LGPD
Lei Geral de Proteção de Dados (Law No. 13.709/2018)
The LGPD is Brazil's comprehensive data protection law. It took effect in September 2020, with administrative sanctions enforceable from August 2021. Modeled closely on the EU GDPR, it establishes legal bases for processing, data subject rights, and accountability obligations. It is enforced by the ANPD, which has since become an independent regulatory agency.
Who it applies to
Any natural person or legal entity, public or private, that processes the personal data of individuals located in Brazil, regardless of where the organization is based, including processing aimed at offering goods or services in Brazil.
Identity requirements
- Establish a valid legal basis for processing, with explicit, specific, and informed consent required for many operations
- Honor data subject rights including access, correction, deletion, portability, and information about data sharing
- Appoint a Data Protection Officer (Encarregado) to act as the contact point with data subjects and the ANPD
- Adopt technical and administrative security measures to protect personal data from unauthorized access and incidents
- Notify the ANPD and affected data subjects of security incidents that may create relevant risk or harm
- Use approved transfer mechanisms (such as ANPD standard contractual clauses or adequacy) for international data transfers
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Consent must be free, informed, and specific, requiring granular consent capture and management in customer identity flows. |
| Identity governance (IGA) | Controllers must control and document who accesses personal data and on what legal basis, supporting access reviews and least privilege. |
| Audit, logging & accountability | Organizations must demonstrate compliance and may need records of processing activities and security controls for the ANPD. |
| Breach notification | Security incidents posing relevant risk must be reported to the ANPD and affected individuals within a reasonable timeframe. |
| Data residency & cross-border transfer | International transfers require an approved mechanism such as adequacy or ANPD standard contractual clauses. |
Penalties
Violations can lead to warnings, daily fines, and administrative fines of up to 2 percent of the company's or corporate group's revenue in Brazil, capped at 50 million reais per infraction.
LGPD: frequently asked questions
- When did the LGPD take effect and when did fines start?
  - The LGPD took effect in September 2020, and the ANPD's authority to impose administrative sanctions began on 1 August 2021.
- Does the LGPD apply to companies based outside Brazil?
  - Yes. It applies extraterritorially to any organization that processes the data of individuals in Brazil or that processes data to offer goods or services in Brazil.
- Who enforces the LGPD?
  - The Autoridade Nacional de Proteção de Dados (ANPD) enforces the LGPD as an independent regulatory agency with technical and decision-making autonomy.