The LGPD is Brazil's general data protection law, Law No. 13,709/2018. If you process the personal data of people in Brazil, the law reaches you even when your company sits somewhere else. You process under one of ten legal bases, and consent is only one of them. Data subjects hold rights they can exercise directly against you. The controller (controlador) and processor (operador) carry defined roles, an encarregado answers for the program, and the ANPD enforces the law, with the power to fine up to two percent of revenue in Brazil, capped at fifty million reais per infraction. The LGPD borrows the GDPR's shape, but the two are separate laws.
A US fintech expands a payments product into São Paulo. A SaaS company signs its first enterprise customer in Brazil and starts holding employee records. A health platform adds Brazilian users. Each one runs into the same question: which privacy law applies here, and what does it require of us? The answer is the LGPD. The teams that get into trouble are usually the ones who assumed their GDPR program would carry over unchanged.
This guide is a practitioner's walk through the LGPD as it operates today: who it covers, the legal bases you process under, the rights you have to honor, the roles you have to staff, the authority that enforces it, the rules on moving data out of the country, and where it lines up with the GDPR and where it diverges.
What the LGPD is, and where it reaches
The LGPD, the Lei Geral de Proteção de Dados, is Brazil's comprehensive data protection statute. It governs how personal data is collected, stored, used, shared, and deleted, whether a private company does the processing or, under some specific rules, the public sector. Personal data under the law is any information relating to an identified or identifiable natural person.
Scope is the first thing to get right, and it is wide. The law applies when the processing happens inside Brazil, when the purpose of the processing is to offer goods or services to people in Brazil, or when the data was collected in Brazil. Where the company sits does not decide the question. An organization headquartered outside Brazil that targets people located in Brazil falls inside the law's scope. This is the territorial point that surprises foreign teams most.
The principles the whole law turns on
Before the mechanics, the LGPD sets out principles that every processing activity has to satisfy. The ANPD reasons through them, and they are worth knowing because a program can satisfy a checklist and still fail a principle.
| Principle | What it requires in practice |
|---|---|
| Purpose | Processing serves a specific, explicit, and legitimate purpose, made known to the data subject. |
| Adequacy and necessity | The processing fits the stated purpose, and the data collected is limited to what the purpose actually needs. |
| Free access and quality | Data subjects can consult their data easily, and the data is kept accurate, clear, and current. |
| Transparency | Clear, accessible information about the processing and the agents who carry it out. |
| Security and prevention | Technical and administrative measures that protect the data and prevent harm. |
| Non-discrimination and accountability | No processing for unlawful or abusive discriminatory ends, and the agent can demonstrate the measures it took to comply. |
The legal bases for processing
The LGPD does not let you process personal data simply because you want to. You need a legal basis, and the law lists ten of them for ordinary personal data. Consent is one of the ten. Many organizations lean too hard on it when a sturdier basis, such as contract or legal obligation, fits the activity better and holds up after the data subject changes their mind.
| Legal basis | When it tends to apply |
|---|---|
| Consent | The data subject gives a free, informed, and unambiguous agreement for a specific purpose. It can be withdrawn at any time. |
| Legal or regulatory obligation | Processing the controller must do to comply with a legal or regulatory duty, such as tax or recordkeeping rules. |
| Performance of a contract | Processing necessary to carry out a contract, or preliminary steps at the data subject's request. |
| Regular exercise of rights | Processing for the exercise of rights in judicial, administrative, or arbitration proceedings. |
| Protection of life | Processing to protect the life or physical safety of the data subject or a third party. |
| Protection of health | Processing for health protection, in a procedure carried out by health professionals or health entities. |
| Legitimate interest | Processing for the legitimate interests of the controller or a third party, balanced against the data subject's rights and reasonable expectations. |
| Credit protection | Processing for credit protection, including as set out in the relevant Brazilian legislation. |
| Public policy execution | Processing by the public administration to carry out public policies set in law or regulation. |
| Study by a research body | Processing for study by a research body, with anonymization where possible. |
Sensitive personal data, covered below, has its own narrower set of bases. The basis you pick decides what you can do with the data, what the data subject can demand back, and how the activity holds up when the ANPD asks. Treat the choice as a real decision, not a form to fill in.
Personal data and sensitive personal data
The law draws a line between two categories, and the line matters because the rules run stricter on one side.
Personal data is any information relating to an identified or identifiable natural person. Sensitive personal data is a defined subset: data on racial or ethnic origin, religious conviction, political opinion, union or religious or philosophical organization membership, data concerning health or sex life, and genetic or biometric data tied to a natural person. You may process sensitive data only under a tighter list of bases, with consent that is specific and highlighted, or, without consent, where the processing is indispensable for purposes the law names directly, such as a legal obligation, health protection by health professionals, or fraud prevention. A program that treats biometric or health data like ordinary contact details is exposed.
The rights of the data subject
The LGPD gives the titular, the data subject, a set of rights they can exercise against the controller, free of charge and on request. A working program has a defined channel to receive these requests, a way to verify the requester, and the operational ability to act across its systems.
| Right | What the data subject can ask for |
|---|---|
| Confirmation and access | Confirmation that processing exists, and access to the data being processed. |
| Correction | Correction of incomplete, inaccurate, or outdated data. |
| Anonymization, blocking, or deletion | Anonymization, blocking, or deletion of data that is unnecessary, excessive, or processed in noncompliance with the law. |
| Portability | Portability of data to another service or product provider, on request and subject to the ANPD's rules. |
| Deletion of consented data | Deletion of personal data processed with consent, subject to the law's retention exceptions. |
| Information on sharing | Information about the public and private entities the controller has shared the data with. |
| Information on not consenting | Information about the possibility of denying consent and the consequences of denial. |
| Withdrawal of consent | Withdrawal of consent at any time, by an easy and free procedure. |
| Review of automated decisions | The right to request review of decisions made solely on automated processing that affect the data subject's interests. |
The roles: controlador and operador
The LGPD assigns responsibility through two defined roles, and you have to map every data flow to one of them correctly. The controlador, the controller, is the agent who decides on the processing of personal data: the why and the how. The operador, the processor, is the agent who processes personal data on the controller's behalf, under the controller's instructions.
The controller carries the primary obligations and answers for the purposes of the processing. The processor has to follow the controller's instructions and is bound by its own duties under the law, including security. When a processor steps outside the instructions and starts deciding purposes on its own, the law can treat it as a controller for that activity. A contract or equivalent instrument connects the two and sets out the scope of the processing, and both can be liable for harm caused to data subjects. Map each flow to one of these roles before you build the controls, because the role determines the obligation.
The encarregado, Brazil's DPO
The LGPD requires the controller to appoint an encarregado, the person who serves as the channel of communication between the controller, the data subjects, and the ANPD. The encarregado is the Brazilian counterpart to the GDPR data protection officer, and the accountability model runs through this role.
The law names the duties directly. The encarregado receives complaints and communications from data subjects, provides clarifications and takes action, receives communications from the ANPD, advises employees on data protection practices, and handles the other duties the controller sets or the ANPD specifies. The ANPD has issued regulation that scales the requirement for smaller processing agents, so how you staff the role depends on the size and risk of the operation. You have to publish the encarregado's identity and contact details clearly and accessibly, usually on the controller's website.
The ANPD and enforcement
Enforcement belongs to the Autoridade Nacional de Proteção de Dados, the ANPD, Brazil's national data protection authority. The ANPD is a Brazilian federal authority, not an EU body and not a court. It supervises and enforces the LGPD, issues regulations and guidance that fill in the law's detail, handles complaints, and applies administrative sanctions.
The sanctions run on a scale the law lists. They include a warning with a deadline to take corrective action, a simple fine, a daily fine, publicizing the infraction, and the blocking or deletion of the personal data involved. The fine reaches up to two percent of the revenue of the company, group, or conglomerate in Brazil for the prior financial year, capped at fifty million reais per infraction. The ANPD weighs factors such as the seriousness of the violation, the good faith of the agent, the advantage gained, and the measures the agent took to mitigate harm. So a documented good-faith program is not just internal hygiene. It is part of how the ANPD sets the sanction.
International data transfer
The LGPD restricts the transfer of personal data out of Brazil, so an organization that moves data to servers or affiliates abroad needs a lawful basis for the transfer itself. The law sets out the permitted routes. They include transfer to a country or international organization the ANPD recognizes as providing an adequate level of protection, and transfer where the controller offers and proves adequate guarantees through instruments the ANPD recognizes, such as standard contractual clauses, specific contractual clauses, global corporate rules, or seals and certificates. The law also permits transfers in specific situations it names, including the data subject's specific consent to the transfer, international legal cooperation, protection of life, and the performance of a contract. The ANPD defines and approves these mechanisms. As of 2024 the ANPD has given those guarantees concrete form: Resolution CD/ANPD No. 19/2024 approved Brazil's own standard contractual clauses and made them mandatory for transfers that rely on the contractual route, with the grace period to incorporate them into existing contracts ending in August 2025. For any cross-border flow, identify which recognized route applies, use the approved clauses where the contractual route applies, and document it.
How the LGPD compares to the GDPR, at a high level
The LGPD was modeled on the GDPR, so the family resemblance is real and useful. They share the controller and processor structure, a data protection officer role, a list of data-subject rights, the requirement of a legal basis, and an accountability principle. A team that has done GDPR work will recognize the shape of the LGPD quickly.
The differences are where teams get caught. Treat the LGPD and the GDPR as two separate regimes that happen to share a vocabulary.
| Dimension | LGPD | GDPR |
|---|---|---|
| Authority | The ANPD, a Brazilian federal authority. | National supervisory authorities across the EU member states, coordinated under the EDPB. |
| Legal bases | Ten bases for ordinary personal data, including credit protection and protection of health. | Six lawful bases under Article 6. |
| Core terms | Controlador, operador, encarregado, titular. | Controller, processor, data protection officer, data subject. |
| Maximum fine | Up to two percent of revenue in Brazil, capped at fifty million reais per infraction. | Up to four percent of global annual turnover or twenty million euros, whichever is higher. |
| Transfer model | Adequacy and ANPD-recognized guarantee instruments, defined by Brazilian law and the ANPD. | Adequacy decisions and Article 46 safeguards, defined by EU law and the EDPB. |
A GDPR program gives you a strong head start on the LGPD, and it stops short of covering it. The legal bases differ, the authority differs, the sanction math differs, and Brazilian rules define the recognized transfer instruments. You still have to do the Brazil-specific work.
A readiness checklist
Run this before you decide your LGPD posture is sound.
- You have confirmed the law applies, on territorial grounds, to each product or service touching people in Brazil.
- Every processing activity has a documented legal basis from the ten, not a blanket reliance on consent.
- Sensitive personal data is identified and processed only under its narrower set of bases.
- Each data flow is mapped to controlador or operador, with contracts in place between them.
- An encarregado is appointed and their contact details are published clearly.
- There is a working channel to receive and act on data-subject requests, free of charge.
- International transfers ride on an ANPD-recognized route, identified and documented.
- Security measures and an incident-response path are in place, including communication to the ANPD and affected data subjects where required.
- Records demonstrate accountability: the measures taken to comply, ready to show the ANPD.
- Your GDPR program is mapped to the LGPD's differences, not assumed to cover them.
The LGPD rewards the same discipline every serious privacy regime does. Know your data, know why you hold it, give people the control the law promises them, and keep a record that shows your reasoning. A program built that way is the one that holds up when the ANPD looks.