The LGPD terms a privacy team actually uses, defined in plain language by practitioners. For the full walkthrough, see the Brazil LGPD compliance guide.
Brazil's general data protection law, Law No. 13,709/2018. It governs how personal data is processed in Brazil, sets out the legal bases for processing, grants rights to data subjects, defines the roles of controller and processor, and establishes the ANPD as the enforcement authority.
Brazil's national data protection authority. The ANPD is a Brazilian federal authority, not an EU body. It supervises and enforces the LGPD, issues regulations and guidance, handles complaints, and applies administrative sanctions.
Under the LGPD, the agent who decides on the processing of personal data, the why and the how. The controller carries the primary obligations and answers for the purposes of the processing.
Under the LGPD, the agent who processes personal data on the controller's behalf and under the controller's instructions. A processor that begins deciding purposes on its own can be treated as a controller for that activity.
The person the controller appoints to act as the channel of communication between the controller, the data subjects, and the ANPD. The encarregado is the LGPD counterpart to the GDPR data protection officer, and the encarregado's contact details are published clearly.
The natural person to whom the personal data being processed relates. The titular holds the rights the LGPD grants, including access, correction, deletion, and portability.
Any information relating to an identified or identifiable natural person. This is the core category the LGPD protects.
A defined subset of personal data: racial or ethnic origin, religious conviction, political opinion, membership in a union or in a religious or philosophical organization, data concerning health or sex life, and genetic or biometric data tied to a person. The LGPD allows its processing only under a narrower set of bases.
Any operation carried out with personal data, including collection, use, access, reproduction, storage, sharing, transfer, and deletion. If you touch the data, you are processing it.
One of the grounds the LGPD requires before personal data can be processed. The law lists ten bases for ordinary personal data and a separate, narrower set for sensitive data. Processing without a valid basis is unlawful.
Under the LGPD, a free, informed, and unambiguous agreement by the data subject to the processing of their data for a specific purpose. It can be withdrawn at any time by an easy and free procedure. Consent is one legal basis among several, not the default.
A legal basis that allows processing for the legitimate interests of the controller or a third party, weighed against the rights and reasonable expectations of the data subject. Its flexibility is why the ANPD scrutinizes it more closely than the others.
The transfer of personal data out of Brazil. The LGPD permits it only through recognized routes, such as transfer to a country or organization with adequate protection as recognized by the ANPD, or where the controller proves adequate guarantees through ANPD-recognized instruments such as standard contractual clauses or global corporate rules.
The use of reasonable technical means to render data unable to be associated, directly or indirectly, with an individual. Data that is genuinely anonymized generally falls outside the scope of the LGPD.
Processing that removes the direct link between data and a specific person, so that re-identification requires separately held additional information. Pseudonymized data is still personal data under the LGPD.
The Relatório de Impacto à Proteção de Dados Pessoais, the LGPD's data protection impact assessment. It describes processing that may pose risks to civil liberties and fundamental rights, along with the safeguards and measures taken to mitigate that risk. It is the LGPD analogue to the GDPR DPIA.
A penalty the ANPD can apply for LGPD violations. The scale runs from a warning with a corrective deadline, through simple and daily fines, to publicizing the infraction and blocking or deleting the data. The fine can reach two percent of revenue in Brazil, capped at fifty million reais per infraction.
The principles that govern every processing activity under the LGPD, including purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability. A program can pass a checklist and still fail a principle.
A breach affecting personal data that may create relevant risk or harm to data subjects. The controller must communicate qualifying incidents to the ANPD and to the affected data subjects within a reasonable period.
The EU General Data Protection Regulation, the law the LGPD was modeled on. The two share structure and vocabulary, but they are separate regimes with different authorities, a different count of legal bases, and different sanction rules. Compliance with one does not equal compliance with the other.
Compliance Command Center turns these concepts into a defensible, ANPD-ready program, run by practitioners with the software carrying the structure.