LGPD
What is LGPD?
LGPDBrazil's General Personal Data Protection Law (Law No. 13,709/2018), effective 18 September 2020, governing the processing of personal data by public and private entities.
The Lei Geral de Protecao de Dados (LGPD, Law No. 13,709/2018) is Brazil's comprehensive personal data protection law, modelled closely on the EU GDPR. Enacted in August 2018, its substantive provisions came into effect on 18 September 2020 and the administrative sanctions regime on 1 August 2021. LGPD applies extraterritorially to any processing of personal data carried out in Brazil, that targets data subjects in Brazil, or where the data was collected in Brazil. It defines ten lawful bases for processing, mandates appointment of a DPO (encarregado) for most controllers, recognises data-subject rights (access, correction, deletion, portability, revocation of consent) and requires notification of security incidents to the National Data Protection Authority (ANPD), which can impose fines up to 2% of Brazilian revenue (capped at BRL 50 million per infraction).
● Examples
- 01
A Brazilian retailer appointing an encarregado and publishing a public privacy notice in Portuguese.
- 02
A global SaaS provider mapping cross-border transfers from Brazil to comply with ANPD international-transfer rules.
● Frequently asked questions
What is LGPD?
Brazil's General Personal Data Protection Law (Law No. 13,709/2018), effective 18 September 2020, governing the processing of personal data by public and private entities. It belongs to the Compliance & Frameworks category of cybersecurity.
What does LGPD mean?
Brazil's General Personal Data Protection Law (Law No. 13,709/2018), effective 18 September 2020, governing the processing of personal data by public and private entities.
How does LGPD work?
The Lei Geral de Protecao de Dados (LGPD, Law No. 13,709/2018) is Brazil's comprehensive personal data protection law, modelled closely on the EU GDPR. Enacted in August 2018, its substantive provisions came into effect on 18 September 2020 and the administrative sanctions regime on 1 August 2021. LGPD applies extraterritorially to any processing of personal data carried out in Brazil, that targets data subjects in Brazil, or where the data was collected in Brazil. It defines ten lawful bases for processing, mandates appointment of a DPO (encarregado) for most controllers, recognises data-subject rights (access, correction, deletion, portability, revocation of consent) and requires notification of security incidents to the National Data Protection Authority (ANPD), which can impose fines up to 2% of Brazilian revenue (capped at BRL 50 million per infraction).
How do you defend against LGPD?
Defences for LGPD typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for LGPD?
Common alternative names include: Lei Geral de Protecao de Dados, Brazilian General Data Protection Law, Lei 13.709/2018.
● Related terms
- compliance№ 440
GDPR
The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- compliance№ 149
CCPA
The California Consumer Privacy Act, a U.S. state privacy law granting California residents rights over their personal information held by businesses.
- privacy№ 856
Privacy by Design
An engineering and governance approach that embeds privacy considerations into systems, processes, and defaults from the earliest design stages rather than bolting them on later.