
Lei Geral de Proteção de Dados (LGPD)

  • Maximum Fine: 2% or R$50M
  • Scope: Brazil
  • Regulator: ANPD
  • Response Time: 15 Days

Overview

The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law that regulates the processing of personal data in Brazil, whether by public or private organizations.

Key Facts

  • Effective since September 18, 2020
  • Enforced by the National Data Protection Authority (ANPD)
  • Applies to any processing of personal data in Brazil

Key Principles

Purpose Limitation

Personal data must be processed for legitimate, specific, explicit and informed purposes.

Requirements

  • Clear definition of processing purposes
  • Documentation of purposes
  • Inform data subjects of purposes
  • Limit processing to stated purposes
  • Regular purpose reviews

Examples

  • Privacy notices stating specific purposes
  • Purpose inventory documentation
  • Regular audits of processing activities
  • Purpose compatibility assessments

Adequacy

Processing must be compatible with its purposes, considering the context and scope of processing.

Requirements

  • Processing compatibility assessment
  • Context evaluation
  • Scope definition
  • Regular reviews
  • Documentation of assessments

Examples

  • Processing impact assessments
  • Context documentation
  • Scope limitation procedures
  • Regular compatibility reviews

Necessity

Processing should be limited to the minimum necessary data for its purposes.

Requirements

  • Data minimization practices
  • Necessity assessments
  • Regular data reviews
  • Documentation of necessity
  • Data deletion procedures

Examples

  • Data collection forms review
  • Minimization procedures
  • Regular data audits
  • Deletion schedules

Compliance Requirements

Data Protection Officer

Organizations must appoint a DPO to oversee LGPD compliance and serve as a communication channel.

Implementation Steps

  • Appoint qualified DPO
  • Publish DPO contact information
  • Define DPO responsibilities
  • Establish communication channels
  • Document DPO activities

Required Documentation

  • DPO appointment letter
  • DPO qualifications
  • Contact information records
  • Activity reports
  • Communication logs

Data Protection Impact Assessment

Conduct impact assessments for processing activities that may present risks.

Implementation Steps

  • Identify high-risk processing
  • Assess potential impacts
  • Evaluate safeguards
  • Document findings
  • Implement recommendations

Required Documentation

  • Impact assessment reports
  • Risk evaluations
  • Mitigation measures
  • Review schedules
  • Implementation records

Records of Processing

Maintain detailed records of personal data processing activities.

Implementation Steps

  • Document processing activities
  • Map data flows
  • Record legal bases
  • Update regularly
  • Monitor compliance

Required Documentation

  • Processing inventory
  • Data flow diagrams
  • Legal basis register
  • Update logs
  • Compliance reports

Enforcement & Penalties

Administrative Sanctions

The National Data Protection Authority (ANPD) can impose various administrative sanctions for LGPD violations.

Penalty Categories

  • Monetary Fines: up to 2% of revenue or R$50 million per violation; daily fines for continuing violations
  • Operational Restrictions: partial or total prohibition; suspension or prohibition of processing activities
  • Publicity: public disclosure; publication of the violation and penalties

Example Cases

  • Cyrela Brazil Realty, R$10 million (2022): unauthorized sharing of personal data
  • Banco Inter, R$8 million (2023): data breach affecting customer information

Individual Rights

Data subjects can seek individual remedies through courts.

Penalty Categories

  • Individual Claims: case-specific; compensation for material and moral damages
  • Class Actions: collective damages; group claims for widespread violations
  • Injunctive Relief: court orders; immediate cessation of violations

Example Cases

  • Consumer Class Action, R$5 million (2023): unauthorized data collection through a mobile app
  • Individual Privacy Claim, R$500,000 (2022): failure to honor a deletion request