Back to ContentLGPD

LGPD: Compliance for Brazilian Companies

Step by step to adapt your Brazilian company to the General Data Protection Law.

December 15, 202511 min readBy Jônata Guimarães
LGPD: Compliance for Brazilian Companies
Share

Introduction to LGPD

The General Data Protection Law (Law No. 13,709/2018) establishes rules on the collection, storage, processing and sharing of personal data in Brazil.

Legal Bases for Processing

LGPD provides 10 legal bases for processing personal data:

  1. Consent: free, informed and unequivocal manifestation
  2. Legal obligation compliance: regulatory requirement
  3. Public policy execution: by public administration
  4. Studies by research body: with anonymization when possible
  5. Contract execution: at the request of the data subject
  6. Regular exercise of rights: in judicial or administrative proceedings
  7. Protection of life: of the data subject or third party
  8. Health protection: by health professionals
  9. Legitimate interest: of the controller or third party
  10. Credit protection: according to relevant legislation

Data Subject Rights

Data subjects have the right to:

  • Confirmation of processing existence
  • Access to data
  • Correction of incomplete or outdated data
  • Anonymization, blocking or deletion
  • Portability
  • Deletion of data processed with consent
  • Information about sharing
  • Information about possibility of not consenting
  • Consent revocation

Compliance Steps

1. Initial Diagnosis

  • Personal data mapping
  • Data flow identification
  • Analysis of legal bases used

2. Governance Structuring

  • DPO appointment
  • Internal policy definition
  • Privacy committee creation

3. Documentary Compliance

  • Privacy policy
  • Terms of use
  • Contracts with processors
  • Processing records

4. Technical Implementation

  • Security measures
  • Access controls
  • Audit logs
  • Incident response procedures

5. Training

  • Team training
  • Data protection awareness
  • Operational procedures

6. Continuous Monitoring

  • Periodic audits
  • Documentation updates
  • Response to data subject requests

Sanctions

ANPD may apply:

  • Warning
  • Simple fine of up to 2% of revenue (limited to R$50 million)
  • Daily fine
  • Publication of the infraction
  • Data blocking or deletion
  • Processing suspension or prohibition

Conclusion

LGPD compliance is a process that requires careful planning and execution. With the right structure, your company will be protected and compliant.

Jônata Guimarães

Jônata Guimarães

Lawyer · Digital Law

Practice areas: GDPR, LGPD and digital contracts, operating in Portugal and Brazil.

Related Articles

View all articles on LGPD

Need Legal Advice?

Get in touch to discuss how I can help your business with GDPR, LGPD and digital contract matters.

Open chat
WhatsApp (initial contact — no document sharing)
Open chat
WhatsApp (initial contact — no document sharing)