Lei Geral de Proteção de Dados (LGPD)
Overview
The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law that regulates the processing of personal data in Brazil, whether by public or private organizations.
Key Facts
- Effective since September 18, 2020
- Enforced by the National Data Protection Authority (ANPD)
- Applies to any processing of personal data in Brazil
Key Principles
Purpose Limitation
Personal data must be processed for legitimate, specific, explicit and informed purposes.
Requirements
- Clear definition of processing purposes
- Documentation of purposes
- Inform data subjects of purposes
- Limit processing to stated purposes
- Regular purpose reviews
Examples
- Privacy notices stating specific purposes
- Purpose inventory documentation
- Regular audits of processing activities
- Purpose compatibility assessments
Adequacy
Processing must be compatible with its purposes, considering the context and scope of processing.
Requirements
- Processing compatibility assessment
- Context evaluation
- Scope definition
- Regular reviews
- Documentation of assessments
Examples
- Processing impact assessments
- Context documentation
- Scope limitation procedures
- Regular compatibility reviews
Necessity
Processing should be limited to the minimum necessary data for its purposes.
Requirements
- Data minimization practices
- Necessity assessments
- Regular data reviews
- Documentation of necessity
- Data deletion procedures
Examples
- Data collection forms review
- Minimization procedures
- Regular data audits
- Deletion schedules
Compliance Requirements
Data Protection Officer
Organizations must appoint a DPO to oversee LGPD compliance and serve as a communication channel.
Implementation Steps
- Appoint qualified DPO
- Publish DPO contact information
- Define DPO responsibilities
- Establish communication channels
- Document DPO activities
Required Documentation
- DPO appointment letter
- DPO qualifications
- Contact information records
- Activity reports
- Communication logs
Data Protection Impact Assessment
Conduct impact assessments for processing activities that may present risks.
Implementation Steps
- Identify high-risk processing
- Assess potential impacts
- Evaluate safeguards
- Document findings
- Implement recommendations
Required Documentation
- Impact assessment reports
- Risk evaluations
- Mitigation measures
- Review schedules
- Implementation records
Records of Processing
Maintain detailed records of personal data processing activities.
Implementation Steps
- Document processing activities
- Map data flows
- Record legal bases
- Update regularly
- Monitor compliance
Required Documentation
- Processing inventory
- Data flow diagrams
- Legal basis register
- Update logs
- Compliance reports
Enforcement & Penalties
Administrative Sanctions
The National Data Protection Authority (ANPD) can impose various administrative sanctions for LGPD violations.
Penalty Categories
Example Cases
Individual Rights
Data subjects can seek individual remedies through courts.