Lei Geral de Proteção de Dados (LGPD)
Overview
The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law that regulates the processing of personal data in Brazil, whether by public or private organizations.
Key Facts
- Effective since September 2020
- Enforced by the National Data Protection Authority (ANPD)
- Applies to any processing of personal data in Brazil
Key Principles
Purpose Limitation
Personal data must be processed for legitimate, specific, explicit and informed purposes.
Requirements
- Define clear processing purposes
- Document purposes
- Inform data subjects
- Limit processing scope
- Regular purpose reviews
Examples
- Purpose documentation
- Privacy notices
- Processing records
- Review procedures
Adequacy
Processing must be compatible with its purposes and proportional to needs.
Requirements
- Assess data necessity
- Evaluate proportionality
- Document justification
- Regular reviews
- Update assessments
Examples
- Necessity assessments
- Proportionality tests
- Documentation records
- Review logs
Transparency
Clear and accessible information about processing activities.
Requirements
- Provide clear privacy notices
- Document processing activities
- Enable access rights
- Regular updates
- Maintain records
Examples
- Privacy policies
- Processing records
- Access procedures
- Communication logs
Compliance Requirements
Data Protection Officer
Organizations must appoint a DPO to oversee LGPD compliance and serve as a communication channel.
Implementation Steps
- Appoint qualified DPO
- Publish DPO contact information
- Define DPO responsibilities
- Establish communication channels
- Document DPO activities
Required Documentation
- DPO appointment letter
- Contact information records
- Role description
- Communication procedures
- Activity logs
Records of Processing Activities
Maintain detailed records of personal data processing operations.
Implementation Steps
- Document processing purposes
- Map data flows
- Identify legal bases
- Record security measures
- Regular updates
Required Documentation
- Processing records
- Data flow diagrams
- Legal basis register
- Security documentation
- Update logs
Data Protection Impact Assessment
Conduct impact assessments for high-risk processing activities.
Implementation Steps
- Identify high-risk processing
- Assess potential impacts
- Evaluate safeguards
- Document findings
- Implement recommendations
Required Documentation
- Impact assessment reports
- Risk evaluations
- Mitigation measures
- Implementation records
- Review schedule
Enforcement & Penalties
Administrative Sanctions
The National Data Protection Authority (ANPD) can impose various administrative sanctions for LGPD violations.
Penalty Categories
Example Cases
Individual Rights
Data subjects can seek individual remedies through courts.