Brazil General Data Protection Law
Comply with Brazil's LGPD
The General Personal Data Protection Law (LGPD) entered into force on September 18, 2020, although its enforcement provisions entered into effect on August 1, 2021. The LGPD is a comprehensive data protection law that covers the activities of data controllers and processors and creates novel requirements on the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer appointments, Data Protection Impact Assessments, data transfers, and data breaches. It is enforced by the Brazilian Data Protection Authority (ANPD), which provides guidance and clarity on the provisions of the LGPD. The LGPD has many similarities to the EU's General Data Protection Regulation (GDPR), granting certain data privacy rights to data subjects in Brazil and requiring organizations that process personal data to meet specific data protection obligations.
OneTrust's LGPD solutions are backed by AI, robotic automation, and regulatory research, ensuring quick time to value, efficiency, and unparalleled guidance as you build, adapt, and mature your LGPD program. Find out more about OneTrust's full suite of solutions here.
Visit our Brazil Jurisdiction Dashboard for further information on Brazil's Data Protection Landscape.
LGPD v. GDPR Benchmark
OneTrust DataGuidance and Baptista Luz Advogados have produced a free LGPD v. GDPR Report, which you can download here, and which assists organizations in understanding and comparing key provisions of the LGPD to the GDPR. In the tab above, you can also leverage this information through our LGPD v. GDPR Comparison.
On December 1, 2023, the Brazilian data protection authority (ANPD) published its Technical Note No. 19/2023, containing its monitoring report in respect to the period from February 2022 to February 2023, as part of its Annual Monitoring Plan.
The Brazilian data protection authority (ANPD) released, on November 13, 2023, a technical note analyzing the publishing of microdata related to the national school census and the National High School Exam by the National Institute of Educational Studies and Research Anísio Teixeira (Inep) for research purposes, following a preliminary evaluatio
The Brazilian data protection authority (ANPD) released, on November 10, 2023, a technical note that examines the Safe Stadium Project's compliance with the General Personal Data Protection Law (LGPD).
On November 6, 2023, the Brazilian data protection authority (ANPD) opened its draft Resolution on data protection officers (DPOs) (the draft Resolution) for public consultation.
On November 7, 2023, the Brazilian data protection authority (ANPD) released an activity report in celebration of the three years since the beginning of its operations, in 2020.
In particular, the report highlights:
On November 1, 2023, the draft bill PLP 234/2023 was introduced to Parliament and proposed to establish the Brazilian Ecosystem of Data Monetization (the Ecosystem), as well as changes to Law No. 13.709 of 14 August 2018 (LGPD).
On October 23, 2023, the National Consumer Secretariat (Senacon) notified Raia Drogasil S.A., a drugstore chain, to provide clarifications regarding the processing of consumers' sensitive personal data, including health data, following a news article alleging that Raia Drogasil was profiting off consumers' personal data.
On October 24, 2023, the Brazilian data protection authority (ANPD) published its technical note No. 16 analyzing Bill No. 2338 of 2023, which seeks to regulate artificial intelligence (AI) and is currently in debate in the Senate.
On October 3, 2023, the Brazilian data protection authority (ANPD) opened its regulatory sandbox pilot program, focused on artificial intelligence (AI) and data protection, for public contribution.
On September 26, 2023, the Central Bank of Brazil (BCB) approved Resolution BCB nº 342 (the Resolution), which altered the Regulation annexed to Resolution BCB nº 1 of August 12, 2020, and introduced new requirements for financial institutions dealing with security breaches that affect the instant payment system (Pix) platform's components or in
On June 23, 2023, the Brazilian data protection authority (ANPD) signed a technical note in which it analyzed the processing of children's personal data by Bytedance Brasil Tecnologia Ltda. and TikTok Pte. Ltd.
The Brazilian Data Protection Authority (ANPD) released, on August 22, 2023, its report on the regulatory agenda for 2023 to 2024. The report contains 20 priority themes for its reference period and provides an overview of ongoing projects and accomplishments, reflecting the ANPD's commitment to safeguarding data privacy.
The Brazilian Data Protection Authority (ANPD) released, on August 18, 2023, its first Monitoring Cycle Report. The report includes the ANPD's activity report for 2022, as well as an action proposal for 2023.
Activity report for 2022
The Brazilian Data Protection Authority (ANPD) released, on August 16, 2023, its preliminary study on the legal basis of legitimate interest and is requesting public comments on the same.
The Brazilian Data Protection Authority (ANPD) released, on August 15, 2023, a draft Resolution on International Transfers of Personal Data and Model Standard Contractual Clauses and is requesting public comments on the same.
Scope
On August 9, 2023, the Brazilian Senate announced that a special commission would be created to debate the Bill to regulate artificial intelligence.
The Brazilian Federal Senate established a commission of legal experts ('the AI Commission') who were commissioned with the task of drafting an Artificial Intelligence Legal Framework ('AI Legal Framework').
Over two years on from the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') entering into force, the regulatory framework for the enforcement of its provisions continues to take shape.
Both Brazil and Chile have existing data protection frameworks which have, in part, been influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
In this report, OneTrust DataGuidance and Baptista Luz Advogados provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (LGPD).
Brazil is currently in the process of fleshing out its approach to regulating cookies, with more extensive guidance on the way. Celina Bottino, Vinicius Padrão, and Flávia Parra Cano, from Rennó, Penteado, Sampaio Advogados, discuss current developments in this area and the relevance of approaches taken in the EU on this matter.
The Brazilian data protection authority ('ANPD') was established by the Article 55-A of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD').
The Brazilian data protection authority ('ANPD') has been active in the past months, with the publication of various guidance documents pertaining to Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') and aimed at facilitating compliance.
The entry into force of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No.
Following public consultation on the matter, the Brazilian data protection authority1 ('ANPD') approved, on 29 October 2021, Regulation CD/ANPD No. 1 ('the Regulation'), regarding the monitoring and enforcement of administrative sanctions by the ANPD. The Regulation entered into effect on the same day it was enacted.
OneTrust DataGuidance and Baptista Luz Advogados provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the General Personal Data Protection Law (LGPD). The report, which was last updated in September 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the LGPD with the GDPR.
You can access the latest version of the report here.
Key highlights
The LGPD and the GDPR share some similarities, particularly in regard to their personal and material scope. Both laws:
- apply to the processing of natural persons' data as carried out by controllers and processors;
- provide special protection for the processing of sensitive personal data as well as for the processing of children's data;
- the rights individuals are entitled to, as well as the obligations controllers and processors are subject to; and
- apply to organizations that have a presence in the EU and Brazil respectively as well as to organizations that are not physically located, but which offer goods and services in the jurisdictions, or process personal data in these regions.
However, despite their similarities, the LGPD and the GDPR also differ sometimes in their approach, such as:
- the applicable legal basis when sensitive data is processed;
- the time period in which a data subject access request must be responded to, the information which must be included in the response, and limitations to the right; and
- the grounds and scope of the right to data portability.