🇧🇷 Brazil
Information
Extracts :
Extract :
"Article 3 sets out that the LGPD will apply if the personal data being processed belongs to a person who was in Brazil at the time of its collection."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The LGPD does not explicitly state whether it applies to natural persons, irrespective of their nationality or place of residence."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The LGPD only explicitly protects the personal data of natural persons. Therefore, legal persons' data is also not covered."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"However, the LGPD applies to data processing operations carried out in Brazil. The LGPD applies, irrespective of the location of an entity's headquarters, or the location of the data being processed, if the data being processed belongs to individuals located in Brazil or if the personal data being processed was collected in Brazil."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
No mention of the data controller's obligation/responsibility to Organizations with economic activities within the jurisdiction
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
The LGPD has extraterritorial application, being applicable to any individual or legal entity governed by public or private law irrespective of the means, the country in which its headquarters is located, or the country in which the data is located, provided (Article 4 (IV) of the LGPD):
• the processing operation is carried out in the national territory;
• the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located on the national territory; and
2022
Reference :
Brazil Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"The GDPR provides requirements for specific processing situations including processing for journalistic purposes and academic, artistic, or literary expression."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
"The LGPD defines a controller as the natural or legal person that is in charge of making decisions regarding the processing of personal data. The LGPD defines a processor as the natural person or legal entity, of public or private law, that processes personal data in the name of the controller."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Brazil Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"There are no specific legal bases to process personal data in order to pursue public interests. However, public administration can process personal data when necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments (Article 7(III) of the LGPD)."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The ANPD will develop its own regulation on the criteria to apply and calculate any fines, which must be the object of public consultation."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"The LGPD establishes two types of monetary fines: simple and daily fines, both with the same limit of BRL 50,000,000 (approx. €7,978,300). A daily fine is normally used to enforce a previous decision."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"Depending on the violation, a simple fine of up to 2% of a private legal person's, group, or conglomerate revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of BRL 50,000,000 per infraction may be issued."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"According to the Brazilian Criminal Code, it is a criminal offense to invade third parties' information devices, whether or not such devices are connected to the internet, by means that aim to obtain, alter or destroy data or information without the express or implied authorization from the device owner or to install vulnerabilities to obtain illicit advantages. The crime is punishable by detention of three months to one year, plus a fine. This penalty also applies to anyone who makes, offers, distributes, sells or discloses a computer device or software aimed at enabling the conduct described above. Also, in the event that the invasion results in obtaining content from private electronic communications, industrial or trade secrets, confidential information or the unauthorized remote control of the device, the penalty is increased to imprisonment for six months to two years, plus a penalty. This latter penalty is also increased in the event that the data or information obtained is disclosed, traded or transmitted to third parties."
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2020
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The LGPD provides individuals with a cause of action to seek civil damages (pecuniary or moral) for violation of privacy laws before the courts."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"Both the GDPR and the LGPD establish the requirement for a Data Protection Impact Assessment ('DPIA') to be performed in order to assess the risk of data processing activities to the rights and liberties of data subjects in specific circumstances."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"The LGPD does not explicitly state that pseudonymised data should be regarded as personal data, however, it could be interpreted as such, since the definition given indicates the possibility of reidentification."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"Under the LGPD, controllers must communicate to the ANPD and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"There are no legal requirements for processors to notify a personal data breach. The notification obligation lies with the controller."
2024
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The LGPD outlines that a data subject can request the blocking of unnecessary or excessive data or data processed in non-compliance with the provisions of the LGPD (Article 18(IV) of the LGPD).
Under the LGPD, the right to restriction is referred to as 'blocking', which the LGPD defines as the temporary suspension of any processing operation, by means of retention of the personal data or the database (Article 5(XIII) of the LGPD).
Also, data subjects have the right to request the removal of their personal data which is processed under the legal base of consent, with an exception applied to data stored for:
• compliance with legal or regulatory obligation by the controller;
• studies by a research body ensuring, whenever possible, the anonymization of personal data; and
• transfer to third parties, provided that in compliance with the data processing requirements set forth in the LGPD"
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"A data subject has the right to the portability of their data, by the means of an express request, pursuant with the regulations of the national authority, and subject to commercial and industrial secrets (Article 18(V) of the LGPD)."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.7. Right not to be subject to automated decision-making
The data subject has the right to request for the review of decisions made solely based on automated processing of personal data affecting their interests, including decisions intended to define her/his personal, professional, consumer, and credit profile, or aspects of her/his personality (Article 20 of the LGPD)."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.1. Right to be informed
The LGPD specifies that data subjects have the right of access to information concerning the data processing of their personal data (Article 9 of the LGPD). The LGPD does not explicitly refer to a difference in requirements for the right to be informed when personal data is obtained directly from the data subject or third party."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.2. Right to access
The LGPD provides that data subjects have the right to obtain, at any time and by means of request, information regarding the data subject's personal data that is being processed (Article 18 of the LGPD)."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.3. Right to rectification
The LGPD provides that data subjects have the right to the correction of incomplete, inaccurate, or out-of-date data, at any time and by means of request (Article 18(III) of the LGPD)."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.4. Right to erasure
This right is to be exercised upon the request and consent of the data subject (Article 18(VI) of the LGPD)."
2021
Reference :
Brazil Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
"The LGPD does not establish a prior consultation process regarding DPIAs."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"The GDPR and the LGPD provide for the appointment of a data protection officer ('DPO')."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"As a best practice, it is considered important that the DPO has freedom in carrying out their assignments. With regard to their professional qualifications, these must be defined by a value judgment made by the controller that indicates it, considering knowledge of data protection and information security at a level that meets the needs of the organisation's operation (Topic 6 (6.1)(72) of the Guidance).
Therefore, while the LGPD does not prevent the same DPO from acting on behalf of different organisations, it is important that they are able to carry out their duties efficiently. Thus, before appointing a DPO, the controller must consider whether they will even be able to meet their demands and those of other organisations at the same time. Responsibility for the activities of processing personal data remains the responsibility of the controller or operator of data, as established in Article 42 of the LGPD (Topic 6 (6.1)(74) of the Guidance).
The DPO must also have adequate resources to carry out their activities, which may include Human Resources. Other features that should be considered are time (deadlines appropriate), finance and infrastructure (Topic 6 (6.1)(73) of the Guidance)."
2022
Reference :
Brazil Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"The LGPD defines the DPO's activities, which include: (i) accepting complaints and communications from data subjects, providing explanations and adopting measures; (ii) receiving communications from the supervisory authority, advising the entity's employees and contractors regarding data protection practices, and carrying out other duties as determined by the controller; (iii) orienting the entity's employees and contractors regarding practices to be taken in relation to personal data protection; and (iv) carrying out other duties as determined by the controller or set forth in complementary rules."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"The LGPD does not explicitly mention whether a group of entities may appoint a single DPO."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"The identity and contact information of the DPO must be publicly and clearly displayed, preferably on the controller's website."
Reference :
ICLG Website
Link to reference Extracts :
Extract :
There is no comment by DataGuidance.
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA
Extracts :
Extract :
"Under the LGPD, all organisations regardless of their size, number of employees or type of data, need to comply with the record processing obligation. Nonetheless, exemptions can be established by the supervisory authority."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - BRA

| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Autoridade Nacional de Proteção de Dados (ANPD) | ANPD | Regulator | Govt authority/ministry | 2019 |
| National Telecommunications Agency (Anatel) | | Regulator | Independent agency | 1997 |
| Brazilian Administrative Council for Economic Defense (CADE) | | Regulator | Independent agency | 1962 |
| Ministry of Economy | | Regulator | Ministry | 2019 |
| Ministry of Science, Technology, Innovations and Communications (MCTIC) | | Regulator | Ministry | 1985 |

| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| Personal Data Protection Law (LGPD) | | General privacy/data protection law | 2018 | Active | 2021 | Data transfer? (2023), cookies | | |