LGPD: Compliance for Brazilian Companies

Step by step to adapt your Brazilian company to the General Data Protection Law.

15 December 2025 · 11 min read · By Jônata Guimarães

Introduction to LGPD

The General Data Protection Law (Law No. 13,709/2018) establishes rules on the collection, storage, processing and sharing of personal data in Brazil.

Legal Bases for Processing

LGPD provides 10 legal bases for processing personal data:

  1. Consent: free, informed and unequivocal manifestation
  2. Legal obligation compliance: regulatory requirement
  3. Public policy execution: by public administration
  4. Studies by research body: with anonymization when possible
  5. Contract execution: at the request of the data subject
  6. Regular exercise of rights: in judicial or administrative proceedings
  7. Protection of life: of the data subject or third party
  8. Health protection: by health professionals
  9. Legitimate interest: of the controller or third party
  10. Credit protection: according to relevant legislation

Data Subject Rights

Data subjects have the right to:

  • Confirmation that processing exists
  • Access to data
  • Correction of incomplete or outdated data
  • Anonymization, blocking or deletion
  • Portability
  • Deletion of data processed with consent
  • Information about sharing
  • Information about the possibility of not consenting
  • Consent revocation

Compliance Steps

1. Initial Diagnosis

  • Personal data mapping
  • Data flow identification
  • Analysis of legal bases used

2. Governance Structuring

  • DPO appointment
  • Internal policy definition
  • Privacy committee creation

3. Documentary Compliance

  • Privacy policy
  • Terms of use
  • Contracts with processors
  • Processing records

4. Technical Implementation

  • Security measures
  • Access controls
  • Audit logs
  • Incident response procedures

5. Training

  • Team training
  • Data protection awareness
  • Operational procedures

6. Continuous Monitoring

  • Periodic audits
  • Documentation updates
  • Response to data subject requests

Sanctions

ANPD may apply:

  • Warning
  • Simple fine of up to 2% of revenue (limited to R$50 million)
  • Daily fine
  • Publication of the infraction
  • Data blocking or deletion
  • Processing suspension or prohibition

Conclusion

LGPD compliance is a process that requires careful planning and execution. With the right structure, your company will be protected and compliant.

Jônata Guimarães

Lawyer · Digital Law

Practice areas: GDPR, LGPD and digital contracts, operating in Portugal and Brazil.

Need Legal Advice?

Get in touch to discuss how I can help your business with GDPR, LGPD and digital contract matters.
