The Lei Geral de Proteção de Dados (LGPD) is Brazil’s national data protection law that regulates how organizations collect, use, store, and share personal data. Inspired by the European GDPR, the LGPD establishes rules for lawful data processing and grants individuals rights over their personal information.
LGPD
Key facts about LGPD
- Full name: Lei Geral de Proteção de Dados (General Data Protection Law)
- Country: Brazil
- Effective date: September 2020
- Regulator: ANPD (Autoridade Nacional de Proteção de Dados)
- Scope: Applies to organizations processing personal data in Brazil
- Similar framework: Inspired by the EU General Data Protection Regulation (GDPR)
What is LGPD?
The Lei Geral de Proteção de Dados (LGPD) is Brazil’s comprehensive data protection law that regulates how organizations collect, process, store, and share personal data.
The law applies to both public and private organizations that process personal data in Brazil or offer products or services to individuals located in Brazil.
LGPD establishes rules for responsible data processing and provides individuals with rights regarding their personal information.
LGPD meaning
LGPD stands for Lei Geral de Proteção de Dados, which translates to General Data Protection Law.
The regulation was introduced to create a consistent framework for protecting personal data in Brazil. It defines how organizations may collect and process personal data and establishes responsibilities for organizations that handle personal information.
Like other modern privacy regulations, the LGPD focuses on transparency, accountability, and protecting individuals’ control over their personal data.
Scope of the LGPD
The LGPD has a broad scope and can apply to organizations both inside and outside Brazil.
The law may apply when:
- Personal data is processed within Brazil
- Products or services are offered to individuals in Brazil
- Personal data is collected from individuals located in Brazil
Because of this territorial scope, many international companies must consider LGPD requirements when operating in Brazil.
LGPD lawful bases for data processing
Similar to the General Data Protection Regulation (GDPR), the LGPD requires organizations to have a lawful basis for processing personal data.
Examples of lawful bases under the LGPD include:
- Consent from the individual
- Compliance with a legal obligation
- Execution of contracts
- Protection of life or physical safety
- Legitimate interests of the organization
These legal bases determine when and how organizations may process personal information.
Data subject rights under LGPD
The LGPD provides individuals with several rights regarding their personal data.
These rights include the ability to:
- Confirm whether an organization processes their personal data
- Access personal information held by an organization
- Correct inaccurate or outdated data
- Request anonymization or deletion of data in certain circumstances
- Request data portability to another service provider
- Revoke previously given consent
- Obtain information about data sharing with third parties
These rights are similar to data subject rights under GDPR, although terminology and procedures may vary.
The role of the ANPD
The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil’s national data protection authority responsible for overseeing the LGPD.
The ANPD is responsible for:
- Issuing regulatory guidance
- Supervising compliance with the LGPD
- Investigating complaints and incidents
- Applying sanctions when violations occur
The authority plays a central role in interpreting and enforcing Brazil’s data protection framework.
LGPD vs GDPR
The LGPD was strongly influenced by the General Data Protection Regulation (GDPR) but includes some differences.
Legal bases
The LGPD includes several lawful bases for data processing, some of which differ from those defined under GDPR.
Breach notification
LGPD requires organizations to report security incidents within a reasonable timeframe, while GDPR specifies a 72-hour reporting window in certain cases.
Penalties
Although both laws allow for financial penalties, the structure and limits of fines differ between the two frameworks.
LGPD vs GDPR comparison
| Category | LGPD (Brazil) | GDPR (European Union) |
|---|---|---|
| Full name | Lei Geral de Proteção de Dados | General Data Protection Regulation |
| Region | Brazil | European Union |
| Effective date | September 2020 | May 2018 |
| Regulator | ANPD (Autoridade Nacional de Proteção de Dados) | National Data Protection Authorities in each EU member state |
| Scope | Applies to organizations processing data in Brazil or offering goods or services to individuals in Brazil | Applies to organizations processing data of individuals located in the EU |
| Legal bases for processing | 10 lawful bases, including consent, legal obligation, legitimate interest, research studies, and credit protection | 6 lawful bases including consent, contract, legal obligation, vital interests, public task, and legitimate interest |
| Data subject rights | Access, correction, anonymization, deletion, portability, and revocation of consent | Access, rectification, erasure, restriction, portability, objection, and automated decision protections |
| Breach notification | Must notify the ANPD within a reasonable time | Must notify the supervisory authority within 72 hours in certain cases |
| Maximum fines | Up to 2 percent of company revenue in Brazil, capped at R$ 50 million per violation | Up to €20 million or 4 percent of global annual turnover |
Penalties under LGPD
Organizations that violate the LGPD may face administrative sanctions.
Possible penalties include:
- Financial fines of up to 2 percent of a company’s revenue in Brazil
- A maximum penalty cap of R$ 50 million per violation
- Public notices of violations
- Restrictions on data processing activities
Sanctions depend on the nature and severity of the violation.
Commonly asked questions
LGPD stands for Lei Geral de Proteção de Dados, Brazil’s General Data Protection Law.
The LGPD came into force in September 2020, with enforcement measures gradually implemented afterward.
Yes. The LGPD was influenced by the European GDPR and shares many similar principles, including lawful data processing and individual privacy rights.
The Autoridade Nacional de Proteção de Dados (ANPD) is responsible for enforcing Brazil’s data protection law.