Skip to Main Content
Main Menu

General Personal Data Protection Act (LGPD)

Brazil’s LGPD protects the rights of individuals when it comes to processing of personal or sensitive data, including on digital platforms.

Are you subject to the LGPD?

The LGPD applies to any public or privacy individual or company with personal or sensitive data processing activities carried out in Brazil. This includes the collection of personal data, regardless of where the company is geographically located.

Obligations under LGPD

Organizational privacy requirements

LGPD requires organizations to appoint a person in charge of processing personal data, training employees regarding the protection of personal data and privacy. This person also ensures vendor contracts include instructions regarding the processing of personal data.

Individual rights

The LGPD includes the following data subject rights: access; confirm data processing; correct inaccurate information; review decisions made about them that uses only automated processes and the criteria used to make the decision.

Consent & transparency

Organizations must enable data subjects with consent to processing in a way that avoids use of dark patterns. Consents must easily be revoked. Individuals must be informed in a clear, precise, and easily accessible form about the processing of their personal information and who is doing the processing.

Security incident process

The law requires companies to adopt technologies such as encryption to protect personal data from unauthorized access, disclosure, destruction, and misuse. There are also data breach notification requirements requiring data protection authorities and affected individuals to be notified of a breach.


Brazil LGPD Accountability Handbook

In this Handbook, we will show how an accountability approach to privacy management can produce compliance outcomes for LGPD as well as other regulations such as GDPR and CCPA.


  • When did the LGPD take effect?

    The law came into effect in September 2020 and began enforcement on August 1, 2021.

  • What are the LGPD’s Data Security rules?

    To protect personal data from unauthorized access, damage, loss, and unlawful processing, organizations are to adopt technical and administrative measures.

  • What are the LGPD’s rules for international data transfers?

    There are nine ground rules to be able to transfer personal data to a third party outside of Brazil according to the LGPD. Some of these safeguards include execution of a public policy or guaranteeing data subject rights using different mechanisms such as contractual clauses, global corporate rules, or with a certificate.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top