Brazil General Data Protection Law
Comply with Brazil's LGPD
The General Personal Data Protection Law (LGPD) entered into force on September 18, 2020, although its enforcement provisions entered into effect on August 1, 2021. The LGPD is a comprehensive data protection law that covers the activities of data controllers and processors and creates novel requirements on the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer appointments, Data Protection Impact Assessments, data transfers, and data breaches. It is enforced by the Brazilian Data Protection Authority (ANPD), which provides guidance and clarity on the provisions of the LGPD. The LGPD has many similarities to the EU's General Data Protection Regulation (GDPR), granting certain data privacy rights to data subjects in Brazil and requiring organizations that process personal data to meet specific data protection obligations.
OneTrust's LGPD solutions are backed by AI, robotic automation, and regulatory research, ensuring quick time to value, efficiency, and unparalleled guidance as you build, adapt, and mature your LGPD program. Find out more about OneTrust's full suite of solutions here.
Visit our Brazil Jurisdiction Dashboard for further information on Brazil's Data Protection Landscape.
LGPD v. GDPR Benchmark
OneTrust DataGuidance and Baptista Luz Advogados have produced a free LGPD v. GDPR Report, which you can download here, and which assists organizations in understanding and comparing key provisions of the LGPD to the GDPR. In the tab above, you can also leverage this information through our LGPD v. GDPR Comparison.
OneTrust DataGuidance and Baptista Luz Advogados provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the General Personal Data Protection Law (LGPD). The report, which was last updated in September 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the LGPD with the GDPR.
You can access the latest version of the report here.
The LGPD and the GDPR share some similarities, particularly in regard to their personal and material scope. Both laws:
- apply to the processing of natural persons' data as carried out by controllers and processors;
- provide special protection for the processing of sensitive personal data as well as for the processing of children's data;
- the rights individuals are entitled to, as well as the obligations controllers and processors are subject to; and
- apply to organizations that have a presence in the EU and Brazil respectively as well as to organizations that are not physically located, but which offer goods and services in the jurisdictions, or process personal data in these regions.
However, despite their similarities, the LGPD and the GDPR also differ sometimes in their approach, such as:
- the applicable legal basis when sensitive data is processed;
- the time period in which a data subject access request must be responded to, the information which must be included in the response, and limitations to the right; and
- the grounds and scope of the right to data portability.