LGPD

Lei Geral de Proteção de Dados Pessoais (General Personal Data Protection Law)

Law No. 13.709/2018Enforced — Fully enforceable with penalties since 1 August 2021

Brazil's General Data Protection Law establishes comprehensive data protection rules for all public and private sector organisations processing personal data. Modelled after the GDPR, it mandates consent-based processing, data subject rights, Data Protection Impact Assessments, and breach notification obligations, with extraterritorial application to any entity targeting Brazilian residents.

Articles

Chapters

BRL 50M

Max Fine

Aug 2021

Enforced

Implementation Timeline

14 August 2018

Law 13.709 enacted by National Congress

28 December 2018

ANPD (enforcement authority) created

16 August 2020

LGPD becomes enforceable

1 August 2021

ANPD begins applying penalties and sanctions

Who's In Scope

Public Sector

All Brazilian government agencies
Public bodies processing personal data

Private Sector

All companies of any size
No revenue or size threshold — applies universally

International Entities

Foreign organisations processing data of Brazilian residents
Entities targeting Brazilian market regardless of location

Key Requirements

Art. 7-8

Consent & Legal Basis

Obtain informed consent before processing, identify one of ten lawful processing bases for each activity.

Art. 17-18

Data Subject Rights

Provide access, correction, deletion, anonymisation, portability, and information about sharing to individuals upon request.

Art. 32

Data Protection Impact Assessments

Conduct DPIAs for high-risk processing activities as determined by ANPD.

Art. 33-34

Breach Notification

Notify ANPD and affected data subjects of security incidents within a reasonable timeframe.

Art. 28-31

Processor Contracts

Establish written contracts between controllers and processors defining processing obligations, security requirements, and liability.

Penalties & Enforcement

Administrative Fines

Up to 2% of revenue, capped at BRL 50M (~EUR 9M)

Per infraction, based on Brazilian annual revenue

Non-Monetary Sanctions

Public disclosure of violation

Data deletion orders, processing bans, warning notices

Enforcement Progression

Escalating tiers

Warnings → fines → daily fines → publicising → blocking → deletion → prohibition

How Orizon Can Help

Compliance Management

We provide structured preparation and compliance support for LGPD.

Learn more

Official Sources

Assess Your Readiness

Schedule a consultation with our regulatory experts to assess your LGPD compliance posture and build a practical roadmap.

Get Started