Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados, or LGPD) was enacted to regulate the collection and processing of personal data, providing comprehensive protections for Brazilian citizens. LGPD introduces privacy obligations similar to the GDPR, establishing rights for individuals to control their personal data and imposing responsibilities on organizations to ensure its protection. The law aims to strike a balance between innovation, economic growth, and individual privacy in Brazil’s growing digital economy.
Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados, or LGPD) is a legal framework designed to regulate how personal data is collected, processed, and used, providing individuals greater control over their personal data. It closely mirrors the GDPR in terms of the rights and protections it offers to Brazilian residents
LGPD applies to any organization—within or outside of Brazil—that processes personal data of individuals located in Brazil, as well as to organizations offering goods or services to Brazilian residents or monitoring their behavior.
LGPD governs the processing of any personal data, which includes information that can identify an individual directly or indirectly, such as names, email addresses, national identification numbers, and sensitive data like racial or ethnic origin and health information.
LGPD came into force on August 16, 2020.
- Purpose Specification: Data should be collected and processed for specific, explicit, and legitimate purposes.
- Adequacy: Processing should be appropriate and consistent with the declared purposes.
- Transparency: Individuals should be fully informed about how their data will be used.
- Security: Organizations must adopt measures to ensure the security and confidentiality of personal data.
- Non-discrimination: Processing personal data must not be discriminatory or harmful to individuals.
The LGPD allows for fines up to 2% of a company’s revenue in Brazil, capped at R$50 million per infraction. Enforcement is handled by the National Data Protection Authority (ANPD).