LGPD
Lei Geral de Proteção de Dados
The LGPD is Brazil's general data protection law that regulates the processing of personal data by individuals and organizations, establishing ten legal bases for processing and a national data protection authority (ANPD).
Source: IQWorks — iqworks.ai | Last updated: 2026-03-20
Effective: Sep 18, 2020
Jurisdiction: Brazil
Max Penalty: 2% of company revenue in Brazil, capped at 50 million BRL per infraction
Enforced By: Autoridade Nacional de Proteção de Dados (ANPD)
Who Does LGPD Apply To?
Any processing of personal data carried out in Brazil, aimed at offering goods or services to individuals in Brazil, or where the personal data was collected in Brazil.
Key Requirements
Ten Legal Bases
Broader than GDPR. The bases are consent, legal obligation, contract execution, public policy, research, judicial proceedings, life protection, health protection, legitimate interest, and credit protection.
Data Protection Officer
All data controllers must appoint a DPO. The ANPD may issue regulations reducing this requirement for small businesses.
Privacy Impact Assessment
The ANPD may require data controllers to produce a privacy impact report for processing activities that pose risks to civil liberties.
International Data Transfers
Transfers are permitted to countries with adequate protection, under standard contractual clauses, or with the data subject's specific consent.
Data Breach Notification
Controllers must notify the ANPD and data subjects within a reasonable time of a security incident that may cause significant risk or damage.
Data Processing Records
Controllers and processors must maintain records of processing activities, including the types of personal data collected, purpose, retention period, and security measures.
Individual Rights Under LGPD
Frequently Asked Questions
What is LGPD?
The LGPD is Brazil's general data protection law that regulates the processing of personal data by individuals and organizations, establishing ten legal bases for processing and a national data protection authority (ANPD).
What are the penalties for LGPD non-compliance?
The maximum penalty under LGPD is 2% of company revenue in Brazil, capped at 50 million BRL per infraction. Enforcement is handled by the Autoridade Nacional de Proteção de Dados (ANPD).
Who does LGPD apply to?
Any processing of personal data carried out in Brazil, aimed at offering goods or services to individuals in Brazil, or where the personal data was collected in Brazil.
When did LGPD take effect?
The Lei Geral de Proteção de Dados was enacted in 2018 and became effective on September 18, 2020.