LGPD (Lei Geral de Proteção de Dados)

Brazil's comprehensive data protection law, effective from 2020, that regulates personal data processing and establishes data subject rights. LGPD closely mirrors GDPR's structure and principles while incorporating Brazilian legal traditions. It applies to organizations processing personal data in Brazil, offering goods or services to Brazilian individuals, or processing data collected in Brazil. LGPD establishes legal bases for processing, grants extensive data subject rights, requires data protection impact assessments, mandates data breach notification, creates the ANPD (National Data Protection Authority), and imposes significant penalties up to 2% of Brazilian revenue capped at 50 million reais. Key concepts include data controllers and processors, sensitive personal data, international transfers, and accountability. Organizations operating in Brazil or processing Brazilian personal data must comply with LGPD requirements, appoint data protection officers when required, implement appropriate security, and register with ANPD.