Brazil’s Lei Geral de Proteção de Dados (LGPD)

LGPD was passed in 2018 but didn’t go into effect until September 2020 and is the world’s third largest data privacy regulation. It takes inspiration from GDPR and CCPA but enforces less severe violation penalties. LGPD is modeled to protect data-holder rights, as well as ensure ethical data extraction and transfer. Companies that collect data while in Brazil and companies outside the country extracting data from Brazil must comply with LGPD. The statutory data protection law is authorized by the National Data Protection Authority in the Federal Republic of Brazil.

Why LGPD Is So Important

Brazil has more than 138 million online users. It’s the largest internet-consuming market in Latin America. LGPD unifies 40 pre-existing privacy laws, helping to refine its privacy protection laws for the safety of its people and businesses.

What’s Included in LGPD

What’s Included in LGPD

LGPD contains 65 distinct data protection and processing articles divided across 10 chapters:

  • DotChapter 1 includes preliminary provisions (Articles 1 – 6)
  • DotChapter 2 deals with processing of personal data (Articles 7 – 16)
  • DotChapter 3 defines data subject's rights (Articles 17 – 22)
  • DotChapter 4 states the rules and accountability related to processing activities (Articles 23 – 32)
  • DotChapter 5 relates to international data transfer (Articles 33 – 36)
  • DotChapter 6 deals with personal data processing agents (Articles 37 – 45)
  • DotChapter 7 encompasses safety and good practices (Articles 46 – 51)
  • DotChapter 8 defines administrative sanctions enforced to enable monitoring (Articles 52 – 54)
  • DotChapter 9 covers the National Data Protection Authority (ANPD) and National Data Protection Council and Privacy (Articles 55 – 59)
  • DotChapter 10 lists final and transitional provisions (Articles 60 – 65)

Consumer/Subject Rights under LGPD

Article 18 outlines basic online consumer/subject rights in front of the controller, including:

  • DotRight to meaningful notice
  • DotRight to know from businesses what data is being processed
  • DotRight to modify incorrect or incomplete personal data
  • DotRight to a copy of existing data from a data processing system
  • DotRight to block/anonymize/delete non-compliant personal data
  • DotRight to delete their personal data
  • DotRight to explicitly consent to personal data collection and what the consequences for denying consent will be
  • DotRight to revoke consent
Consumer/Subject Rights under LGPD
Protection Eligibility under LGDP

Protection Eligibility under LGDP

Article 3 talks about the application of data within the geographical boundaries of Brazil:

  • DotThere may be any data exchange for business purposes, i.e. selling/buying products or services in Brazil.
  • DotWhoever resides in Brazil and exchanges data for business and other purposes is protected under this Act.
  • DotThe entire exchange of data in and outside Brazilian borders might be by any person, business entity, group, or association. All such parties must consider the subjection of LGPD while storing, processing, and exchanging data.
  • DotThe business is not required to have a physical HQ in Brazil. The only thing required for protection under LGPD is that the data’s subject be in Brazil.

About Consent

  • DotArticle 5 considers consent as an unambiguous, free, or informed expression. The data subject must agree to this expression that implies and confirms their cases of processing the given data for a well-defined purpose.
  • DotArticle 8 mandates obtaining, or re-obtaining if need be, proof of consent. This article also states that the data processor must have a revocation slip if the consent is revoked.
About Consent
LGPD Exceptions

LGPD Exceptions

Article 4 defines situations when or where LGPD does not apply. This includes when personal data gets handled or processed by:

  • DotA natural person for non-economic or private goals
  • DotJournalists, artists, or academia for their professional purposes
  • DotExclusive purpose for national defense, public safety, legal investigation, state security, and prosecution of criminal offenses
  • DotOutside Brazil’s defined geographical boundaries, not shared with Brazilian subjects, and exchanged communication with other countries. (However, the data's point of origin must still have a data protection law there.)

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.

See Loyalty in Action

Be inspired with endless ways to make every customer interaction rewarding.


We Can Help

Let's explore how loyalty can help you become one of your customers' most beloved brands.


©2021 All Rights Reserved. AnnexCloud