Understanding LGPD: Brazil's General Data Protection Law

Understanding LGPD: Brazil's General Data Protection Law
Photo by Mateus Campos Felipe / Unsplash

The Lei Geral de Proteção de Dados (LGPD) is Brazil's answer to the growing global concern for data privacy and security. Much like the General Data Protection Regulation (GDPR) in the European Union, the LGPD is designed to give individuals greater control over their personal data and to establish clear rules for businesses that collect and process this data.

What is the LGPD?

The LGPD was passed into law in August 2018 and came into effect in August 2020. It applies to any business, regardless of its location, that processes the personal data of individuals in Brazil. This includes businesses that offer goods or services to individuals in Brazil, or that collect and use data gathered in Brazil.

The law defines personal data as any information that can be used to identify an individual, including names, identification numbers, location data, and online identifiers. It also includes special categories of sensitive personal data, such as racial or ethnic origin, religious beliefs, political opinions, health or biometric data, and sexual orientation.

Key Provisions of the LGPD

Much like the GDPR, the LGPD is based on a set of principles that businesses must adhere to when processing personal data. These include:

  • Purpose: Personal data must be processed for legitimate, specific, and explicit purposes that have been informed to the data subject.
  • Adequacy: The data processed must be compatible with the purposes informed to the data subject.
  • Necessity: The processing of data must be limited to the minimum necessary to fulfill its purpose.
  • Free Access: Data subjects have the right to easy and free access to the data that a business holds about them.
  • Data Quality: Businesses must ensure the accuracy, clarity, relevance, and currency of the data they process.
  • Transparency: Businesses must provide clear, accurate, and easily accessible information about their data processing activities.
  • Security: Businesses must use technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or distribution.
  • Prevention: Businesses must adopt measures to prevent damage due to the processing of personal data.
  • Non-discrimination: Businesses cannot carry out data processing for unlawful or discriminatory purposes.
  • Accountability: Businesses must demonstrate their ability to comply with these principles and the rules of the LGPD.

Rights of Data Subjects under the LGPD

The LGPD grants several rights to data subjects, including the right to access their data, correct inaccuracies, anonymize, block or delete unnecessary or excessive data, port their data to another service or product provider, delete their data processed with their consent, obtain information about public and private entities with which the business has shared their data, and obtain information about the possibility of denying consent and the consequences of such denial.

Compliance with the LGPD

To comply with the LGPD, businesses must appoint a Data Protection Officer (DPO), who will be responsible for receiving complaints and communications from data subjects, providing explanations and adopting measures, receiving communications from the national authority, and training the business staff in data protection.

Businesses must also implement data protection practices and governance programs, which should include, among other things, the adoption of data protection policies, the insertion of clauses in contracts and terms of use, and the adoption of standards of interoperability for portability.


The LGPD represents a significant step forward for data protection in Brazil. It aligns the country with global standards for data privacy and security, and it provides a clear framework for businesses to follow. As with any comprehensive data protection law, compliance with the LGPD requires a thorough understanding of the law's provisions and a commitment to respecting the rights of data subjects.

While the LGPD shares many similarities with the GDPR, it also has its unique aspects. Businesses operating in multiple jurisdictions must ensure they understand and comply with each region's specific requirements. As data protection continues to evolve around the world, staying informed and adaptable is more important than ever.

Please note that this article is intended to provide a general overview of the LGPD and does not constitute legal advice. For detailed guidance on LGPD compliance, please consult with a legal expert in Brazilian data protection law.