Support Centre

Brazil

Summary

Law: Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (LGPD)

Regulator: The structure of the Brazilian data protection authority (ANPD) was created by Presidential Decree No. 10,474 of 26 August 2020 (only available in Portuguese here) (the Decree). The Decree will come into force on the date of publication of the appointment of the ANPD's executive director in the Federal Official Gazette.

Summary: Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (LGPD) was passed in 2018 and entered into effect on September 18, 2020, although its enforcement provisions did not come into effect until August 1, 2021. The LGPD is a comprehensive data protection law that covers the activities of data controllers and processors and creates novel requirements for the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer appointments, Data Protection Impact Assessments (DPIAs), data transfers, and data breaches.

The ANPD enforces the LGPD and provides guidance and clarity on its provisions. In addition, Law No. 12.965 of 23 April 2014 (only available in Portuguese here) (Marco Civil da Internet) has been in force since June 2014 and establishes principles, guarantees, rights, and duties relating to the use of the internet in Brazil.

News

Insights

November 2024

Brazil: Data transfers - A new regulation in Brazil with SCCs

The transfer of personal data across borders is an integral part of business operations and communication. International data transfer (IDT) encompasses the transmission of personal information from one country to another or an international organization.

The General Data Protection Law (LGPD) in Brazil provides a comprehensive legal framework to regulate such transfers, ensuring that the rights and protection of Brazilian citizens are upheld. The Brazilian IDT mechanisms are similar, but not identical to the ones established in the General Data Protection Regulation (GDPR) of the European Union. The Brazilian legal framework provides that IDTs are allowed in Brazil in multiple circumstances, such as to countries that provide an adequate level of protection, when using Standard Contractual Clauses (SCCs) defined by the data protection authority (DPA), specific contractual clauses, Binding Corporate Rules (BCRs), seals and certificates, and other lawful grounds as further detailed in this article.

On August 23, 2024, the Brazilian DPA (ANPD) issued Resolution No. 19/2024 to regulate some of the mechanisms that allow IDTs in Brazil, including the proceeding to acknowledge a country or organization as providing adequate protection, SCCs, specific contractual clauses, and BCRs. Other mechanisms of international transfer are not regulated by Resolution No. 19/2024.

Alan Campos Elias Thomaz, of Campos Thomaz Advogados, discusses how IDTs are regulated in Brazil and the mechanisms organizations may implement to comply with the LGPD.

January 2024

Brazil: ANPD publishes Resolution No. 04 regulating sanctions

In this Insight article, Ana Costa, from FTR Advogados, explores the impact of Resolution CD/ANPD No. 04, of February 24, 2023 (Resolution No. 04) on sanctions, dosimetry, and its broader implications for data privacy compliance under the Brazilian General Personal Data Protection Law (LGPD).

March 2023

Brazil: AI landscape and what to expect from the upcoming legislation

The Brazilian Federal Senate established a commission of legal experts ('the AI Commission') who were commissioned with the task of drafting an Artificial Intelligence Legal Framework ('AI Legal Framework').

In this Insight article, Fabio Ferreira Kujawski and Ingrid Soares, from Mattos Filho Advogados, summarise the main findings of the AI Commission that shall guide the discussions in the Brazilian Congress about an upcoming federal statute for AI systems, whilst also analysing existing laws and regulations that currently impact the use and development of AI systems in Brazil.

September 2022

International: Legislative context of data protection – comparing Brazil and Chile

Both Brazil and Chile have existing data protection frameworks which have, in part, been influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Samara Schuch and Debora Batista Araújo, from Schuch & Araújo Specialized Law Firm, provide a comparison between the frameworks in both Brazil and Chile, and discuss the challenges and successes of both.

August 2022

Brazil: ANPD's first approach on cookies under the LGPD

Brazil is currently in the process of fleshing out its approach to regulating cookies, with more extensive guidance on the way. Celina Bottino, Vinicius Padrão, and Flávia Parra Cano, from Rennó, Penteado, Sampaio Advogados, discuss current developments in this area and the relevance of approaches taken in the EU on this matter.

March 2022

Brazil: The first year of operation of the ANPD

The Brazilian data protection authority ('ANPD') was established by the Article 55-A of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'). This brought Brazil in line with other countries around the world with specific legislation for data protection, as well as a supervisory authority dedicated exclusively to subjects such as data protection, privacy, cybersecurity, and related matters.

This article addresses the first operational year of the ANPD in 2021, and analyses some of its main achievements.

February 2022

Brazil: ANPD regulation on applicability of LGPD to small processing agents

The Brazilian data protection authority ('ANPD') has been active in the past months, with the publication of various guidance documents pertaining to Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') and aimed at facilitating compliance. One such action was the ANPD's approval, on 28 January 2022, of Resolution CD/ANPD No. 2 of 27 January 2022 for a Regulation on the application of the LGPD to small processing agents1 ('the Resolution'), which entered into force on the date of its publication in the Official Gazette, 28 January 2022. This Insight article analyses the key aspects of the Resolution and what small processing agents must consider in ensuring that they comply with the requirements under the LGPD.

December 2021

Brazil: Children's data under the LGPD

The entry into force of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') in Brazil creates a new legal regime for children's personal data, with some sectors being particularly impacted. Patricia Peck Pinheiro, Marcelo Crespo, Camila Bruna do Nascimento, and Helen Batista Battaglini, from Peck Advogados, discuss this area and its nuances.

December 2021

Brazil: ANPD regulation on enforcement

Following public consultation on the matter, the Brazilian data protection authority1 ('ANPD') approved, on 29 October 2021, Regulation CD/ANPD No. 1 ('the Regulation'), regarding the monitoring and enforcement of administrative sanctions by the ANPD. The Regulation entered into effect on the same day it was enacted. Despite the sanctioning prerogatives of the ANPD entering into force on 1 August 2021, the Regulation is necessary for allowing the ANPD to act out this function. Alan Campos Elias Thomaz and Thaissa Lencastre Pinto, Founding Partner and Attorney respectively at Campos Thomaz Advogados, discuss the Regulation and its provisions.

August 2020

Brazil: Operationalising the LGPD: Data mapping & assessments

The advent of a comprehensive data protection law such as the incoming Law No. 13.709 of 14 August, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') in Brazil requires organisations to react in order to meet its demands. Alan Campos Eliaz Thomas, Partner at AT | Advogados, breaks down some practical steps that can be taken to map data flows through an organisation and subsequently identify any legal gaps in how such data is handled in order to satisfy the provisions of the LGPD.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.