
Brazil's LGPD: A Practical Guide for Foreign Companies

Brazil's General Data Protection Law (Lei Geral de Proteção de Dados, or LGPD) applies to any company that processes data belonging to individuals located in Brazil, regardless of where that company is based. If you operate in Brazil or serve Brazilian customers, you are subject to it.

Quick Read

Extraterritorial reach: The LGPD applies to any company, wherever located, that processes data of individuals in Brazil or offers goods or services to Brazil.

Similar to GDPR but different: The LGPD shares the same framework as the EU's GDPR but differs in important ways on scope, legal bases, enforcement and international transfers.

Enforcement is active: Brazil's data protection authority, the ANPD, has issued its first sanctions and enforcement activity is increasing. Fines can reach 2% of Brazilian revenues up to R$50 million per violation.

International transfers are regulated: Sending personal data from Brazil to other countries requires a valid legal mechanism under ANPD Resolution 19/2024.

Brazil's LGPD is modelled on the GDPR, but companies familiar with European data protection cannot assume the rules are the same.

Brazil's General Data Protection Law (Lei Geral de Proteção de Dados, LGPD) came into force on 18 September 2020, with penalty provisions effective from 1 August 2021. It was the country's first comprehensive data protection framework. Before it, Brazil had only sector-specific rules covering health, banking and a few other areas.

The LGPD was explicitly inspired by the EU's GDPR and shares the same conceptual architecture: controllers, processors, data subjects, legal bases for processing, data subject rights and a supervisory authority. Companies with GDPR compliance programs will find much that is familiar.

However, the LGPD differs from the GDPR in several important respects, particularly on scope of extraterritorial application, the number and structure of legal bases for processing, international data transfer mechanisms and the enforcement powers of Brazil's National Data Protection Authority (ANPD).

For foreign companies operating in Brazil or processing data of Brazilian individuals, a careful gap analysis between existing GDPR compliance and the specific requirements of the LGPD is essential. This guide covers the key points. For the full technical detail, see our articles at LawsofBrazil.

Does the LGPD apply to foreign companies?

The LGPD applies to your company, regardless of where it is based or where the data is stored, if any of the following conditions is met:

  • Data processing is carried out in Brazil
  • The purpose of processing is to offer goods or services to Brazil
  • The data belongs to individuals located in Brazil
  • The data was collected in Brazil

Exceptions: when the LGPD does not apply

The LGPD does not apply to data processing carried out:

  • By individuals for personal, non-business purposes
  • Solely for journalistic, artistic or academic purposes
  • For public security, national defence or criminal investigations by government entities
  • Where the data originates outside Brazil, is not communicated to or shared with processing agents in Brazil, and the country of origin provides a level of protection adequate to that of the LGPD

Key roles under the LGPD

The LGPD distinguishes between:

Controller: decides how and why personal data is processed

Operator: processes data on behalf of the controller (equivalent to a GDPR processor)

Data subject (titular, sometimes translated as "owner"): the individual to whom the data relates

ANPD: the national supervisory authority responsible for enforcement

Sensitive personal data

The LGPD identifies a category of sensitive personal data that is subject to stricter rules. This includes data on racial or ethnic origin, religious or political opinion, union membership, health or sexual life, genetic data and biometric data. Processing of sensitive data requires a specific legal basis and is subject to heightened compliance obligations.

When can personal data be processed?

The LGPD provides 10 legal bases for the processing of personal data (compared to 6 under the GDPR). Each processing activity must be justified by one of these bases. Consent is just one option, and not always the most appropriate one.

Consent

Free, informed and unequivocal consent from the data subject for a specific purpose. Sharing data with third parties requires separate, specific consent.

Legal obligation

Processing necessary to comply with a legal or regulatory obligation of the controller.

Public policy

Processing by public bodies for the execution of public policies set out in law or regulations.

Research

Studies carried out by research bodies, using anonymised data wherever possible. Note that journalistic and artistic activities are not a legal basis under the LGPD; they appear instead among the grounds on which the law does not apply at all (see the exceptions above).

Contract performance

Processing necessary for the performance of a contract to which the data subject is a party, or for pre-contractual steps at the data subject's request.

Exercise of rights

Processing necessary for the exercise of rights in judicial, administrative or arbitration proceedings.

Vital interests

Processing necessary to protect the life or physical safety of the data subject or a third party.

Health

Processing carried out by health professionals or health entities, subject to professional secrecy obligations.

Legitimate interests

Processing based on the legitimate interests of the controller or a third party, provided these do not override the data subject's fundamental rights. This basis requires a documented balancing test.

Credit protection

Processing necessary for credit protection, including in the context of credit bureaus and reference agencies.

Note on ranking: The LGPD does not rank these legal bases or suggest that one is preferable to another. In practice, however, the ANPD has signalled that reliance on consent should be avoided where another basis is available and more appropriate, consistent with GDPR guidance.

Rights of individuals under the LGPD

Confirmation & access

The right to confirm whether data is being processed and to access the data held.

Correction

The right to correct incomplete, inaccurate or outdated data.

Anonymisation or deletion

The right to have unnecessary, excessive or non-compliant data anonymised, blocked or deleted.

Portability

The right to receive personal data in a structured, machine-readable format and transfer it to another service provider.

Deletion of consent-based data

The right to request deletion of data processed on the basis of consent, subject to legal exceptions.

Information on sharing

The right to be informed of which public and private entities the controller has shared data with.

Refusal of consent

The right to be informed of the consequences of refusing to provide consent.

Withdrawal of consent

The right to withdraw consent at any time, without prejudice to the lawfulness of processing carried out before the withdrawal.

Objection

The right to object to processing carried out on a legal basis other than consent, where there is non-compliance with the LGPD.

LGPD vs GDPR: key differences for companies already GDPR-compliant

Companies with existing GDPR compliance programs should not assume full LGPD compliance. The table below highlights the most important differences to address. For the full comparative analysis by Vanessa Borges and Fabiano Deffenti, see our article at LawsofBrazil.

Extraterritorial scope
  LGPD (Brazil): Applies where processing takes place in Brazil, where the purpose is to offer goods or services to individuals in Brazil or to process their data, or where the data was collected in Brazil. It does not extend to all processing of Brazilian citizens abroad.
  GDPR (EU): Broader: covers any processing by an EU-established controller or processor wherever the processing takes place, plus non-EU companies that offer goods or services to, or monitor the behaviour of, individuals in the EU.

Legal bases
  LGPD (Brazil): 10 legal bases for processing personal data
  GDPR (EU): 6 legal bases for processing personal data

International transfers
  LGPD (Brazil): Regulated by ANPD Resolution 19/2024; mechanisms include adequacy decisions, standard contractual clauses and binding corporate rules
  GDPR (EU): Chapter V of the GDPR; broader range of mechanisms, including codes of conduct and certification

Supervisory authority
  LGPD (Brazil): ANPD, a relatively new authority; enforcement is increasing but still developing
  GDPR (EU): Each EU member state has its own DPA; enforcement varies significantly by country

Binding corporate rules (BCRs)
  LGPD (Brazil): Recognised, but a less mature framework than the GDPR system
  GDPR (EU): Well-established BCR approval process across EU DPAs

Data Protection Officer
  LGPD (Brazil): Equivalent role is the "DPO" (encarregado), required of controllers generally; the ANPD's Resolution 2/2022 exempts only small-scale processing agents, which must still offer a contact channel
  GDPR (EU): DPO required only in specific circumstances (public authorities, large-scale regular and systematic monitoring, or large-scale processing of special-category data)

Maximum penalty
  LGPD (Brazil): 2% of revenues in Brazil in the prior financial year, capped at R$50 million per violation
  GDPR (EU): 4% of global annual turnover or €20 million, whichever is higher

What the ANPD can do

Maximum fine per violation (R$50 million)

The LGPD sets a maximum fine of 2% of the company's revenue in Brazil in its last financial year, up to R$50 million per violation. The ANPD issued its first public sanction in October 2023 (a R$14,400 fine) and enforcement activity has been increasing since.

Daily fines for ongoing violations

In addition to per-violation fines, the ANPD can impose daily fines for ongoing non-compliance, up to the same R$50 million cap. This makes prolonged non-compliance significantly more expensive than a one-off violation.

Public disclosure of violations

The ANPD can publicly disclose the infringement after a decision is issued. This reputational sanction can be particularly damaging for companies operating in consumer-facing industries or regulated sectors.

Blocking or deletion of personal data

The ANPD can order the partial or complete blocking of databases and the deletion of personal data, a potentially severe operational sanction for companies whose services depend on data processing. The LGPD also allows the ANPD to suspend the operation of a database or the processing activity itself for up to six months, and to prohibit processing activities partially or entirely.

LGPD: Common questions from foreign companies

Does the LGPD apply to foreign SaaS companies?

Yes. If your SaaS platform is used by individuals located in Brazil, or if you offer services to the Brazilian market, the LGPD applies to your processing of their personal data, regardless of where your servers are located or where your company is incorporated.

Do foreign companies need a Brazilian DPO (Encarregado)?

The LGPD requires controllers to appoint a DPO (encarregado pelo tratamento de dados pessoais). Unlike the GDPR, this requirement is not limited to large-scale processing or sensitive data; it applies broadly. The only relief is for small-scale processing agents, which ANPD Resolution 2/2022 exempts from the appointment provided they maintain a contact channel for data subjects and the ANPD. The DPO does not need to be based in Brazil, but must be publicly identifiable and contactable by data subjects and the ANPD.

When can personal data be transferred out of Brazil?

International transfers are permitted if the destination country provides an adequate level of protection, or if a valid transfer mechanism is in place, such as standard contractual clauses or binding corporate rules, as regulated by ANPD Resolution 19/2024. Transfers without a valid mechanism expose the controller to enforcement risk.

What are the main LGPD penalties?

The ANPD can impose fines of up to 2% of the company's Brazilian revenues (prior year), capped at R$50 million per violation. It can also impose daily fines for ongoing non-compliance, publicly disclose violations and order the blocking or deletion of personal data. Enforcement has been increasing since the ANPD's first sanction in October 2023.

What documents should a foreign company update first to comply with the LGPD?

The priority documents are: a data processing inventory (mapping what data you hold, where and why); a privacy notice for Brazilian users; data processing agreements with operators (vendors); a DPO appointment; and an international data transfer mechanism if personal data is sent outside Brazil. If you already have GDPR documentation, a gap analysis against the LGPD is the most efficient starting point.

Is the LGPD the same as Brazil's GDPR?

The LGPD is often described as Brazil's GDPR equivalent, and it shares the same conceptual framework. However, there are important differences, particularly the 10 legal bases for processing (vs 6 in the GDPR), the broader DPO requirement, a narrower extraterritorial scope and different international transfer rules. GDPR compliance does not automatically mean LGPD compliance.

Last updated: March 2026. This page reflects the LGPD as in force under Law 13,709/2018 and ANPD regulations including Resolution 19/2024.

Vanessa Borges, Associate

Data privacy expertise: acting for multinationals with international data transfers

Vanessa Borges is an associate at D&Q Lawyers with a focus on data privacy, corporate law and international matters. Before joining the firm, Vanessa worked for the world's largest search engine company, representing and advising clients on data security, privacy, civil liability on the internet and deceptive practices on social media platforms, giving her direct, practical experience of how data protection issues arise in real-world digital operations.

Vanessa holds an LLM from Penn State Law (Pennsylvania, USA) and a law degree from Mackenzie University in São Paulo. She is co-author, with Fabiano Deffenti, of our article on Brazil's international data transfer regulations compared with the GDPR, published on LawsofBrazil.

D&Q Lawyers assists companies with LGPD compliance programs, data protection impact assessments, privacy policies, DPO services, international data transfer agreements and regulatory matters before the ANPD.


Need LGPD compliance support?

We assist foreign and domestic companies with all aspects of LGPD compliance, from gap analyses and policy drafting to DPO services and ANPD matters. Initial enquiries are always welcome.

This page is a summary only and does not constitute legal advice. For the full technical background, visit LawsofBrazil.

Rua Quintana, 887/32 - São Paulo SP 04569-011, Brazil
+55 11 5505 2485
1 Eagle Street - Brisbane QLD 4000, Australia
+61 7 3040-9301