
Lei Geral de Proteção de Dados (LGPD)

  • Maximum Fine: R$50M or 2%
  • Scope: National
  • Regulator: ANPD
  • Enacted: 2020


Overview

The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law that regulates the processing of personal data in Brazil, whether by public or private organizations.

Key Facts

  • Effective since September 2020
  • Enforced by the National Data Protection Authority (ANPD)
  • Applies to any processing of personal data in Brazil

Key Principles

Purpose Limitation

Personal data must be processed for legitimate, specific, explicit and informed purposes.

Requirements

  • Define clear processing purposes
  • Document purposes
  • Inform data subjects
  • Limit processing scope
  • Regular purpose reviews

Examples

  • Purpose documentation
  • Privacy notices
  • Processing records
  • Review procedures

Adequacy

Processing must be compatible with its purposes and proportional to needs.

Requirements

  • Assess data necessity
  • Evaluate proportionality
  • Document justification
  • Regular reviews
  • Update assessments

Examples

  • Necessity assessments
  • Proportionality tests
  • Documentation records
  • Review logs

Transparency

Data subjects must be given clear and accessible information about processing activities.

Requirements

  • Provide clear privacy notices
  • Document processing activities
  • Enable access rights
  • Regular updates
  • Maintain records

Examples

  • Privacy policies
  • Processing records
  • Access procedures
  • Communication logs

Compliance Requirements

Data Protection Officer

Organizations must appoint a DPO to oversee LGPD compliance and serve as a communication channel.

Implementation Steps

  • Appoint qualified DPO
  • Publish DPO contact information
  • Define DPO responsibilities
  • Establish communication channels
  • Document DPO activities

Required Documentation

  • DPO appointment letter
  • Contact information records
  • Role description
  • Communication procedures
  • Activity logs

Records of Processing Activities

Maintain detailed records of personal data processing operations.

Implementation Steps

  • Document processing purposes
  • Map data flows
  • Identify legal bases
  • Record security measures
  • Regular updates

Required Documentation

  • Processing records
  • Data flow diagrams
  • Legal basis register
  • Security documentation
  • Update logs

Data Protection Impact Assessment

Conduct impact assessments for high-risk processing activities.

Implementation Steps

  • Identify high-risk processing
  • Assess potential impacts
  • Evaluate safeguards
  • Document findings
  • Implement recommendations

Required Documentation

  • Impact assessment reports
  • Risk evaluations
  • Mitigation measures
  • Implementation records
  • Review schedule

Enforcement & Penalties

Administrative Sanctions

The National Data Protection Authority (ANPD) can impose various administrative sanctions for LGPD violations.

Penalty Categories

  • Monetary Fines (up to 2% of revenue or R$50M per violation): for violations of LGPD requirements
  • Data Processing Ban (temporary or permanent): suspension of personal data processing activities
  • Publicity (public disclosure): publication of the violation and the penalties imposed

Example Cases

  • Major Retailer, R$40 million (2023): unauthorized data sharing and insufficient security measures
  • Financial Institution, R$30 million (2023): failure to obtain proper consent and data breach

Individual Rights

Data subjects can seek individual remedies through courts.

Penalty Categories

  • Individual Claims (case-specific): compensation for material and moral damages
  • Class Actions (collective damages): group claims for widespread violations
  • Injunctive Relief (court orders): immediate cessation of violations

Example Cases

  • Consumer Class Action, R$15 million (2023): unauthorized data collection through a mobile app
  • Individual Privacy Claim, R$500,000 (2023): failure to honor a deletion request