1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
Brazil's primary and most comprehensive data protection law is the General Data Protection Law (13,709/2018), known locally as the Lei Geral de Proteção de Dados (LGPD).
The LGPD establishes a unified framework for the processing of personal data in both the public and private sectors, regardless of whether such processing occurs through physical or digital means. It:
- defines the rights of data subjects;
- sets out the principles and lawful bases for processing; and
- regulates:
  - international data transfers;
  - the duties of controllers and processors;
  - data breach notifications; and
  - the supervisory powers of the National Data Protection Agency (Agência Nacional de Proteção de Dados – ANPD).
Before the enactment of the LGPD, the protection of privacy and personal data in Brazil relied on a fragmented set of norms found in constitutional, civil, consumer and internet legislation. The 1988 Federal Constitution enshrines privacy, intimacy, honour and image as fundamental rights. The Consumer Protection Code (Federal Law 8,078/1990) introduced specific rules on the use of consumer databases:
- requiring that individuals be informed when their data is collected;
- prohibiting the retention of negative information for more than five years; and
- granting rights of access and correction.
The Access to Information Law (12,527/2011) further reinforced transparency principles and regulated access to information held by public authorities.
In the digital sphere, the Marco Civil da Internet (Federal Law 12,965/2014) laid down essential principles on privacy, net neutrality and data retention obligations for internet service providers, thereby paving the way for the comprehensive framework subsequently consolidated by the LGPD.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Yes. In addition to the LGPD and the general framework, specific sectors in Brazil are subject to laws and regulations that directly impact data protection.
In the banking sector, financial institutions regulated by the Brazilian Central Bank (BCB) must comply with the Banking Secrecy Act (Supplementary Law 105/2001), which mandates the confidentiality of credit and debit transactions of users, except in certain circumstances such as where disclosure is authorised by:
- law;
- judicial orders; or
- the consent of the client.
In recent years, the Open Finance framework, introduced by BCB Joint Resolution 1/2020 and subsequent amendments, has allowed the sharing of customer financial data among authorised institutions, always conditioned upon the explicit consent of the data subject. Complementary resolutions, such as BCB Resolution 342/2023, added specific obligations on reporting data breaches within the Pix payment system; while BCB Resolution 304/2023 established requirements for outsourcing data processing and storage abroad, ensuring supervisory cooperation and continuity of services.
In the health sector, the Medical Ethics Code (CFM Resolution 2,217/2018) prohibits healthcare professionals from disclosing patient information unless:
- legally required;
- justified by cause; or
- expressly authorised by the patient in writing.
Federal Law 13,787/2018 also regulates the handling of electronic medical records, including rules on their storage and confidentiality.
The Superior Electoral Court has issued several resolutions governing the use of personal data in electoral campaigns. For example, Resolution 23,732/2024, which amended Resolution 23,610/2019:
- expressly requires political parties, candidates and application providers to comply with the LGPD when processing personal data; and
- introduces additional obligations concerning the use, storage and security of voter information in the context of elections.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
Brazil is a signatory to several multilateral instruments that impact the regulation of data privacy and cybersecurity. Most notably, in April 2023, Brazil ratified the Convention on Cybercrime of the Council of Europe (Budapest Treaty) through Presidential Decree 11,491/2023.
At the regional level, Brazil participates in Mercosur discussions concerning data protection and cross-border transfers of personal data, although no binding regional framework equivalent to the General Data Protection Regulation exists within Mercosur to date. Nevertheless, cooperation in the area of digital trade and data governance has become an increasing focus of Mercosur negotiations.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The principal authority responsible for enforcing data privacy legislation in Brazil is the ANPD.
The ANPD was originally created in 2018 through Executive Order MP 869/2018, later confirmed by Federal Law 13,853/2019, which amended the LGPD to establish its structure and powers. In 2025, the president of Brazil signed Executive Order MP 1317/2025, converting the ANPD into an autonomous regulatory agency with technical and decision-making independence.
The ANPD has a broad mandate. Its powers include the ability to regulate, supervise and enforce compliance with the LGPD. It may:
- issue regulations, guidelines and technical notes interpreting the law;
- conduct investigations and administrative proceedings;
- request information and documents from controllers and processors; and
- apply sanctions for non-compliance.
While the ANPD is the central authority, other bodies have also played a role in enforcing privacy rights in specific contexts. The Public Prosecutor's Office at the state and federal levels and the secretary of consumer protection and defence have historically initiated actions and investigations based on consumer protection law and constitutional rights to privacy. Courts at both the individual and collective levels have also granted remedies for violations of privacy and misuse of personal data.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
Industry standards and best practices play an important role in the Brazilian data protection regime by:
- complementing the statutory requirements of the LGPD; and
- shaping both compliance strategies and regulatory enforcement.
The LGPD actively encourages the adoption of best practices and governance mechanisms – such as privacy programmes, risk management frameworks and security protocols – as a way to demonstrate accountability (Article 50 of the LGPD). Under the LGPD, adherence to codes of conduct, seals and certifications approved by the ANPD can serve as guarantees of compliance, especially in contexts such as international data transfers.
In enforcement practice, the ANPD has begun to evaluate whether organisations implement robust:
- internal policies;
- training; and
- privacy by design/default measures.
Entities that demonstrate adoption are more likely to be viewed as compliant or, at minimum, as acting in good faith. This can directly impact the severity of sanctions in case of infractions.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
The General Data Protection Law (LGPD) applies broadly to both natural persons and legal entities, whether governed by public or private law, that carry out the processing of personal data. The regime is intentionally comprehensive and captures a wide range of entities, regardless of size or sector.
The law applies to processing operations conducted within Brazilian territory, as well as to processing activities carried out abroad, where:
- the purpose is to offer or provide goods or services to individuals located in Brazil; or
- the personal data being processed was collected in Brazil.
This extraterritorial reach ensures that foreign entities that target Brazilian residents are also subject to the LGPD's provisions.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
Although the LGPD was designed as an omnibus law, it establishes specific circumstances in which its provisions do not apply.
The law does not govern personal data processing carried out exclusively for private and non-economic purposes, such as purely personal use by an individual. It also exempts processing undertaken for journalistic, artistic or academic purposes, thereby safeguarding freedom of expression, creativity and academic research. In addition, processing conducted for the purposes of public security, national defence, state security or the investigation and prosecution of criminal offences falls outside the LGPD's scope. These activities are expected to be regulated by separate and specific legislation.
Beyond these material exemptions, the National Data Protection Agency (ANPD) has introduced a differentiated compliance regime for small-scale processing agents. Under Resolution CD/ANPD 2/2022, micro and small businesses, startups, non-profit organisations and certain natural persons acting as controllers or processors may benefit from simplified compliance obligations. These include, for example:
- the possibility of maintaining simplified records of processing activities;
- extended deadlines to respond to data subject requests and incident notifications; and
- the absence of a mandatory obligation to appoint a data protection officer.
Importantly, however, such entities remain bound by the core principles and legal bases of the LGPD and the ANPD retains discretion to require full compliance in situations involving higher risks or broader processing activities.
2.3 Does the data privacy regime have extra-territorial application?
Yes. The LGPD may have extraterritorial scope of application in situations where:
- the processing activity is intended to offer or provide goods or services to individuals located in Brazil; or
- the personal data subject to processing has been collected within the Brazilian territory.
This broad territorial reach means that foreign companies with no physical presence in Brazil may nevertheless be subject to the LGPD if they target Brazilian residents or collect their personal data.
At the same time, the LGPD also carves out certain activities from its scope. It does not apply to the processing of personal data that originates outside Brazil and is not subsequently communicated, shared with Brazilian entities or internationally transferred to another country, provided that the country of origin ensures a level of data protection consistent with the LGPD (Article 4(IV) of the LGPD).
3 Definitions
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Data processing
The General Data Protection Law (LGPD) defines 'processing' broadly as any operation carried out with personal data. This includes activities such as:
- collection;
- production;
- reception;
- classification;
- use;
- access;
- reproduction;
- transmission;
- distribution;
- processing;
- filing;
- storage;
- elimination;
- evaluation;
- control;
- modification;
- communication;
- transfer;
- dissemination; and
- extraction (Article 5(X) of the LGPD).
(b) Data processor
The 'processor' is the natural or legal person, under public or private law, that processes personal data on behalf of the controller and in accordance with the controller's instructions (Article 5(VII) of the LGPD).
(c) Data controller
The 'controller' is the natural or legal person, under public or private law, that is responsible for making decisions regarding the processing of personal data (Article 5(VI) of the LGPD).
(d) Data subject
The 'data subject' is the natural person to whom the personal data refers (Article 5(V) of the LGPD).
(e) Personal data
'Personal data' is any information relating to an identified or identifiable natural person (Article 5(I) of the LGPD). Examples include an individual's:
- name;
- identification number;
- address;
- contact information; and
- data that can indirectly identify them when combined with other information.
(f) Sensitive personal data
The LGPD establishes a specific category of sensitive personal data (Article 5(II) of the LGPD), which includes information about the following when linked to a natural person:
- racial or ethnic origin;
- religious belief;
- political opinion;
- trade union membership;
- religious, philosophical or political organisation membership;
- health;
- sex life; and
- genetic or biometric data.
This type of data is subject to stricter processing conditions.
(g) Consent
'Consent' is defined as the free, informed and unequivocal manifestation by which the data subject agrees to the processing of their personal data for a specific purpose (Article 5(XII) of the LGPD). Consent must be given in advance and can be revoked at any time, without retroactive effect.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
In addition to the core concepts, the LGPD and subsequent National Data Protection Agency (ANPD) regulations introduce several other terms that are central to compliance and enforcement in Brazil, such as the following.
'Database': 'Database' is defined in the LGPD as a structured set of personal data established in one or several locations and maintained in either electronic or physical format (Article 5(IV) of the LGPD).
'Data breach': This term was specifically defined in Resolution CD/ANPD 15/2024 as any confirmed adverse event involving personal data that compromises its:
- confidentiality;
- integrity;
- availability; or
- authenticity.
Examples include:
- unauthorised access; and
- accidental or unlawful destruction, loss, alteration or disclosure.
'Data protection officer' (DPO): A 'DPO' is an individual appointed by the controller or processor to act as the communication channel between the organisation, data subjects and the ANPD (Article 5(VIII) of the LGPD). While the appointment of a DPO is generally mandatory for most organisations, small-scale data processing agents, as mentioned in question 2.2, are subject to a differentiated regime, which allows them to comply simply by providing a contact channel for data subjects instead of formally designating a DPO.
'Data sharing': The LGPD defines 'data sharing' as the communication, dissemination, international transfer or interconnection of personal data or shared processing of personal data databases carried out:
- among public bodies and entities in the exercise of their legal competences;
- between such public bodies and private entities, on a reciprocal basis, with specific authorisation and for one or more processing purposes permitted by the public entity; or
- among private entities (Article 5(XVI) of the LGPD).
'Research body': Under the LGPD, a 'research body' is defined as a body or entity of the direct or indirect public administration, or a non-profit private legal entity duly incorporated under Brazilian law and headquartered in Brazil, whose institutional mission or statutory purpose includes basic or applied research of a historical, scientific, technological or statistical nature (Article 5(XVIII) of the LGPD).
'Small-scale data processing agents': This term is used in Brazil to designate entities that qualify for a differentiated compliance regime under the LGPD, as established by Resolution CD/ANPD 2/2022. Entities falling under this category include:
- micro and small enterprises, including sole proprietorship limited liability companies and individual microentrepreneurs, as defined under Supplementary Law 123/2006;
- startups, as defined under Supplementary Law 182/2021, which are newly established businesses characterised by innovation in business models, products or services;
- non-profit private legal entities; and
- natural persons or unincorporated entities that assume the role of controller or processor.
4 Registration
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
The General Data Protection Law (LGPD) does not establish a general obligation for controllers or processors to register with the National Data Protection Agency (ANPD) or with any other governmental body.
4.2 What is the process for registration?
As noted in question 4.1, there is currently no process for the registration of data controllers or processors with the ANPD.
4.3 Is registered information publicly accessible?
Because the LGPD does not require controllers or processors to register with the ANPD, there is no public register of data processing activities in Brazil.
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
The General Data Protection Law (LGPD) establishes a closed list of 10 lawful bases for processing general personal data (Article 7):
- Consent: The data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Compliance with a legal or a regulatory obligation: Processing is necessary to enable the controller to comply with statutory or regulatory duties.
- Processing by the public administration with public policy purposes: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Research purposes: Processing is necessary to carry out studies by research entities, provided that, whenever possible, personal data is anonymised.
- Contractual needs: Processing is necessary:
  - for the performance of a contract to which the data subject is a party; or
  - to take steps at the request of the data subject prior to entering into a contract.
- For judicial, administrative, or arbitration proceedings: Processing that is necessary for the regular exercise of rights in the context of legal, regulatory or arbitral disputes.
- Protection of life or physical safety: Processing that is necessary to safeguard the life or physical integrity of the data subject or of third parties.
- Health protection: Processing that is conducted by health professionals, health services or sanitary authorities to protect health.
- Legitimate interests: Processing that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the rights and freedoms of the data subject are not infringed.
- Protection of credit: A Brazil-specific basis that allows controllers to process personal data for credit protection activities, including the assessment of creditworthiness.
Beyond these 10 lawful bases, the processing of sensitive personal data is governed by a distinct regime under Article 11 of the LGPD, which imposes stricter conditions. Such processing is permitted only in the following circumstances:
- with the specific and explicit consent of the data subject;
- to comply with a legal or regulatory obligation, considering that processing is necessary to ensure the controller's adherence to statutory or regulatory requirements;
- for the execution of public policies;
- for research purposes, provided that the anonymisation of personal data is applied whenever possible;
- for judicial, administrative or arbitration proceedings, considering that processing is necessary for the regular exercise of rights in the context of a dispute;
- to protect life or physical safety;
- for the protection of health; and
- for the prevention of fraud and security, considering that the processing is necessary to protect the data subject in processes of identification and authentication within electronic systems.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
The LGPD is grounded in a set of foundational principles that apply to all processing of personal data:
- regardless of whether the data is general or sensitive; and
- irrespective of whether the processing is conducted internally or outsourced to third parties.
These principles are listed in Article 6 of the LGPD and are enforced by the National Data Protection Agency (ANPD) and by the courts. The principles include the following:
- Purpose limitation:
  - Processing must be carried out for legitimate, specific, explicit and informed purposes; and
  - Data cannot be further processed in a manner that is incompatible with those purposes.
- Adequacy: Processing must be compatible with the purposes communicated to the data subject, in accordance with the context of the processing.
- Data minimisation: Processing must be limited to the minimum necessary to achieve the intended purpose, covering only relevant and proportional data.
- Free access: Data subjects must have guaranteed access to information about:
  - the form and duration of the processing; and
  - the completeness of their personal data.
- Accuracy: Controllers must ensure that personal data is accurate, clear, relevant and up to date in light of the purpose of the processing.
- Transparency: Processing must be carried out with clear, precise and easily accessible information provided to data subjects about the processing and the respective controllers.
- Integrity: Controllers and processors must adopt technical and administrative measures to protect personal data from:
  - unauthorised access; and
  - accidental or unlawful destruction, loss, alteration, communication or dissemination.
- Prevention: Proactive measures must be taken to prevent the occurrence of damages in the processing of personal data.
- Non-discrimination: Processing cannot be carried out for unlawful or abusive discriminatory purposes.
- Accountability: Controllers and processors must be able to demonstrate the adoption of effective measures that are capable of proving compliance with the LGPD and data protection norms.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
Beyond compliance with lawful bases and the overarching principles of the LGPD, organisations must observe additional requirements and are encouraged to adopt best practices that demonstrate accountability and proactive compliance.
Controllers must maintain records of processing activities (Article 37 of the LGPD), detailing:
- the purposes of the data processing;
- the categories of data subjects and data;
- sharing; and
- retention periods.
Small-scale data processing agents may use simplified templates but are not exempt from this duty. Where processing may present significant risks to civil liberties or fundamental rights, controllers must conduct a data protection impact assessment (Article 38 of the LGPD). The ANPD may request such an assessment at any time to assess the risk mitigation measures adopted.
In addition, the LGPD expressly endorses the concepts of data protection by design and by default (Article 46(2º)). This requires that controllers:
- integrate privacy and security considerations into the development of products, services and systems from the outset (by design); and
- configure them to the highest privacy settings by default, limiting the collection and processing of data to what is strictly necessary.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
The General Data Protection Law (LGPD) permits the transfer of personal data to third parties, provided that the processing is:
- grounded in a lawful basis under Article 7 (or Article 11 for sensitive data); and
- consistent with the general principles of purpose, adequacy, necessity, transparency and security.
Controllers remain primarily responsible for ensuring compliance with the LGPD, even when processing activities are carried out by third parties. This accountability extends to the adoption of appropriate technical, administrative and contractual measures to safeguard the data subject's rights. When a processor is engaged:
- the processing must follow the controller's documented instructions; and
- the parties should clearly allocate responsibilities through contractual terms.
When the personal data involved qualifies as sensitive personal data:
- stricter safeguards apply under Article 11 of the LGPD; and
- controllers must be able to demonstrate that one of the limited lawful bases for sensitive data processing is satisfied.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
The LGPD governs international data transfers in Articles 33–36, permitting Brazilian personal data to be transferred abroad only in specific situations so that the level of protection afforded by the law is not diminished.
Transfers are lawful when:
- made to countries or international organisations recognised by the National Data Protection Agency (ANPD) as providing an adequate level of protection;
- the controller can demonstrate sufficient guarantees of compliance with the LGPD, such as through:
  - contractual clauses;
  - ANPD-approved standard contractual clauses (SCCs);
  - binding corporate rules (BCRs); or
  - certified seals, certificates and codes of conduct;
- required for international legal cooperation, the protection of life or physical safety or the implementation of public policies;
- authorised by the ANPD; or
- arising from international agreements.
The detailed framework for these mechanisms was established by Resolution CD/ANPD 19/2024, which:
- sets out procedures for:
  - adequacy decisions; and
  - the approval of SCCs and BCRs; and
- introduces a risk-based approach to ensure that transfers to non-adequate jurisdictions still preserve LGPD standards.
The destination is decisive. If the receiving country has adequacy status, transfers may proceed without further safeguards. If not, controllers must adopt one of the authorised mechanisms or rely on exceptional legal grounds provided in Article 33.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Beyond the conditions expressly provided in the LGPD for domestic and international transfers, controllers and processors are expected to comply with broader principles of accountability, transparency and integrity. Transfers, therefore, must always respect the purpose limitation, data minimisation and necessity requirements set out in Articles 6 and 7 of the LGPD.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
The General Data Protection Law (LGPD) grants data subjects a comprehensive set of rights, largely inspired by international standards such as the GDPR, aimed at ensuring transparency, control and accountability in the processing of personal data. Under Article 18, data subjects may:
- confirm the existence of processing and obtain access to their personal data;
- request the correction of incomplete, inaccurate or outdated data;
- request the anonymisation, blocking or deletion of unnecessary, excessive or unlawfully processed data;
- request the portability of their data to another service or product provider, subject to National Data Protection Agency (ANPD) regulation and trade/industrial secrets;
- request the deletion of personal data processed based on consent, except where retention is legally permitted;
- obtain information about data sharing, including the public and private entities with which the controller has shared their data;
- be informed about the possibility of withholding consent and the consequences of doing so;
- withdraw consent at any time, through a simple and free procedure; and
- request a review of decisions made solely based on automated processing, including profiling that affects their interests.
Certain exemptions apply. Controllers may deny or limit the exercise of rights when processing is indispensable for:
- compliance with a legal or regulatory obligation;
- the implementation of public policies;
- research purposes (with anonymisation when possible);
- the regular exercise of rights in judicial, administrative or arbitral proceedings; or
- the protection of life and physical safety.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
Data subjects may exercise their rights directly with the controller responsible for processing their personal data through the channels made available, which typically include:
- electronic platforms;
- dedicated email addresses; and
- physical service channels.
The law requires that the procedure be:
- simple;
- free of charge; and
- easily accessible.
Controllers must respond within 15 days of receiving the request.
If the controller does not provide an adequate response, the data subject may escalate the matter to the ANPD, which has the authority to investigate and enforce compliance. In addition, the LGPD does not prevent data subjects from seeking judicial relief, including injunctions and compensation for damages, under:
- the Constitution;
- the Civil Code; and
- the Consumer Protection Code.
7.3 What remedies are available to data subjects in case of breach of their rights?
First, data subjects may seek administrative remedies before the ANPD. The agency has the power to:
- receive complaints;
- investigate non-compliance;
- order corrective measures; and
- impose sanctions that range from warnings and daily fines to the suspension or prohibition of processing activities.
Second, data subjects may pursue judicial remedies directly before the judiciary. Lawsuits may be brought individually or as part of collective claims, which are often pursued by consumer associations, public prosecutors or other representative entities, given the overlap between data protection and consumer rights.
8 Compliance
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
Yes. Under the General Data Protection Law (LGPD), controllers must designate a data protection officer (DPO) (Article 41 of the LGPD). Processors are not subject to the same obligation, although the appointment of a DPO is regarded as a recommended best practice.
Failure by a controller to appoint a DPO may expose the organisation to administrative sanctions under the LGPD. These range from warnings and corrective measures to monetary fines of up to 2% of the company's revenue in Brazil, capped at BRL 50 million per violation.
8.2 What qualifications or other criteria must the data protection officer meet?
The LGPD does not prescribe formal qualifications, certifications or professional background requirements for the role.
8.3 What are the key responsibilities of the data protection officer?
The DPO's minimum responsibilities under the LGPD are:
- receiving complaints and communications from data subjects, providing timely and appropriate responses and facilitating the exercise of their rights under the law;
- acting as the primary communication channel with the National Data Protection Agency (ANPD), including handling:
  - inquiries;
  - inspections; and
  - requests for information;
- advising and guiding the organisation's employees and contractors on practices and procedures to be adopted for the protection of personal data; and
- carrying out other tasks as determined by the controller or subsequently established by the ANPD through regulation.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Yes. The LGPD does not prohibit outsourcing and the ANPD has confirmed that organisations may designate either an internal employee or an external service provider to perform the role. This flexibility has made outsourcing common practice, particularly for small and medium-sized entities that lack in-house expertise.
When the function is outsourced, the organisation remains the ultimate controller of personal data and continues to bear full responsibility for compliance with the LGPD. Accordingly, it is essential that the outsourcing arrangement clearly defines the DPO's:
- responsibilities;
- reporting lines; and
- scope of authority.
Best practice requires that the contract includes:
- confidentiality obligations;
- service-level expectations; and
- mechanisms to ensure the DPO's independence in carrying out their tasks.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
The LGPD is built on an accountability model, meaning that controllers and processors must be able to demonstrate compliance through proper records and documentation. Therefore, data processing agents must keep records of all personal data processing operations, describing:
- categories of data;
- the purposes of the processing;
- data subjects;
- recipients;
- security measures; and
- retention periods.
These records must be made available to the ANPD upon request.
In addition, where processing may pose high risks to civil liberties and fundamental rights, controllers must prepare a data protection impact assessment:
- detailing the processing activities;
- assessing risks; and
- setting out mitigation measures.
The ANPD may request such an assessment as part of its supervisory actions.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
Beyond record-keeping, governance measures and the appointment of a DPO, the LGPD requires data processing agents to adopt appropriate administrative and technical safeguards to ensure the security of personal data. These safeguards must protect against:
- unauthorised access; and
- accidental or unlawful destruction, loss, alteration or disclosure.
The ANPD expects the level of protection to be proportionate to both:
- the sensitivity of the data; and
- the risks associated with the processing activity.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
Under the General Data Protection Law (LGPD), both controllers and processors are legally required to implement technical and administrative security measures to protect personal data from:
- unauthorised access;
- accidental or unlawful destruction, loss, alteration or communication; and
- any form of improper or unlawful processing (Article 46 of the LGPD).
In addition, in line with Resolution CD/ANPD 15/2024, which governs breach notification procedures, organisations are expected to:
- have mechanisms for monitoring, detecting and responding to security incidents; and
- maintain records of incidents.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Yes. The LGPD requires controllers to notify both the National Data Protection Agency (ANPD) and affected data subjects of any security incident that may pose significant risk or damage to individuals (Article 48 of the LGPD). Processors must promptly inform the controller once they become aware of an incident, but the notification duty to the ANPD lies with the controller.
According to Resolution CD/ANPD 15/2024, which regulates incident notification procedures, the notification must include, at a minimum:
- a description of the nature and circumstances of the incident;
- the categories and approximate number of data subjects affected;
- the categories and volume of personal data involved;
- the risks to the rights and freedoms of the data subjects;
- the technical and security measures used for data protection (subject to commercial secrecy);
- the remedial measures adopted or planned to mitigate the effects; and
- the contact details of the DPO or another designated point of contact.
These notifications must be submitted to the ANPD through its electronic platform. Where full information is not immediately available, a preliminary notification should be made within the deadline, followed by a final detailed report once the facts are clarified. The general timeframe set by the ANPD is three business days from confirmation of the incident, though exceptions apply where immediate harm to data subjects is likely.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
If the incident poses relevant risk or damage, affected individuals must also be informed in clear, simple and easily understandable language. The notice should specify:
- the nature of the incident;
- the data affected; and
- the measures that they can take to protect themselves.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
Where an incident does not present significant risk or damage, formal notification to the ANPD is not strictly required. However, organisations:
- are expected to document all incidents internally; and
- may opt for voluntary notification as a good-faith measure, particularly if uncertainty exists about the potential impacts.
Failure to notify when risk exists can result in sanctions, including:
- warnings;
- fines; and
- suspension of processing activities.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
There are no special rules on the processing of employee personal data in Brazil. Such data is fully governed by the General Data Protection Law (LGPD), with employers acting as controllers and required to process it in accordance with the principles discussed in this Q&A.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
Yes. Employee surveillance is permitted in Brazil but is limited by the LGPD and labour legislation.
Employers may monitor corporate tools, such as email, internet access and work devices, provided that the monitoring is:
- proportionate;
- transparent; and
- restricted to professional purposes.
Secret or excessive surveillance is prohibited.
Video surveillance in the workplace is also allowed for legitimate security or operational reasons, but it:
- must not cover private areas (eg, restrooms or changing rooms); and
- should be clearly disclosed to employees.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
It is good practice to require that any sharing of employee data with service providers (eg, payroll processors, health insurers or benefits platforms) be governed by clear contractual safeguards, ensuring that the processor (third-party provider):
- complies with the LGPD; and
- uses the data strictly for the agreed purposes.
11 Online issues
11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?
The General Data Protection Law (LGPD) does not contain provisions that expressly regulate cookies. However, the use of cookies is considered a type of personal data processing where they can identify, or can be reasonably linked to, an individual. In such cases, their collection and use must comply with the general rules of the LGPD.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Likewise, the LGPD does not set out specific rules for cloud computing, but the use of cloud services constitutes personal data processing and therefore must comply with the general principles and obligations of the law.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
One of the most recent and significant developments in marketing is the sanctioning of Federal Law 15,211/2025, known as the Estatuto Digital da Criança e do Adolescente. This statute:
- modernises the protection of children and adolescents in digital environments; and
- explicitly interfaces with data protection norms.
Digital platforms, applications and services accessible to children must:
- adopt privacy by design measures;
- ensure age verification; and
- provide parental controls.
The law prohibits or severely restricts the use of minors' data for behavioural advertising, requiring companies to adopt higher transparency standards and prioritise the best interests of the child, in line with both the LGPD and consumer protection norms.
12 Disputes
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
Privacy disputes in Brazil are typically heard before the National Data Protection Agency (ANPD) and the civil courts, with the choice of forum depending on whether the focus is:
- administrative enforcement;
- damages; or
- collective protection.
12.2 What issues do such disputes typically involve? How are they typically resolved?
In Brazil, data privacy disputes usually arise from:
- improper or excessive data collection;
- lack of transparency;
- unauthorised sharing of personal data with third parties;
- data leaks or security incidents; and
- unlawful marketing practices, including:
  - unsolicited communications; or
  - targeted advertising without consent.
Increasingly, disputes also involve:
- employee surveillance;
- profiling; and
- the misuse of sensitive personal data such as health or biometric information.
There is no settled case law in such cases, and resolution will depend on the nature of the claim and the forum chosen.
12.3 Have there been any recent cases of note?
Yes. Several notable cases and enforcement actions have already taken place under the General Data Protection Law and through the ANPD. In 2025, the ANPD issued a series of sanctioning decisions against public agencies for:
- failure to notify data breaches in accordance with Article 48; and
- non-compliance with security obligations under Article 49.
To date, most published sanctions have been directed at public sector entities.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
2025 marked a turning point for Brazil, with the country moving from the implementation phase of the General Data Protection Law to a stage of active enforcement. Institutionally, the National Data Protection Agency (ANPD) was elevated to the status of a regulatory agency by Presidential Executive Order 1,317/2025, granting it greater functional, administrative and financial autonomy. This reform strengthens the ANPD's ability to:
- conduct structured supervision;
- impose sanctions; and
- carry out sector-wide inspections.
Looking ahead, the next 12 months will be defined by the consolidation of this new role. As an autonomous regulator, the ANPD is expected to:
- expand inspection programmes;
- issue sector-specific guidance; and
- coordinate more closely with consumer protection authorities.
Although congressional review of the executive order remains a formal step, the ANPD's autonomy is already in effect in practice, shaping a more assertive and predictable regulatory environment.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
Tips: Organisations should:
- start with data mapping;
- ensure that each processing activity has a lawful basis; and
- embed privacy by design/default into systems.
It is essential to:
- appoint a data protection officer;
- adopt clear breach response plans;
- update contracts with processors; and
- train staff.
Ongoing monitoring of National Data Protection Agency (ANPD) guidance and enforcement trends is also key.
Sticking points: The main challenges include:
- the General Data Protection Law's (LGPD) extraterritorial scope;
- stricter rules for sensitive personal data; and
- complex international transfers under Resolution CD/ANPD 19/2024.
Small-scale agents under Resolution CD/ANPD 2/2022 often underestimate their duties but must still comply with the LGPD's principles and maintain adequate safeguards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.