrawal must be as easy as giving it.
  • Legal or regulatory obligation: Processing needed to comply with Brazilian law or regulation.
  • Public administration: Processing by public authorities to execute public policies set in laws and regulations.
  • Research: Processing by research bodies for studies, with personal data anonymized whenever possible.
  • Contract: Processing necessary for contracts or preliminary procedures requested by the data subject.
  • Exercise of rights: Processing necessary to exercise rights in judicial, administrative, or arbitral procedures.
  • Protection of life or physical safety: Processing to protect the life or physical safety of the data subject or a third party.
  • Health: Processing by health professionals, health services, or health authorities, exclusively for the protection of health.
  • Legitimate interests: Processing to meet legitimate interests of the controller or third party, balanced against data subject rights and expectations, with transparency and safeguards.
  • Credit protection: Processing necessary for credit protection.

Sensitive personal data

For dados pessoais sensíveis, Article 11 imposes stricter criteria. The default is the data subject’s specific and highlighted consent for specific purposes. Without consent, only a narrower set of bases applies: legal or regulatory obligation, public administration, research (with anonymization where possible), the regular exercise of rights in contracts or proceedings, protection of life or physical safety, health protection by health professionals or services, and fraud prevention or the security of the data subject in electronic identification systems. Contract, legitimate interests, and credit protection are not available for sensitive data. Treat these categories with enhanced security and governance.

Rights of Data Subjects

Individuals (titulares) have robust rights and you must provide simple, timely mechanisms to exercise them. Article 19 requires you to answer access requests either immediately in a simplified form or within 15 days in a clear and complete statement. Design your processes to verify the requester’s identity, route requests, and respond within those deadlines.

  • Confirmation and access: Know whether processing occurs and access the data and key processing details.
  • Correction: Rectify inaccurate, incomplete, or outdated data.
  • Anonymization, blocking, or deletion: Apply to unnecessary or excessive data, or data processed in violation of the LGPD.
  • Portability: Receive data in a structured format for transfer to another service, subject to ANPD regulation and trade secrets.
  • Deletion of consent-based data: Erase data processed based on consent, unless another lawful basis requires retention.
  • Information on sharing: Learn about public and private entities with whom the controller shared data.
  • Information on consent choices: Understand the possibility and consequences of refusing consent.
  • Revocation of consent: Withdraw consent at any time.
  • Objection and automated decision review: Object to certain processing and request review of decisions solely based on automated processing that affect interests.
  • Complaint: Petition the regulator if requests are not properly handled.

Sanctions for Non-Compliance

Failure to comply can trigger the sanções administrativas of Article 52, applied by the ANPD according to the seriousness and nature of the infraction, the rights affected, the offender’s good faith and cooperation, any advantage obtained, recurrence, the degree of harm, and whether corrective measures and good practices were already in place. Sanctions can be combined and escalate for repeated or serious violations.

  • Warning with corrective measures.
  • Single or daily fines of up to 2% of the entity’s (or its group’s) revenue in Brazil for the previous fiscal year, net of taxes, capped at BRL 50 million per infraction.
  • Public disclosure of the violation after due investigation.
  • Blocking or deletion of personal data related to the infraction.
  • Partial suspension of the database, or suspension of the processing activity, for up to six months, extendable once for the same period.
  • Partial or total prohibition of activities related to data processing.

Beyond administrative penalties, organizations may face civil claims, consumer protection actions, contractual liability, and reputational damage, making prevention and rapid remediation indispensable.

Role of the National Data Protection Authority

The Autoridade Nacional de Proteção de Dados (ANPD) supervises and fosters compliance. It issues regulations and guidance, interprets the LGPD, and promotes educational initiatives to build a culture of privacy.

  • Regulatory guidance: Clarifies obligations, risk-based controls, and specific rules for sectors or small businesses.
  • Supervision and enforcement: Conducts investigations, requests information, audits processing, and applies sanctions when warranted.
  • Incident oversight: Receives security incident notifications and may order mitigation or communication to data subjects.
  • International cooperation: Engages with other authorities and helps shape cross-border transfer mechanisms.
  • Standards and best practices: Encourages model clauses, governance programs, and privacy-by-design approaches.

Practical Steps for LGPD Compliance

Use a structured roadmap to embed LGPD controls into your operations and demonstrate accountability from day one.

  • Establish governance: Appoint an encarregado (DPO), define roles and escalation paths, and secure executive sponsorship.
  • Map processing: Build an inventory of tratamento de dados pessoais, systems, data flows, third parties, and cross-border transfers.
  • Classify data: Flag dados pessoais sensíveis, minors’ data, and high-risk uses requiring stronger safeguards.
  • Select legal bases: Link each processing activity to a lawful basis and document legitimate interest assessments where used.
  • Notices and consent: Publish clear privacy notices and manage consentimento do titular with granular choices and easy withdrawal.
  • Third-party management: Execute data processing agreements, set security requirements, and monitor vendors and subprocessors.
  • Security controls: Implement access controls, encryption, logging, and vulnerability management proportionate to risk.
  • Rights operations: Create intake channels, verification steps, and response workflows; track deadlines and outcomes.
  • Retention and minimization: Define purpose-based retention schedules; delete or anonymize data when no longer needed.
  • Cross-border transfers: Use appropriate safeguards and document your transfer assessments and contracts.
  • Training and culture: Educate staff on privacy principles, incident reporting, and secure handling of personal data.
  • Incident response: Maintain a tested playbook for breach detection, containment, forensic analysis, and notification decisions. Article 48 requires you to notify the ANPD and the affected data subjects of incidents that may cause relevant risk or harm, within the deadline set by ANPD regulation (three business days from becoming aware of the incident under the 2024 incident-communication rule), so the playbook needs an early severity assessment and a decision owner.
  • Impact assessments: Conduct a relatório de impacto à proteção de dados pessoais (RIPD) for high-risk processing and embed privacy by design.
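The mapping, classification, legal-basis and retention steps above are easier to keep honest when the processing inventory is machine-checkable. The following Python is an added example, not code from this page or from Accountable: it models a hypothetical records-of-processing register, checks each entry against the ten Article 7 legal bases and the narrower Article 11 rules for sensitive data, requires a documented assessment wherever legitimate interests is used, and applies a purpose-based retention period to individual records. The class and field names, the sample register, and the reference date are all assumptions made for the example.

```python
"""Hypothetical LGPD register check (example code, not an official tool).

Validates a records-of-processing inventory against the LGPD legal bases and
sensitive-data rules, then applies purpose-based retention to stored records.
All names, fields and sample data below are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# The ten legal bases of LGPD Art. 7, using the labels from this article.
LEGAL_BASES = {
    "consent", "legal_obligation", "public_administration", "research",
    "contract", "exercise_of_rights", "protection_of_life", "health",
    "legitimate_interests", "credit_protection",
}
# Bases on which Art. 11 allows sensitive data to be processed without the
# data subject's specific, highlighted consent. Contract, legitimate
# interests and credit protection are deliberately absent. (Art. 11 also
# covers fraud prevention/authentication security, which has no entry in
# the ten-basis list above, so it is omitted here.)
SENSITIVE_DATA_BASES = {
    "legal_obligation", "public_administration", "research",
    "exercise_of_rights", "protection_of_life", "health",
}

TODAY = date(2025, 3, 31)  # reference day for retention checks (assumed)


@dataclass(frozen=True)
class ProcessingActivity:
    name: str
    purpose: str
    legal_basis: str
    sensitive: bool                 # involves dados pessoais sensíveis
    retention_days: int             # purpose-based retention period
    lia_documented: bool = False    # legitimate-interest assessment on file
    specific_consent: bool = False  # consent is specific and highlighted


@dataclass(frozen=True)
class PersonalDataRecord:
    activity: str       # name of the ProcessingActivity it belongs to
    subject_id: str
    collected_on: date


def validate_activity(a: ProcessingActivity) -> list:
    """Return a list of findings; an empty list means the entry is acceptable."""
    findings = []
    if a.legal_basis not in LEGAL_BASES:
        findings.append(f"unknown legal basis '{a.legal_basis}'")
        return findings
    if a.legal_basis == "legitimate_interests" and not a.lia_documented:
        findings.append("legitimate interests used without a documented assessment")
    if a.sensitive:
        if a.legal_basis == "consent" and not a.specific_consent:
            findings.append("sensitive data requires specific, highlighted consent")
        elif a.legal_basis not in {"consent", *SENSITIVE_DATA_BASES}:
            findings.append(f"'{a.legal_basis}' is not a permitted basis for sensitive data")
    if a.retention_days <= 0:
        findings.append("no purpose-based retention period defined")
    return findings


def validate_register(register) -> dict:
    """Map each activity name to its findings."""
    return {a.name: validate_activity(a) for a in register}


def retention_action(rec: PersonalDataRecord, activity: ProcessingActivity, today: date) -> str:
    """'retain' while inside the purpose's retention window, otherwise
    'delete_or_anonymize' (necessity principle: keep only what is still needed)."""
    expires = rec.collected_on + timedelta(days=activity.retention_days)
    return "retain" if today < expires else "delete_or_anonymize"


def expired_records(records, register, today: date) -> list:
    """Sorted subject ids whose records are past their purpose's retention period."""
    by_name = {a.name: a for a in register}
    return sorted(r.subject_id for r in records
                  if retention_action(r, by_name[r.activity], today) != "retain")


# Constructed sample register and records, not real data.
REGISTER = [
    ProcessingActivity("newsletter", "marketing e-mails", "consent", False, 365),
    ProcessingActivity("billing", "invoicing customers", "contract", False, 1825),
    ProcessingActivity("fraud_scoring", "transaction risk", "legitimate_interests", False, 180),
    ProcessingActivity("wellness", "employee health program", "contract", True, 365),
    ProcessingActivity("clinic", "patient care", "health", True, 7300),
]
RECORDS = [
    PersonalDataRecord("newsletter", "u1", date(2023, 1, 10)),
    PersonalDataRecord("newsletter", "u2", date(2024, 9, 1)),
    PersonalDataRecord("billing", "u3", date(2021, 3, 1)),
]

if __name__ == "__main__":
    for name, findings in validate_register(REGISTER).items():
        print(name, "OK" if not findings else findings)
    print("expired:", expired_records(RECORDS, REGISTER, TODAY))
```

Run as a script, the register check reports that the fraud-scoring activity relies on legitimate interests with no assessment on file and that the wellness program cannot use contract as a basis for health data, while the retention pass flags the newsletter record collected in January 2023 as due for deletion or anonymization. In practice the register would be loaded from your data-inventory tool and the expired-record list fed to the system that actually deletes or anonymizes, with the outcome logged to support the accountability principle.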

Conclusion

The LGPD sets clear rules for responsible data use: follow its principles, choose valid legal bases, empower data subjects, and prove accountability. With strong governance and practical controls, you can reduce risk, build trust, and unlock data-driven value in Brazil.

FAQs

What types of data does the LGPD protect?

The LGPD protects personal data, meaning any information relating to an identified or identifiable natural person, processed by public or private entities. It also designates dados pessoais sensíveis (e.g., health, biometric, genetic, racial or ethnic origin, religious belief, political opinion, and membership data) for heightened protection. Anonymized data falls outside scope unless the anonymization can be reversed with reasonable effort; data used to build a behavioral profile of an identified person may still be treated as personal data.

Which legal bases allow processing under the LGPD?

Processing must rest on a lawful basis such as consentimento do titular, contract, legal or regulatory obligation, public policy execution, research, exercise of rights in proceedings, protection of life or physical safety, health purposes by qualified professionals, legitimate interests with safeguards, or credit protection. Sensitive data has stricter conditions: specific, highlighted consent, or one of a narrower set of alternatives that excludes contract, legitimate interests, and credit protection.

What rights do data subjects have under the LGPD?

Data subjects can request confirmation and access, correction, anonymization/blocking/deletion of unlawful or excessive data, portability, deletion of consent-based data, information on data sharing and consent consequences, consent revocation, objection in permitted cases, review of automated decisions, and the ability to petition the ANPD.

What penalties can organizations face for LGPD violations?

Sanctions range from warnings and mandated corrective actions to fines of up to 2% of revenue in Brazil (capped at BRL 50 million per infraction), public disclosure of the violation, blocking or deletion of affected data, suspension of databases or processing for up to six months (extendable once), and even prohibition of processing activities.
