Brazil General Data Protection Law
Comply with Brazil's General Data Protection Law ('LGPD')
The LGPD entered into force on 18 September 2020, although its enforcement provisions entered into effect on 1 August 2021. The LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and creates novel requirements on the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer appointments, Data Protection Impact Assessments, data transfers, and data breaches. It will be enforced by the Brazilian data protection authority ('ANPD') which, when established, is expected to provide important guidance and clarity on the provisions of the LGPD.
The LGPD has many similarities to the EU's GDPR, granting certain data privacy rights to data subjects in Brazil and requiring organisations that process personal data to meet specific data protection obligations.
OneTrust's LGPD solutions are backed by AI, robotic automation and regulatory research, ensuring quick time to value, efficiency and unparalleled guidance as you build, adapt, and mature your LGPD program.
Find out more about OneTrust's full suite of solutions here.
Operationalising the LGPD
OneTrust DataGuidance, in collaboration with its network of Brazilian privacy experts, is producing a series of articles examining the core operational aspects for organisations to consider.
Read Part One - DSARs & breach notification requirements
Read Part Two - Data mapping & assessments
Read Part Three - Consent and other lawful bases
Read Part Four - Vendor risk management
Read Privacy policies under the LGPD
Read LGPD v. GDPR
Read LGPD v. CCPA
LGPD v. GDPR Benchmark
OneTrust DataGuidance and Baptista Luz Advogados have produced a free LGPD v. GDPR Report, which you can download here, and which assists organisations in understanding and comparing key provisions of the LGPD with those of the GDPR. You can also leverage this information through our LGPD v. GDPR Comparison in the tab above.
Brazil Privacy Landscape Overview
Watch our Brazil Overview video to understand the state of privacy in Brazil today.
The Brazilian data protection authority ('ANPD') published, on 23 March 2023, its list of sanctioning proceedings awaiting conclusion.
The Brazilian data protection authority ('ANPD') announced, on 17 March 2023, that it had published a technical note on the applicability of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') to deceased persons.
The Brazilian data protection authority ('ANPD') published, on 27 February 2023, its finalised resolution on the application of the administrative sanctions following a public consultation on the same.
The Brazilian data protection authority ('ANPD') published, on 16 January 2023, a summary of its progress on its 2021-2022 regulatory agenda in the second half of 2022.
The Brazilian data protection authority's ('ANPD') Inspection General Coordination published, on 23 December 2022, a new form for sending security incident reports by data controllers to the ANPD. In particular, the ANPD noted that the new form must be used for security incidents from 1 January 2023 onwards.
The Senate announced, on 1 December 2022, the approval of the new draft regulatory framework on artificial intelligence ('AI') by the Commission of Jurists established for the AI Framework.
The Brazilian data protection authority ('ANPD') announced, on 8 November 2022, that it had approved its regulatory agenda for the biennium 2023-2024.
The Brazilian data protection authority ('ANPD') released, on 4 November 2022, a draft record of personal data processing activities ('ROPA') template for small processing agents and is requesting public comments on the same.
The Brazilian data protection authority ('ANPD') published, on 18 October 2022, Guidance on Cookies and Personal Data Protection. In particular, the guidance seeks to identify positive and negative practices associated with the use of cookie policies and cookie banners.
The Chamber of Deputies announced, on 11 October 2022, that it had approved Provisional Measure No. 1,124/22, which transforms the ANPD into an agency of a special nature, granting administrative autonomy to the body.
The Federal Communications Commission ('FCC') announced, on 26 September 2022, that it had signed Memoranda of Understanding ('MoU') with the Brazilian National Telecommunications Agency ('Anatel') and the Romanian National Authority for Management and Regulation in Communications ('ANCOM').
The Brazilian data protection authority ('ANPD') announced, on 29 August 2022, that it is seeking opinions on high-risk processing and issued a questionnaire for this purpose. In particular, the ANPD outlined that Article 4 of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No.
The Ministry of Justice and Public Security ('MJSP') announced, on 23 August 2022, that its National Consumer Secretariat ('Senacon') had issued, on the same date, a decision in which it imposed a fine of BRL 6.6 million (approx. €1,290,000) on Facebook, Inc. following the unlawful sharing of personal data of Brazilians.
The Brazilian data protection authority ('ANPD') released, on 16 August 2022, a draft resolution on the application of the administrative sanctions.
The Chamber of Deputies announced, on 12 August 2022, Bill 1515/22 which regulates the application of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No.
The Brazilian data protection authority ('ANPD') announced, on 5 August 2022, that it is accepting public comments on its regulatory agenda for the biennium 2023-2024.
The Brazilian Federal Senate established a commission of legal experts ('the AI Commission') who were commissioned with the task of drafting an Artificial Intelligence Legal Framework ('AI Legal Framework').
Over two years on from the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') entering into force, the regulatory framework for the enforcement of its provisions continues to take shape.
Both Brazil and Chile have existing data protection frameworks which have, in part, been influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Environmental, social, and governance ('ESG') has become an area that organisations are increasingly expected to pay close attention to in their business practices.
Brazil is currently in the process of fleshing out its approach to regulating cookies, with more extensive guidance on the way. Celina Bottino, Vinicius Padrão, and Flávia Parra Cano, from Rennó, Penteado, Sampaio Advogados, discuss current developments in this area and the relevance of approaches taken in the EU on this matter.
The Brazilian data protection authority ('ANPD') was established by Article 55-A of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD').
The Brazilian data protection authority ('ANPD') has been active in the past months, with the publication of various guidance documents pertaining to Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') and aimed at facilitating compliance.
The entry into force of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No.
LGPD v GDPR
GDPR Benchmark
This Chart aims at assisting organisations in understanding and comparing key provisions of the GDPR with relevant data protection law from around the globe. This Chart provides a comparison of the following key provisions:
- Scope
- Definitions and legal basis
- Rights
- Enforcement
Each topic includes relevant articles and sections from the law compared, a summary of the comparison, and a detailed analysis of the similarities and differences. The degree of similarity for each section can be identified using the key.
Scope Benchmark
- Personal scope
- Territorial scope
- Material scope
Definitions and Legal Basis Benchmark
- Personal data
- Pseudonymisation
- Controller and processor
- Children
- Research
- Legal Basis
Rights Benchmark
- Right to deletion
- Right to be informed
- Right to object
- Right to access
- Right not to be subject to discrimination
- Right to data portability
Enforcement Benchmark
- Monetary penalties
- Supervisory authority
- Civil remedies