Brazil Data Privacy Regulations
Overview
The LGPD is Brazil's overarching data privacy law, heavily modeled after the EU GDPR. It establishes 10 legal bases for data processing and creates sweeping rights for data subjects in Brazil.
The LGPD applies to processing carried out in Brazil, processing for the purpose of offering goods/services to individuals in Brazil, or processing of data collected in Brazil.
Key Rules & Obligations
Breach Notification
Within a "reasonable time period" (ANPD guidance suggests 2 working days).
Maximum Penalties
Up to 2% of the company’s revenue in Brazil for the prior year, capped at R$50 million per infraction.
Data Transfers
Allowed only to countries with adequate protection, via standard contractual clauses, or specific legal mechanisms.
Individual Rights
- Confirmation of processing
- Access to data
- Correction
- Anonymization/blocking/deletion
- Portability
- Revocation of consent
Enforcement Authority
Autoridade Nacional de Proteção de Dados (ANPD)
Contact: General contact form via Gov.br portal
Notable Breaches in Brazil
| Company | Year | Records Exposed | Regulation Violated |
|---|---|---|---|
| Ministério da Saúde | 2021 | Unknown | LGPD |
| Serasa Experian | 2021 | 223,000,000 | LGPD / Consumer Protection |
Official Sources
- ANPD Official Site (Verified: 2024-03-01)
Frequently Asked Questions
Is LGPD the same as GDPR?
Very similar. However, the LGPD outlines 10 legal bases for processing data compared to the GDPR's 6, adding bases for credit protection and health protection among others.
Who regulates data privacy in Brazil?
The Autoridade Nacional de Proteção de Dados (ANPD) enforces the LGPD and issues administrative sanctions.
How do I report a data breach in Brazil?
Controllers must report significant breaches to the ANPD within two working days of assessing the incident.
Last updated: March 5, 2026