Compliance Brazil

The LGPD governs the processing of personal data, including by digital means, by a natural person or a public or private legal entity, in order to protect the fundamental rights of freedom and privacy and the free development of the personality (Art. 1).

It applies whenever (Art. 3): the processing is carried out in Brazilian territory; the activity aims to offer goods or services to, or process data of, individuals located in Brazil; or the data was collected in Brazil.

Key definitions (Art. 5):

• Personal data: information relating to an identified or identifiable natural person.
• Sensitive data: data on racial/ethnic origin, religious belief, political opinion, union or religious/philosophical membership, health or sex life, genetic or biometric data.
• Controller: party responsible for decisions on processing; operator: party that processes on the controller's behalf; DPO (encarregado): the communication channel between controller, data subjects and the ANPD.

Principles (Art. 6): purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability — all in good faith.

Legal bases for processing (Art. 7): consent; compliance with a legal/regulatory obligation; execution of public policy; research; performance of a contract; exercise of rights in proceedings; protection of life; health protection; legitimate interest; and credit protection.

Sensitive data (Art. 11) may only be processed with specific consent or under the strict legal hypotheses. Children's and adolescents' data (Art. 14) must be processed in their best interest, with specific consent from a parent or legal guardian.

The data subject may, at any time and free of charge (Art. 18), request: confirmation of processing; access to the data; correction of incomplete, inaccurate or outdated data; anonymization, blocking or deletion of unnecessary or non-compliant data; portability; deletion of data processed with consent; information about shared use; and withdrawal of consent.

Data subjects also have the right to review decisions taken solely on automated processing that affect their interests (Art. 20).

International transfer of personal data is permitted (Art. 33) to countries or organizations with an adequate level of protection; where the controller offers guarantees through specific or standard contractual clauses, global corporate rules, or seals and codes of conduct; and in the other hypotheses expressly listed, including the data subject's specific and prominent consent.

Controllers and operators must keep records of processing operations (Art. 37) and adopt technical and administrative security measures to protect data from unauthorized access and accidental or unlawful incidents (Art. 46).

In the event of a security incident that may create risk or relevant damage, the ANPD and the affected data subjects must be notified within a reasonable time (Art. 48).

The controller must appoint a Data Protection Officer (DPO), whose contact details must be publicly disclosed (Art. 41).

The National Data Protection Authority (ANPD) oversees and enforces the law. Violations may result (Art. 52) in warnings, fines of up to 2% of revenue (capped at BRL 50 million per violation), public disclosure of the infraction, and blocking or deletion of the relevant data.