	Global Data Privacy Guide
	Brazil
	(Latin America) Firm Demarest Advogados Contributors Tatiana Campello Updated 10 Aug 2025
1. What is the key legislation?	The Brazilian General Personal Data Protection Law ("Law No. 13,709/2018"), published on August 15, 2018 (“LGPD”), came into force on September 18, 2020. Its administrative sanctions provisions have been in force since August 01, 2021. It is worth mentioning that, in addition to the provisions in the LGPD, general principles and provisions on data protection and privacy are also provided for in the Federal Constitution, the Brazilian Civil Code and other laws and regulations that address specific types of relationships, such as Law No. 12,965/14 and its Regulation on Decree No. 8,771/2016 (collectively referred to as the "Brazilian Internet Act"), the Consumer Protection Code and labor laws. The LGPD regulates the processing of personal data, including in digital media, by an individual or legal entity, seeking to protect the fundamental rights of freedom and privacy and the free development of an individual’s personality. It applies to the processing of personal data in the following situations: (i) any processing that takes place in Brazil; (ii) when products or services are offered in Brazil or when processing involves individuals located in Brazil; and (iii) when the data is collected in Brazil. The LGPD determines some applicability exceptions. For the purpose of the LGPD, “processing” means any operation of collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, disposal, evaluation, or control of information, modification, communication, transfer, diffusion, or extraction of personal data.
2. What are the key decisions applying that legislation?	Practical cases of sanctions and warnings issued by the Brazilian Data Protection Authority (“ANPD”) Small Business Fined BRL 14,400 (July 2023)¹ What happened? Shared WhatsApp contact lists of voters for the 2020 municipal election in Ubatuba/SP without la legal basis. Failed to appoint a Data Protection Officer (“DPO”), despite high-risk processing. Did not cooperate with the ANPD during the investigation. Sanctions: Warning for not appointing a DPO. Two simple fines of BRL 7,200 each (2% of estimated revenue), totaling BRL 14,400 (approximately USD 2,550.00). Why it matters: This was ANPD’s first sanction decision, notable for its symbolic fine and strict stance on small businesses. Public Authority Sanctioned for Sensitive Data Breach (October 2023)² What happened? A public body failed to ensure the security of systems processing personal data. A data breach affected approximately 300,000 data subjects, and the department did not clearly, adequately, or promptly notify them. The public body also failed to submit a Data Protection Impact Assessment ("DPIA") and did not ANPD’s response: Issued four warnings, one for each confirmed violation. Ordered corrective measures, including: Publishing a general security incident notice on its website for 90 days. Notifying directly all identified data subjects affected by the breach. Why it matters: Demonstrates ANPD’s strict enforcement, even in the public sector, especially regarding sensitive data. Large Companies Notified³ What happened? Between 2024 and 2025, at least 20 large companies were officially notified by the ANPD. Reasons for notification: Failure to formally appoint a DPO. Lack of clear and accessible communication channels for data subjects. Why it matters: Although these are not fines, the notifications serve as official warnings. They may escalate into sanctions if the companies fail to comply. [1] https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-aplica-a-primeira-multa-por-descumprimento-a-lgpd [2] https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-sanciona-mais-um-orgao-publico [3] https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-fiscaliza-20-empresas-por-falta-de-encarregado-e-canal-de-comunicacao
1. How are “personal data” and “sensitive data” defined?	Personal data: information regarding an identified or identifiable natural person (Article 5, I of the LGPD) Sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to an individual (Article 5, II of the LGPD)
2. How is the defined data protected?	Personal data may only be processed if supported by one of the legal bases provided under the LGPD. In addition, processing agents shall adopt security, technical, and administrative measures able to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing.
3. Who is subject to privacy obligations?	The LGPD provides for the processing of personal data, including digitally, by an individual or a legal entity of either public or private law.
4. How is “data processing” defined?	Processing: any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction (Article 5, X of the LGPD).
5. What are the principles applicable to personal data processing?	The activities of processing of personal data must be carried out in good faith and subject to the following principles: (i) purpose; (ii) adequacy; (iii) necessity: (iv) free access; (v) data quality; (vi) transparency; (vii) security; (viii) prevention; (ix) nondiscrimination; and (x) accountability.
6. How is the processing of personal data regulated?	For the purposes of the LGPD, all personal data may only be processed if based on one of the legal hypotheses provided for in article 7⁴ (in the case of common personal data) or article 11 (in the case of sensitive personal data). [4] Article 7 - The processing of personal data may only be carried out in the following cases: upon the provision of consent by the data subject; or the fulfillment of a legal or regulatory obligation by the controller; by the public administration, for the processing and shared use of data necessary for the execution of public policy; for the performance of studies by a research body, ensuring, whenever possible, the anonymization of personal data; when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject; for the regular exercise of rights in judicial, administrative or arbitration proceedings; for the protection of the life or physical safety of the data subject or of a third party; for the protection of health, exclusively, in a procedure performed by health professionals, health services or sanitary authority; when necessary to meet the legitimate interests of the controller or a third party, except in the case of prevailing fundamental rights and freedoms of the data subject that require the protection of personal data; or for the protection of credit, including the provisions of the relevant legislation. Article 11. The processing of sensitive personal data may only occur in the following cases: when the data subject or his/her legal representative consents, in a specific and prominent manner, for specific purposes; without providing the consent of the data subject, in the cases in which it is indispensable for: compliance with a legal or regulatory obligation by the controller shared processing of data necessary for the execution, by the public administration, of public policy; conducting studies by a research body, ensuring, whenever possible, the anonymization of sensitive personal data; regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings; protection of the life or physical safety of the data subject or of a third party; health protection, exclusively, in a procedure performed by health professionals, health services or health authority; or guarantee of fraud prevention and security of the data subject, in the processes of identification and authentication of registration in electronic systems, safeguarding the data subject’s rights and except in the case of prevailing fundamental rights and freedoms of the data subject that require the protection of personal data.
7. How are storage, security and retention of personal data regulated?	The LGPD determines that any personal data must be eliminated when the processing of personal data ends, within the scope and technical limits of the activities. However, data retention is authorized for the following purposes: compliance with the legal or regulatory obligation by the controller; study by a research body, guaranteeing, whenever possible, the anonymization of personal data; transfer to a third party, provided that the data processing requirements provided by the LGPD are respected; exclusive use of the controller, provided that access by a third party is forbidden and the data is anonymized. Moreover, the controllers must: adopt security, technical, and administrative measures capable of protecting personal data from accidental or illegal situations of destruction, loss, alteration, communication, or any form of inappropriate or illegal processing of personal data; communicate to the ANPD and to the data subject, within three business days, the occurrence of any security incident which could lead to significant risk or damage to the data subjects; adopt any measures determined by the ANPD to reverse or mitigate the effects of the incident.
8. What are the data subjects' rights under the data legislation?	(i) request confirmation of the data processing; (ii) request access to personal data held by the controller; (iii) request the rectification of incomplete, inaccurate or outdated personal data; (iv) request the anonymization, blocking or erasure of data considered unnecessary, excessive or non-compliant with data protection regulation; (v) request the portability of personal data; (vi) request the deletion of personal data processed upon the data subject’s consent, except in cases of legal exceptions; (vii) request information about public and private entities with which the controller has shared data; (viii) request information concerning the consequences of denying consent; (ix) withdraw consent; (x) lodge a complaint with the ANPD; (xi) request the review of decisions made solely based on automated processing.
9. What are the consent requirements for data subjects?	Under the LGPD, consent (free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose) must: be written (in a prominent way among the other clauses) or by another means that demonstrates the manifestation of the will of the data subject, in a free, informed and unequivocal way; specify the purpose of the processing of personal data (or any change of purpose); and contain information, in a prominent way, if the processing of personal data is a condition for the provision of a product/service or exercise of any right by the data subject. It is also important to note that: consent should relate to specific purposes and, therefore, generic authorization for the processing of personal data will not be valid; consent may be revoked at any time by means of an express statement by the data subject, through a free and facilitated procedure offered by the controller; the data subject may request deletion of personal data processed with his/her consent, except in the situations provided in the LGPD; in cases where the processing of personal data is based on consent, it will be null and void if the information provided to the data subject is misleading or abusive or has not previously been presented transparently, clearly, and unequivocally; and when the data subject has provided their specific and prominent consent for the transfer, with prior information on the international character of the transaction, clearly distinguishing it from other purposes.
10. How is authorization for use of data handled?	The use of personal data will be authorized as long as it is based on one of the legal bases provided under the LGPD.
11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?	International transfer of personal data is only allowed in the following cases: to countries or international organizations that provide a level of protection of personal data equivalent to the provisions of the LGPD; when the controller offers and proves guarantees of compliance with the principles and the rights of the data subject and the regime of data protection provided in the LGPD in the form of: (a) specific contractual clauses for a given transfer; (b) standard contractual clauses; (c) binding corporate rules; (d) regularly issued stamps, certificates and codes of conduct; when the transfer is necessary for international legal cooperation between public intelligence, investigative, and prosecutorial agencies, in accordance with the instruments of international law; when the transfer is necessary to protect the life or physical safety of the data subject or a third party; when the ANPD authorizes the transfer; when the transfer results in a commitment undertaken through international cooperation; when the transfer is necessary for the execution of a public policy or legal attribution of public service; when the data subject has given their specific and prominent consent for the transfer, with prior information on the international nature of the operation, clearly distinct from other purposes; or when it is necessary: (a) for compliance with a legal or regulatory obligation by the controller; (b) for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject; and (c) for the regular exercise of rights in judicial, administrative or arbitration procedures.
12. How are data "incidents" and "breaches" defined?	Security incidents can be understood as unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication or any illegal or improper processing of personal data.
13. Are there any notification requirements for incidents and/or data breaches?	The controller must report to the ANPD and the data subject the occurrence of any security incident that may lead to significant risk or damage to the data subjects, considering the nature, category and volume of the personal data affected, as well as the potential impacts on the rights and interests of the data subjects. A security incident may lead to significant risk or damage to data subjects when there is potential to affect the interests and fundamental rights of data subjects significantly and, cumulatively, when it involves at least one of the following criteria: sensitive personal data; data on children, adolescents, or elderly people; financial data; system authentication data; data protected by legal, judicial, or professional secrecy; or large-scale data. A security incident that may significantly affect interests and fundamental rights will be defined, among other situations, as those in which the processing activity can impede the exercise of rights or the use of a service, as well as cause material or moral damage to data subjects, such as discrimination, violation of physical integrity, of the right to image and reputation, financial fraud or identity theft. The data controller must report a security incident to the ANPD within three working days from the date when the controller became aware that the incident affected personal data, except if a different deadline is provided for in specific legislation. Data subjects must also be informed within three working days. This information may be supplemented with reasoning, within 20 working days, counting from the date of preliminary communication. Security incident reporting must be carried out through an electronic form made available by the ANPD and must contain, at least: a description of the nature and category of personal data affected; the number of affected data subjects, informing, where applicable, the number of children, teenagers, or elderly people; the technical and security measures employed to protect personal data, adopted before and after the incident, in compliance with commercial and industrial secrets; risks related to the incident with identification of possible impacts on data subjects; reasoning for any delay, if the incident was not reported within three working days; the measures that have been or will be adopted to reverse or mitigate the effects of the incident on the data subjects; the date of occurrence of the incident, if it can be ascertained, and the date that the controller became aware of it; the information/details of the data protection officer or whoever represents the controller; identification of the controller and, if applicable, declaration that it is a small processing agent; the identification of the processor, when applicable; description of the incident, including the main cause, if it can be determined; and the total number of data subjects processed in the processing activities affected by the incident. The controller must maintain a record of the security incident, including those not communicated to the ANPD and the data subjects, for at least five years, counting from the date of registration, unless additional obligations that require a longer maintenance period are identified.
14. Who is/are the privacy regulator(s)?	The Brazilian Data Protection Authority (“ANPD”).
15. What are the consequences of a data breach?	A data breach may result in administrative sanctions for the processing agent, if a violation is confirmed following due process, as well as civil liability toward third parties and data subjects, reputational damage, and the obligation to notify the ANPD and the affected data subjects. This does not prevent other legal or administrative consequences.
16. How is electronic marketing regulated?	In Brazil, electronic marketing is regulated through a combination of legal frameworks that prioritize consumer protection and data privacy. Central to this regulation is the Brazilian Internet Act, which serves as the foundational law governing internet use in the country. It establishes principles such as net neutrality, freedom of expression, and the protection of personal data online. Under this law, companies must ensure transparency in data collection and usage in the online environment and respect their privacy rights. The LGPD, which establishes rules for processing personal data, is also relevant legislation for electronic marketing purposes. Electronic marketing should also observe sector-specific and self-regulatory standards, such as the Brazilian Advertising Self-Regulation Code (“CONAR”). Decree No. 7,962/2013 regulates the Consumer Defense Code concerning e-commerce transactions, but it does not govern e-marketing practices, such as spam emails, and Brazil does not have specific legislation in force governing anti-spam emails.
17. Are there sector-specific or industry-specific privacy requirements?	The LGPD establishes general rules for processing personal data. Still, several industries are subject to supplementary regulations that impose additional requirements depending on the nature of the activity, the type of data processed, and associated risks. Some examples include: the insurance and reinsurance sector, the banking sector, and the healthcare sector.
18. What are the requirements for appointing Data Protection Officers or similar roles?	The DPO must be formalized by a written instrument, dated and signed by the processing agent, specifying the duties and activities to be carried out. A Substitute DPO must also be appointed through a written instrument. The appointment document must be submitted to the ANPD upon request. Small Processing Agents exempt from appointing a DPO must provide a communication channel with the data subject. The appointment of a DPO by processors is optional and will be considered a policy of good governance practices The identity disclosure of the DPO and the Substitute DPO on the official website of the processing agent must include: (i) the full name (if an individual) or business name linked to the full name of the individual responsible (if a legal entity); and (ii) contact information to enable effective communication with data subjects and the ANPD. The DPO can be an individual (internally or externally contracted) or a legal entity. The DPO must be able to communicate clearly and precisely in Portuguese with data subjects and the ANPD. The DPO is not required to be registered with a specific organization or to have professional certification. The performance of the DPO’s activities will not make the DPO liable before the ANPD for compliance with the processing of personal data carried out by the controller.
19. What are the record-keeping and documentation obligations?	The controller and the processor must keep records of personal data processing operations carried out by them (“RoPA”), especially when based on legitimate interest. In some situations, the controller must prepare a data protection impact assessment (“DPIA”).
20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?	The DPIA is the documentation prepared by the controller that contains a description of the personal data processing that could pose risks to civil liberties and fundamental rights, as well as measures, safeguards and mechanisms to mitigate said risk. The ANPD may request a DPIA from the controller when processing is based on their legitimate interest. In addition, the ANPD may determine that the controller must prepare a DPIA, which must include personal data, sensitive data, and refer to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy.
21. What are the requirements for third-party vendor management and data sharing?	The processor must carry out the processing according to the instructions provided by the controller, who will verify compliance with their own instructions and the rules applicable to the subject and the situation at hand. The best practice is providing such instructions through an agreement. It is also recommended that an assessment be conducted before executing the agreement to better understand whether this third-party vendor can comply with data protection provisions.
22. What are the penalties and enforcement mechanisms for non-compliance?	Data processing agents that fail to comply with the rules provided in the LGPD are subject to the following administrative sanctions, to be applied by the ANPD: warning simple fine of up to 2% of a private legal entity’s group or conglomerate revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of BRL 50 million, per infraction; daily fine, subject to the total maximum as above; disclosure and publicization of the infraction once it has been duly ascertained and its occurrence has been confirmed; blocking of the personal data to which the infraction refers until its regularization; deletion of the personal data to which the infraction refers; partial suspension of the operation of the database related to the infraction for a maximum period of six months, extendable for the same period, until the normalization of the processing activity by the controller; suspension of the personal data processing activity related to the infraction for a maximum period of six months, extendable for the same period; and partial or total prohibition of activities related to data processing. The sanctions will be applied following an administrative procedure that will provide an opportunity for a full defense, in a gradual, single, or cumulative manner, in accordance with the peculiarities of the particular case. It should be noted that the (a) partial suspension of the operation of the database for six months; (b) suspension of the operation of the database for six months; and (c) partial or total prohibition of activities related to data processing sanctions shall be applied only after at least one (1) of the following sanctions have been imposed, for the same facts: (a) simple fine; (b) daily fine; (c) disclosure and publicization of the infraction; (d) blocking of the personal data to which the infraction refers; and (e) deletion of the personal data to which the infraction refers to and in the case of controllers subject to other agencies and entities with sanctioning powers, after those entities and agencies are heard.
23. What are the ongoing compliance and audit requirements?	Appointing a DPO and keeping the records of processing activities updated.
24. Are there any recent developments or expected reforms?	Strategic Trends and Priority Areas of the ANPD for 2025-2026: Data subject’s rights; Data Protection Impact Assessment (“DPIA”); Sharing of personal data with public authorities; Processing of personal data of children and adolescents; Sensitive, Biometric and Health Data; Technical/administrative security measures and minimum-security standards; Artificial Intelligence; Personal data aggregators; Processing of High-Risk Personal Data; Consent and Protection of Credit legal basis; Anonymization and pseudonymization; and Rules on best practices and governance.

Global Data Privacy Guide

Back XLS

1. What is the key legislation?

The Brazilian General Personal Data Protection Law ("Law No. 13,709/2018"), published on August 15, 2018 (“LGPD”), came into force on September 18, 2020. Its administrative sanctions provisions have been in force since August 01, 2021.

It is worth mentioning that, in addition to the provisions in the LGPD, general principles and provisions on data protection and privacy are also provided for in the Federal Constitution, the Brazilian Civil Code and other laws and regulations that address specific types of relationships, such as Law No. 12,965/14 and its Regulation on Decree No. 8,771/2016 (collectively referred to as the "Brazilian Internet Act"), the Consumer Protection Code and labor laws.

The LGPD regulates the processing of personal data, including in digital media, by an individual or legal entity, seeking to protect the fundamental rights of freedom and privacy and the free development of an individual’s personality. It applies to the processing of personal data in the following situations: (i) any processing that takes place in Brazil; (ii) when products or services are offered in Brazil or when processing involves individuals located in Brazil; and (iii) when the data is collected in Brazil. The LGPD determines some applicability exceptions. For the purpose of the LGPD, “processing” means any operation of collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, disposal, evaluation, or control of information, modification, communication, transfer, diffusion, or extraction of personal data.

2. What are the key decisions applying that legislation?

Practical cases of sanctions and warnings issued by the Brazilian Data Protection Authority (“ANPD”)

Small Business Fined BRL 14,400 (July 2023)¹
- What happened?
  - Shared WhatsApp contact lists of voters for the 2020 municipal election in Ubatuba/SP without la legal basis.
  - Failed to appoint a Data Protection Officer (“DPO”), despite high-risk processing.
  - Did not cooperate with the ANPD during the investigation.
- Sanctions:
  - Warning for not appointing a DPO.
  - Two simple fines of BRL 7,200 each (2% of estimated revenue), totaling BRL 14,400 (approximately USD 2,550.00).
Why it matters:
- This was ANPD’s first sanction decision, notable for its symbolic fine and strict stance on small businesses.
Public Authority Sanctioned for Sensitive Data Breach (October 2023)²
- What happened?
  - A public body failed to ensure the security of systems processing personal data.
  - A data breach affected approximately 300,000 data subjects, and the department did not clearly, adequately, or promptly notify them.
  - The public body also failed to submit a Data Protection Impact Assessment ("DPIA") and did not
- ANPD’s response:
  - Issued four warnings, one for each confirmed violation.
  - Ordered corrective measures, including:
    - Publishing a general security incident notice on its website for 90 days.
    - Notifying directly all identified data subjects affected by the breach.
- Why it matters:
  - Demonstrates ANPD’s strict enforcement, even in the public sector, especially regarding sensitive data.
Large Companies Notified³
- What happened?
  - Between 2024 and 2025, at least 20 large companies were officially notified by the ANPD.
- Reasons for notification:
  - Failure to formally appoint a DPO.
  - Lack of clear and accessible communication channels for data subjects.
- Why it matters:
  - Although these are not fines, the notifications serve as official warnings.
  - They may escalate into sanctions if the companies fail to comply.

[1] https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-aplica-a-primeira-multa-por-descumprimento-a-lgpd

[2] https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-sanciona-mais-um-orgao-publico

[3] https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-fiscaliza-20-empresas-por-falta-de-encarregado-e-canal-de-comunicacao

1. How are “personal data” and “sensitive data” defined?

Personal data: information regarding an identified or identifiable natural person (Article 5, I of the LGPD)

Sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to an individual (Article 5, II of the LGPD)

2. How is the defined data protected?

Personal data may only be processed if supported by one of the legal bases provided under the LGPD. In addition, processing agents shall adopt security, technical, and administrative measures able to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing.

3. Who is subject to privacy obligations?

The LGPD provides for the processing of personal data, including digitally, by an individual or a legal entity of either public or private law.

4. How is “data processing” defined?

Processing: any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction (Article 5, X of the LGPD).

5. What are the principles applicable to personal data processing?

The activities of processing of personal data must be carried out in good faith and subject to the following principles: (i) purpose; (ii) adequacy; (iii) necessity: (iv) free access; (v) data quality; (vi) transparency; (vii) security; (viii) prevention; (ix) nondiscrimination; and (x) accountability.

6. How is the processing of personal data regulated?

For the purposes of the LGPD, all personal data may only be processed if based on one of the legal hypotheses provided for in article 7⁴ (in the case of common personal data) or article 11 (in the case of sensitive personal data).

[4] Article 7 - The processing of personal data may only be carried out in the following cases:

upon the provision of consent by the data subject;
or the fulfillment of a legal or regulatory obligation by the controller;
by the public administration, for the processing and shared use of data necessary for the execution of public policy;
for the performance of studies by a research body, ensuring, whenever possible, the anonymization of personal data;
when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;
for the regular exercise of rights in judicial, administrative or arbitration proceedings;
for the protection of the life or physical safety of the data subject or of a third party;
for the protection of health, exclusively, in a procedure performed by health professionals, health services or sanitary authority;
when necessary to meet the legitimate interests of the controller or a third party, except in the case of prevailing fundamental rights and freedoms of the data subject that require the protection of personal data; or
for the protection of credit, including the provisions of the relevant legislation.

Article 11. The processing of sensitive personal data may only occur in the following cases:

when the data subject or his/her legal representative consents, in a specific and prominent manner, for specific purposes;
without providing the consent of the data subject, in the cases in which it is indispensable for:
1. compliance with a legal or regulatory obligation by the controller
2. shared processing of data necessary for the execution, by the public administration, of public policy;
3. conducting studies by a research body, ensuring, whenever possible, the anonymization of sensitive personal data;
4. regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings;
5. protection of the life or physical safety of the data subject or of a third party;
6. health protection, exclusively, in a procedure performed by health professionals, health services or health authority; or
7. guarantee of fraud prevention and security of the data subject, in the processes of identification and authentication of registration in electronic systems, safeguarding the data subject’s rights and except in the case of prevailing fundamental rights and freedoms of the data subject that require the protection of personal data.

7. How are storage, security and retention of personal data regulated?

The LGPD determines that any personal data must be eliminated when the processing of personal data ends, within the scope and technical limits of the activities.

However, data retention is authorized for the following purposes:

compliance with the legal or regulatory obligation by the controller;
study by a research body, guaranteeing, whenever possible, the anonymization of personal data;
transfer to a third party, provided that the data processing requirements provided by the LGPD are respected;
exclusive use of the controller, provided that access by a third party is forbidden and the data is anonymized.

Moreover, the controllers must:

adopt security, technical, and administrative measures capable of protecting personal data from accidental or illegal situations of destruction, loss, alteration, communication, or any form of inappropriate or illegal processing of personal data;
communicate to the ANPD and to the data subject, within three business days, the occurrence of any security incident which could lead to significant risk or damage to the data subjects;
adopt any measures determined by the ANPD to reverse or mitigate the effects of the incident.

8. What are the data subjects' rights under the data legislation?

(i) request confirmation of the data processing; (ii) request access to personal data held by the controller; (iii) request the rectification of incomplete, inaccurate or outdated personal data; (iv) request the anonymization, blocking or erasure of data considered unnecessary, excessive or non-compliant with data protection regulation; (v) request the portability of personal data; (vi) request the deletion of personal data processed upon the data subject’s consent, except in cases of legal exceptions; (vii) request information about public and private entities with which the controller has shared data; (viii) request information concerning the consequences of denying consent; (ix) withdraw consent; (x) lodge a complaint with the ANPD; (xi) request the review of decisions made solely based on automated processing.

9. What are the consent requirements for data subjects?

Under the LGPD, consent (free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose) must:

be written (in a prominent way among the other clauses) or by another means that demonstrates the manifestation of the will of the data subject, in a free, informed and unequivocal way;
specify the purpose of the processing of personal data (or any change of purpose); and
contain information, in a prominent way, if the processing of personal data is a condition for the provision of a product/service or exercise of any right by the data subject.

It is also important to note that:

consent should relate to specific purposes and, therefore, generic authorization for the processing of personal data will not be valid;
consent may be revoked at any time by means of an express statement by the data subject, through a free and facilitated procedure offered by the controller;
the data subject may request deletion of personal data processed with his/her consent, except in the situations provided in the LGPD;
in cases where the processing of personal data is based on consent, it will be null and void if the information provided to the data subject is misleading or abusive or has not previously been presented transparently, clearly, and unequivocally; and
when the data subject has provided their specific and prominent consent for the transfer, with prior information on the international character of the transaction, clearly distinguishing it from other purposes.

10. How is authorization for use of data handled?

The use of personal data will be authorized as long as it is based on one of the legal bases provided under the LGPD.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

International transfer of personal data is only allowed in the following cases:

to countries or international organizations that provide a level of protection of personal data equivalent to the provisions of the LGPD;
when the controller offers and proves guarantees of compliance with the principles and the rights of the data subject and the regime of data protection provided in the LGPD in the form of: (a) specific contractual clauses for a given transfer; (b) standard contractual clauses; (c) binding corporate rules; (d) regularly issued stamps, certificates and codes of conduct;
when the transfer is necessary for international legal cooperation between public intelligence, investigative, and prosecutorial agencies, in accordance with the instruments of international law;
when the transfer is necessary to protect the life or physical safety of the data subject or a third party;
when the ANPD authorizes the transfer;
when the transfer results in a commitment undertaken through international cooperation;
when the transfer is necessary for the execution of a public policy or legal attribution of public service;
when the data subject has given their specific and prominent consent for the transfer, with prior information on the international nature of the operation, clearly distinct from other purposes; or
when it is necessary: (a) for compliance with a legal or regulatory obligation by the controller; (b) for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject; and (c) for the regular exercise of rights in judicial, administrative or arbitration procedures.

12. How are data "incidents" and "breaches" defined?

Security incidents can be understood as unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication or any illegal or improper processing of personal data.

13. Are there any notification requirements for incidents and/or data breaches?

The controller must report to the ANPD and the data subject the occurrence of any security incident that may lead to significant risk or damage to the data subjects, considering the nature, category and volume of the personal data affected, as well as the potential impacts on the rights and interests of the data subjects.

A security incident may lead to significant risk or damage to data subjects when there is potential to affect the interests and fundamental rights of data subjects significantly and, cumulatively, when it involves at least one of the following criteria:

sensitive personal data;
data on children, adolescents, or elderly people;
financial data;
system authentication data;
data protected by legal, judicial, or professional secrecy; or
large-scale data.

A security incident that may significantly affect interests and fundamental rights will be defined, among other situations, as those in which the processing activity can impede the exercise of rights or the use of a service, as well as cause material or moral damage to data subjects, such as discrimination, violation of physical integrity, of the right to image and reputation, financial fraud or identity theft.

The data controller must report a security incident to the ANPD within three working days from the date when the controller became aware that the incident affected personal data, except if a different deadline is provided for in specific legislation. Data subjects must also be informed within three working days.

This information may be supplemented with reasoning, within 20 working days, counting from the date of preliminary communication.

Security incident reporting must be carried out through an electronic form made available by the ANPD and must contain, at least:

a description of the nature and category of personal data affected;
the number of affected data subjects, informing, where applicable, the number of children, teenagers, or elderly people;
the technical and security measures employed to protect personal data, adopted before and after the incident, in compliance with commercial and industrial secrets;
risks related to the incident with identification of possible impacts on data subjects;
reasoning for any delay, if the incident was not reported within three working days;
the measures that have been or will be adopted to reverse or mitigate the effects of the incident on the data subjects;
the date of occurrence of the incident, if it can be ascertained, and the date that the controller became aware of it;
the information/details of the data protection officer or whoever represents the controller;
identification of the controller and, if applicable, declaration that it is a small processing agent;
the identification of the processor, when applicable;
description of the incident, including the main cause, if it can be determined; and
the total number of data subjects processed in the processing activities affected by the incident.

The controller must maintain a record of the security incident, including those not communicated to the ANPD and the data subjects, for at least five years, counting from the date of registration, unless additional obligations that require a longer maintenance period are identified.

14. Who is/are the privacy regulator(s)?

The Brazilian Data Protection Authority (“ANPD”).

15. What are the consequences of a data breach?

A data breach may result in administrative sanctions for the processing agent, if a violation is confirmed following due process, as well as civil liability toward third parties and data subjects, reputational damage, and the obligation to notify the ANPD and the affected data subjects. This does not prevent other legal or administrative consequences.

16. How is electronic marketing regulated?

In Brazil, electronic marketing is regulated through a combination of legal frameworks that prioritize consumer protection and data privacy. Central to this regulation is the Brazilian Internet Act, which serves as the foundational law governing internet use in the country. It establishes principles such as net neutrality, freedom of expression, and the protection of personal data online. Under this law, companies must ensure transparency in data collection and usage in the online environment and respect their privacy rights.

The LGPD, which establishes rules for processing personal data, is also relevant legislation for electronic marketing purposes.

Electronic marketing should also observe sector-specific and self-regulatory standards, such as the Brazilian Advertising Self-Regulation Code (“CONAR”).

Decree No. 7,962/2013 regulates the Consumer Defense Code concerning e-commerce transactions, but it does not govern e-marketing practices, such as spam emails, and Brazil does not have specific legislation in force governing anti-spam emails.

17. Are there sector-specific or industry-specific privacy requirements?

The LGPD establishes general rules for processing personal data. Still, several industries are subject to supplementary regulations that impose additional requirements depending on the nature of the activity, the type of data processed, and associated risks. Some examples include: the insurance and reinsurance sector, the banking sector, and the healthcare sector.

18. What are the requirements for appointing Data Protection Officers or similar roles?

The DPO must be formalized by a written instrument, dated and signed by the processing agent, specifying the duties and activities to be carried out.
A Substitute DPO must also be appointed through a written instrument.
The appointment document must be submitted to the ANPD upon request.
Small Processing Agents exempt from appointing a DPO must provide a communication channel with the data subject.
The appointment of a DPO by processors is optional and will be considered a policy of good governance practices
The identity disclosure of the DPO and the Substitute DPO on the official website of the processing agent must include: (i) the full name (if an individual) or business name linked to the full name of the individual responsible (if a legal entity); and (ii) contact information to enable effective communication with data subjects and the ANPD.
The DPO can be an individual (internally or externally contracted) or a legal entity.
The DPO must be able to communicate clearly and precisely in Portuguese with data subjects and the ANPD.
The DPO is not required to be registered with a specific organization or to have professional certification.
The performance of the DPO’s activities will not make the DPO liable before the ANPD for compliance with the processing of personal data carried out by the controller.

19. What are the record-keeping and documentation obligations?

The controller and the processor must keep records of personal data processing operations carried out by them (“RoPA”), especially when based on legitimate interest.

In some situations, the controller must prepare a data protection impact assessment (“DPIA”).

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

The DPIA is the documentation prepared by the controller that contains a description of the personal data processing that could pose risks to civil liberties and fundamental rights, as well as measures, safeguards and mechanisms to mitigate said risk.

The ANPD may request a DPIA from the controller when processing is based on their legitimate interest. In addition, the ANPD may determine that the controller must prepare a DPIA, which must include personal data, sensitive data, and refer to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy.

21. What are the requirements for third-party vendor management and data sharing?

The processor must carry out the processing according to the instructions provided by the controller, who will verify compliance with their own instructions and the rules applicable to the subject and the situation at hand.

The best practice is providing such instructions through an agreement.

It is also recommended that an assessment be conducted before executing the agreement to better understand whether this third-party vendor can comply with data protection provisions.

22. What are the penalties and enforcement mechanisms for non-compliance?

Data processing agents that fail to comply with the rules provided in the LGPD are subject to the following administrative sanctions, to be applied by the ANPD:

warning
simple fine of up to 2% of a private legal entity’s group or conglomerate revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of BRL 50 million, per infraction;
daily fine, subject to the total maximum as above;
disclosure and publicization of the infraction once it has been duly ascertained and its occurrence has been confirmed;
blocking of the personal data to which the infraction refers until its regularization;
deletion of the personal data to which the infraction refers;
partial suspension of the operation of the database related to the infraction for a maximum period of six months, extendable for the same period, until the normalization of the processing activity by the controller;
suspension of the personal data processing activity related to the infraction for a maximum period of six months, extendable for the same period; and
partial or total prohibition of activities related to data processing.

The sanctions will be applied following an administrative procedure that will provide an opportunity for a full defense, in a gradual, single, or cumulative manner, in accordance with the peculiarities of the particular case.

It should be noted that the (a) partial suspension of the operation of the database for six months; (b) suspension of the operation of the database for six months; and (c) partial or total prohibition of activities related to data processing sanctions shall be applied only after at least one (1) of the following sanctions have been imposed, for the same facts: (a) simple fine; (b) daily fine; (c) disclosure and publicization of the infraction; (d) blocking of the personal data to which the infraction refers; and (e) deletion of the personal data to which the infraction refers to and in the case of controllers subject to other agencies and entities with sanctioning powers, after those entities and agencies are heard.

23. What are the ongoing compliance and audit requirements?

Appointing a DPO and keeping the records of processing activities updated.

24. Are there any recent developments or expected reforms?

Strategic Trends and Priority Areas of the ANPD for 2025-2026:

Data subject’s rights;
Data Protection Impact Assessment (“DPIA”);
Sharing of personal data with public authorities;
Processing of personal data of children and adolescents;
Sensitive, Biometric and Health Data;
Technical/administrative security measures and minimum-security standards;
Artificial Intelligence;
Personal data aggregators;
Processing of High-Risk Personal Data;
Consent and Protection of Credit legal basis;
Anonymization and pseudonymization; and
Rules on best practices and governance.