Brazil’s primary and most comprehensive data protection law is the General Data Protection Law (13,709/2018), known locally as the Lei Geral de Proteção de Dados (LGPD).
The LGPD establishes a unified framework for the processing of personal data in both the public and private sectors, regardless of whether such processing occurs through physical or digital means. It:
- defines the rights of data subjects;
- sets out the principles and lawful bases for processing; and
- regulates:
  - international data transfers;
  - the duties of controllers and processors;
  - data breach notifications; and
  - the supervisory powers of the National Data Protection Agency (Agência Nacional de Proteção de Dados – ANPD).
Before the enactment of the LGPD, the protection of privacy and personal data in Brazil relied on a fragmented set of norms found in constitutional, civil, consumer and internet legislation. The 1988 Federal Constitution enshrines privacy, intimacy, honour and image as fundamental rights. The Consumer Protection Code (Federal Law 8,078/1990) introduced specific rules on the use of consumer databases:
- requiring that individuals be informed when their data is collected;
- prohibiting the retention of negative information for more than five years; and
- granting rights of access and correction.
The Access to Information Law (12,527/2011) further reinforced transparency principles and regulated access to information held by public authorities.
In the digital sphere, the Marco Civil da Internet (Federal Law 12,965/2014) laid down essential principles on privacy, net neutrality and data retention obligations for internet service providers, thereby paving the way for the comprehensive framework subsequently consolidated by the LGPD.
Yes. In addition to the LGPD and the general framework, specific sectors in Brazil are subject to laws and regulations that directly impact data protection.
In the banking sector, financial institutions regulated by the Brazilian Central Bank (BCB) must comply with the Banking Secrecy Act (Supplementary Law 105/2001), which mandates the confidentiality of credit and debit transactions of users, except in certain circumstances such as where disclosure is authorised by:
- law;
- judicial orders; or
- the consent of the client.
In recent years, the Open Finance framework, introduced by BCB Joint Resolution 1/2020 and subsequent amendments, has allowed the sharing of customer financial data among authorised institutions, always conditioned upon the explicit consent of the data subject. Complementary resolutions, such as BCB Resolution 342/2023, added specific obligations on reporting data breaches within the Pix payment system, while BCB Resolution 304/2023 established requirements for outsourcing data processing and storage abroad, ensuring supervisory cooperation and continuity of services.
In the health sector, the Medical Ethics Code (CFM Resolution 2,217/2018) prohibits healthcare professionals from disclosing patient information unless:
- legally required;
- justified by cause; or
- expressly authorised by the patient in writing.
Federal Law 13,787/2018 also regulates the handling of electronic medical records, including rules on their storage and confidentiality.
The Superior Electoral Court has issued several resolutions governing the use of personal data in electoral campaigns. For example, Resolution 23,732/2024, which amended Resolution 23,610/2019:
- expressly requires political parties, candidates and application providers to comply with the LGPD when processing personal data; and
- introduces additional obligations concerning the use, storage and security of voter information in the context of elections.
Brazil is a signatory to several multilateral instruments that impact the regulation of data privacy and cybersecurity. Most notably, in April 2023, Brazil ratified the Convention on Cybercrime of the Council of Europe (Budapest Treaty) through Presidential Decree 11,491/2023.
At the regional level, Brazil participates in Mercosur discussions concerning data protection and cross-border transfers of personal data, although no binding regional framework equivalent to the General Data Protection Regulation exists within Mercosur to date. Nevertheless, cooperation in the area of digital trade and data governance has become an increasing focus of Mercosur negotiations.
The principal authority responsible for enforcing data privacy legislation in Brazil is the ANPD.
The ANPD was originally created in 2018 through Executive Order MP 869/2018, later confirmed by Federal Law 13,853/2019, which amended the LGPD to establish its structure and powers. In 2025, the president of Brazil signed Executive Order MP 1317/2025, converting the ANPD into an autonomous regulatory agency with technical and decision-making independence.
The ANPD has a broad mandate. Its powers include the ability to regulate, supervise and enforce compliance with the LGPD. It may:
- issue regulations, guidelines and technical notes interpreting the law;
- conduct investigations and administrative proceedings;
- request information and documents from controllers and processors; and
- apply sanctions for non-compliance.
While the ANPD is the central authority, other bodies have also played a role in enforcing privacy rights in specific contexts. The Public Prosecutor’s Office at the state and federal levels and the secretary of consumer protection and defence have historically initiated actions and investigations based on consumer protection law and constitutional rights to privacy. Courts at both the individual and collective levels have also granted remedies for violations of privacy and misuse of personal data.
Industry standards and best practices play an important role in the Brazilian data protection regime by:
- complementing the statutory requirements of the LGPD; and
- shaping both compliance strategies and regulatory enforcement.
The LGPD actively encourages the adoption of best practices and governance mechanisms – such as privacy programmes, risk management frameworks and security protocols – as a way to demonstrate accountability (Article 50 of the LGPD). Under the LGPD, adherence to codes of conduct, seals and certifications approved by the ANPD can serve as guarantees of compliance, especially in contexts such as international data transfers.
In enforcement practice, the ANPD has begun to evaluate whether organisations implement robust:
- internal policies;
- training; and
- privacy by design/default measures.
Entities that demonstrate adoption are more likely to be viewed as compliant or, at minimum, as acting in good faith. This can directly impact the severity of sanctions in case of infractions.
The General Data Protection Law (LGPD) applies broadly to both natural persons and legal entities, whether governed by public or private law, that carry out the processing of personal data. The regime is intentionally comprehensive and captures a wide range of entities, regardless of size or sector.
The law applies to processing operations conducted within Brazilian territory, as well as to processing activities carried out abroad, where:
- the purpose is to offer or provide goods or services to individuals located in Brazil; or
- the personal data being processed was collected in Brazil.
This extraterritorial reach ensures that foreign entities that target Brazilian residents are also subject to the LGPD’s provisions.
Although the LGPD was designed as an omnibus law, it establishes specific circumstances in which its provisions do not apply.
The law does not govern personal data processing carried out exclusively for private and non-economic purposes, such as purely personal use by an individual. It also exempts processing undertaken for journalistic, artistic or academic purposes, thereby safeguarding freedom of expression, creativity and academic research. In addition, processing conducted for the purposes of public security, national defence, state security or the investigation and prosecution of criminal offences falls outside the LGPD’s scope. These activities are expected to be regulated by separate and specific legislation.
Beyond these material exemptions, the National Data Protection Agency (ANPD) has introduced a differentiated compliance regime for small-scale processing agents. Under Resolution CD/ANPD 2/2022, micro and small businesses, startups, non-profit organisations and certain natural persons acting as controllers or processors may benefit from simplified compliance obligations. These include, for example:
- the possibility of maintaining simplified records of processing activities;
- extended deadlines to respond to data subject requests and incident notifications; and
- the absence of a mandatory obligation to appoint a data protection officer.
Importantly, however, such entities remain bound by the core principles and legal bases of the LGPD and the ANPD retains discretion to require full compliance in situations involving higher risks or broader processing activities.
Yes. The LGPD may have extraterritorial scope of application in situations where:
- the processing activity is intended to offer or provide goods or services to individuals located in Brazil; or
- the personal data subject to processing has been collected within the Brazilian territory.
This broad territorial reach means that foreign companies with no physical presence in Brazil may nevertheless be subject to the LGPD if they target Brazilian residents or collect their personal data.
At the same time, the LGPD also carves out certain activities from its scope. It does not apply to the processing of personal data that originates outside Brazil and is not subsequently communicated, shared with Brazilian entities or internationally transferred to another country, provided that the country of origin ensures a level of data protection consistent with the LGPD (Article 4(IV) of the LGPD).
(a) Data processing
The General Data Protection Law (LGPD) defines ‘processing’ broadly as any operation carried out with personal data. This includes activities such as:
- collection;
- production;
- reception;
- classification;
- use;
- access;
- reproduction;
- transmission;
- distribution;
- processing;
- filing;
- storage;
- elimination;
- evaluation;
- control;
- modification;
- communication;
- transfer;
- dissemination; and
- extraction (Article 5(X) of the LGPD).
(b) Data processor
The ‘processor’ is the natural or legal person, under public or private law, that processes personal data on behalf of the controller and in accordance with the controller’s instructions (Article 5(VII) of the LGPD).
(c) Data controller
The ‘controller’ is the natural or legal person, under public or private law, that is responsible for making decisions regarding the processing of personal data (Article 5(VI) of the LGPD).
(d) Data subject
The ‘data subject’ is the natural person to whom the personal data refers (Article 5(V) of the LGPD).
(e) Personal data
‘Personal data’ is any information relating to an identified or identifiable natural person (Article 5(I) of the LGPD). Examples include an individual’s:
- name;
- identification number;
- address;
- contact information; and
- data that can indirectly identify them when combined with other information.
(f) Sensitive personal data
The LGPD establishes a specific category of sensitive personal data (Article 5(II) of the LGPD), which includes information about the following when linked to a natural person:
- racial or ethnic origin;
- religious belief;
- political opinion;
- trade union membership;
- religious, philosophical or political organisation membership;
- health;
- sex life; and
- genetic or biometric data.
This type of data is subject to stricter processing conditions.
(g) Consent
‘Consent’ is defined as the free, informed and unequivocal manifestation by which the data subject agrees to the processing of their personal data for a specific purpose (Article 5(XII) of the LGPD). Consent must be given in advance and can be revoked at any time, without retroactive effect.
In addition to the core concepts, the LGPD and subsequent National Data Protection Agency (ANPD) regulations introduce several other terms that are central to compliance and enforcement in Brazil, such as the following.
‘Database’: ‘Database’ is defined in the LGPD as a structured set of personal data established in one or several locations and maintained in either electronic or physical format (Article 5(IV) of the LGPD).
‘Data breach’: This term was specifically defined in Resolution CD/ANPD 15/2024 as any confirmed adverse event involving personal data that compromises its:
- confidentiality;
- integrity;
- availability; or
- authenticity.
Examples include:
- unauthorised access; and
- accidental or unlawful destruction, loss, alteration or disclosure.
‘Data protection officer’ (DPO): A ‘DPO’ is an individual appointed by the controller or processor to act as the communication channel between the organisation, data subjects and the ANPD (Article 5(VIII) of the LGPD). While the appointment of a DPO is generally mandatory for most organisations, small-scale data processing agents, as mentioned in question 2.2, are subject to a differentiated regime, which allows them to comply simply by providing a contact channel for data subjects instead of formally designating a DPO.
‘Data sharing’: The LGPD defines ‘data sharing’ as the communication, dissemination, international transfer or interconnection of personal data or shared processing of personal data databases carried out:
- among public bodies and entities in the exercise of their legal competences;
- between such public bodies and private entities, on a reciprocal basis, with specific authorisation and for one or more processing purposes permitted by the public entity; or
- among private entities (Article 5(XVI) of the LGPD).
‘Research body’: Under the LGPD, a ‘research body’ is defined as a body or entity of the direct or indirect public administration, or a non-profit private legal entity duly incorporated under Brazilian law and headquartered in Brazil, whose institutional mission or statutory purpose includes basic or applied research of a historical, scientific, technological or statistical nature (Article 5(XVIII) of the LGPD).
‘Small-scale data processing agents’: This term is used in Brazil to designate entities that qualify for a differentiated compliance regime under the LGPD, as established by Resolution CD/ANPD 2/2022. Entities falling under this category include:
- micro and small enterprises, including sole proprietorship limited liability companies and individual microentrepreneurs, as defined under Supplementary Law 123/2006;
- startups, as defined under Supplementary Law 182/2021, which are newly established businesses characterised by innovation in business models, products or services;
- non-profit private legal entities; and
- natural persons or unincorporated entities that assume the role of controller or processor.
The General Data Protection Law (LGPD) does not establish a general obligation for controllers or processors to register with the National Data Protection Agency (ANPD) or with any other governmental body.
According to question 4.1, there is currently no process for the registration of data controllers or processors with the ANPD.
Because the LGPD does not require controllers or processors to register with the ANPD, there is no public register of data processing activities in Brazil.
The General Data Protection Law (LGPD) establishes a closed list of 10 lawful bases for processing general personal data (Article 7):
- Consent: The data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Compliance with a legal or a regulatory obligation: Processing is necessary to enable the controller to comply with statutory or regulatory duties.
- Processing by the public administration with public policy purposes: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Research purposes: Processing is necessary to carry out studies by research entities, provided that, whenever possible, personal data is anonymised.
- Contractual needs: Processing is necessary:
  - for the performance of a contract to which the data subject is a party; or
  - to take steps at the request of the data subject prior to entering into a contract.
- For judicial, administrative, or arbitration proceedings: Processing that is necessary for the regular exercise of rights in the context of legal, regulatory or arbitral disputes.
- Protection of life or physical safety: Processing that is necessary to safeguard the life or physical integrity of the data subject or of third parties.
- Health protection: Processing that is conducted by health professionals, health services or sanitary authorities to protect health.
- Legitimate interests: Processing that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the rights and freedoms of the data subject are not infringed.
- Protection of credit: A Brazil-specific basis that allows controllers to process personal data for credit protection activities, including the assessment of creditworthiness.
Beyond these 10 lawful bases, the processing of sensitive personal data is governed by a distinct regime under Article 11 of the LGPD, which imposes stricter conditions. Such processing is permitted only in the following circumstances:
- with the specific and explicit consent of the data subject;
- to comply with a legal or regulatory obligation, considering that processing is necessary to ensure the controller’s adherence to statutory or regulatory requirements;
- for the execution of public policies;
- for research purposes, provided that the anonymisation of personal data is applied whenever possible;
- for judicial, administrative or arbitration proceedings, considering that processing is necessary for the regular exercise of rights in the context of a dispute;
- to protect life or physical safety;
- for the protection of health; and
- for the prevention of fraud and security, considering that the processing is necessary to protect the data subject in processes of identification and authentication within electronic systems.
The LGPD is grounded in a set of foundational principles that apply to all processing of personal data:
- regardless of whether the data is general or sensitive; and
- irrespective of whether the processing is conducted internally or outsourced to third parties.
These principles are listed in Article 6 of the LGPD and are enforced by the National Data Protection Agency (ANPD) and by the courts. The principles include the following:
- Purpose limitation:
  - processing must be carried out for legitimate, specific, explicit and informed purposes; and
  - data cannot be further processed in a manner that is incompatible with those purposes.
- Adequacy: Processing must be compatible with the purposes communicated to the data subject, in accordance with the context of the processing.
- Data minimisation: Processing must be limited to the minimum necessary to achieve the intended purpose, covering only relevant and proportional data.
- Free access: Data subjects must have guaranteed access to information about:
  - the form and duration of the processing; and
  - the completeness of their personal data.
- Accuracy: Controllers must ensure that personal data is accurate, clear, relevant and up to date in light of the purpose of the processing.
- Transparency: Processing must be carried out with clear, precise and easily accessible information provided to data subjects about the processing and the respective controllers.
- Integrity: Controllers and processors must adopt technical and administrative measures to protect personal data from:
  - unauthorised access; and
  - accidental or unlawful destruction, loss, alteration, communication or dissemination.
- Prevention: Proactive measures must be taken to prevent the occurrence of damages in the processing of personal data.
- Non-discrimination: Processing cannot be carried out for unlawful or abusive discriminatory purposes.
- Accountability: Controllers and processors must be able to demonstrate the adoption of effective measures that are capable of proving compliance with the LGPD and data protection norms.
Beyond compliance with lawful bases and the overarching principles of the LGPD, organisations must observe additional requirements and are encouraged to adopt best practices that demonstrate accountability and proactive compliance.
Controllers must maintain records of processing activities (Article 37 of the LGPD), detailing:
- the purposes of the data processing;
- the categories of data subjects and data;
- sharing; and
- retention periods.
Small-scale data processing agents may use simplified templates but are not exempt from this duty. Where processing may present significant risks to civil liberties or fundamental rights, controllers must conduct a data protection impact assessment (Article 38 of the LGPD). The ANPD may request such an assessment at any time to assess the risk mitigation measures adopted.
In addition, the LGPD expressly endorses the concepts of data protection by design and by default (Article 46(2º)). This requires that controllers:
- integrate privacy and security considerations into the development of products, services and systems from the outset (by design); and
- configure them to the highest privacy settings by default, limiting the collection and processing of data to what is strictly necessary.
The General Data Protection Law (LGPD) permits the transfer of personal data to third parties, provided that the processing is:
- grounded in a lawful basis under Article 7 (or Article 11 for sensitive data); and
- consistent with the general principles of purpose, adequacy, necessity, transparency and security.
Controllers remain primarily responsible for ensuring compliance with the LGPD, even when processing activities are carried out by third parties. This accountability extends to the adoption of appropriate technical, administrative and contractual measures to safeguard the data subject’s rights. When a processor is engaged:
- the processing must follow the controller’s documented instructions; and
- the parties should clearly allocate responsibilities through contractual terms.
When the personal data involved qualifies as sensitive personal data:
- stricter safeguards apply under Article 11 of the LGPD; and
- controllers must be able to demonstrate that one of the limited lawful bases for sensitive data processing is satisfied.
The LGPD governs international data transfers in Articles 33–36, permitting Brazilian personal data to be transferred abroad only in specific situations so that the level of protection afforded by the law is not diminished.
Transfers are lawful when:
- made to countries or international organisations recognised by the National Data Protection Agency (ANPD) as providing an adequate level of protection;
- the controller can demonstrate sufficient guarantees of compliance with the LGPD, such as through:
  - contractual clauses;
  - ANPD-approved standard contractual clauses (SCCs);
  - binding corporate rules (BCRs); or
  - certified seals, certificates and codes of conduct;
- required for international legal cooperation, the protection of life or physical safety or the implementation of public policies;
- authorised by the ANPD; or
- arising from international agreements.
The detailed framework for these mechanisms was established by Resolution CD/ANPD 19/2024, which:
- sets out procedures for:
  - adequacy decisions; and
  - the approval of SCCs and BCRs; and
- introduces a risk-based approach to ensure that transfers to non-adequate jurisdictions still preserve LGPD standards.
The destination is decisive. If the receiving country has adequacy status, transfers may proceed without further safeguards. If not, controllers must adopt one of the authorised mechanisms or rely on exceptional legal grounds provided in Article 33.
Beyond the conditions expressly provided in the LGPD for domestic and international transfers, controllers and processors are expected to comply with broader principles of accountability, transparency and integrity. Transfers, therefore, must always respect the purpose limitation, data minimisation and necessity requirements set out in Articles 6 and 7 of the LGPD.
The General Data Protection Law (LGPD) grants data subjects a comprehensive set of rights, largely inspired by international standards such as the GDPR, aimed at ensuring transparency, control and accountability in the processing of personal data. Under Article 18, data subjects may:
- confirm the existence of processing and obtain access to their personal data;
- request the correction of incomplete, inaccurate or outdated data;
- request the anonymisation, blocking or deletion of unnecessary, excessive or unlawfully processed data;
- request the portability of their data to another service or product provider, subject to National Data Protection Agency (ANPD) regulation and trade/industrial secrets;
- request the deletion of personal data processed based on consent, except where retention is legally permitted;
- obtain information about data sharing, including the public and private entities with which the controller has shared their data;
- be informed about the possibility of withholding consent and the consequences of doing so;
- withdraw consent at any time, through a simple and free procedure; and
- request a review of decisions made solely based on automated processing, including profiling that affects their interests.
Certain exemptions apply. Controllers may deny or limit the exercise of rights when processing is indispensable for:
- compliance with a legal or regulatory obligation;
- the implementation of public policies;
- research purposes (with anonymisation when possible);
- the regular exercise of rights in judicial, administrative or arbitral proceedings; or
- the protection of life and physical safety.
Data subjects may exercise their rights directly with the controller responsible for processing their personal data through the channels made available, which typically include:
- electronic platforms;
- dedicated email addresses; and
- physical service channels.
The law requires that the procedure be:
- simple;
- free of charge; and
- easily accessible.
Controllers must respond within 15 days of receiving the request.
If the controller does not provide an adequate response, the data subject may escalate the matter to the ANPD, which has the authority to investigate and enforce compliance. In addition, the LGPD does not prevent data subjects from seeking judicial relief, including injunctions and compensation for damages, under:
- the Constitution;
- the Civil Code; and
- the Consumer Protection Code.
First, data subjects may seek administrative remedies before the ANPD. The agency has the power to:
- receive complaints;
- investigate non-compliance;
- order corrective measures; and
- impose sanctions that range from warnings and daily fines to the suspension or prohibition of processing activities.
Second, data subjects may pursue judicial remedies directly before the judiciary. Lawsuits may be brought individually or as part of collective claims, which are often pursued by consumer associations, public prosecutors or other representative entities, given the overlap between data protection and consumer rights.
Yes. Under the General Data Protection Law (LGPD), controllers must designate a data protection officer (DPO) (Article 41 of the LGPD). Processors are not subject to the same obligation, although the appointment of a DPO is regarded as a recommended best practice.
Failure by a controller to appoint a DPO may expose the organisation to administrative sanctions under the LGPD. These range from warnings and corrective measures to monetary fines of up to 2% of the company’s revenue in Brazil, capped at BRL 50 million per violation.
The LGPD does not prescribe formal qualifications, certifications or professional background requirements for the role.
The DPO’s minimum responsibilities under the LGPD are:
- receiving complaints and communications from data subjects, providing timely and appropriate responses and facilitating the exercise of their rights under the law;
- acting as the primary communication channel with the National Data Protection Agency (ANPD), including handling:
  - inquiries;
  - inspections; and
  - requests for information;
- advising and guiding the organisation’s employees and contractors on practices and procedures to be adopted for the protection of personal data; and
- carrying out other tasks as determined by the controller or subsequently established by the ANPD through regulation.
Yes. The LGPD does not prohibit outsourcing and the ANPD has confirmed that organisations may designate either an internal employee or an external service provider to perform the role. This flexibility has made outsourcing common practice, particularly for small and medium-sized entities that lack in-house expertise.
When the function is outsourced, the organisation remains the ultimate controller of personal data and continues to bear full responsibility for compliance with the LGPD. Accordingly, it is essential that the outsourcing arrangement clearly defines the DPO’s:
- responsibilities;
- reporting lines; and
- scope of authority.
Best practice requires that the contract includes:
- confidentiality obligations;
- service-level expectations; and
- mechanisms to ensure the DPO’s independence in carrying out their tasks.
The LGPD is built on an accountability model, meaning that controllers and processors must be able to demonstrate compliance through proper records and documentation. Therefore, data processing agents must keep records of all personal data processing operations, describing:
- categories of data;
- the purposes of the processing;
- data subjects;
- recipients;
- security measures; and
- retention periods.
These records must be made available to the ANPD upon request.
In addition, where processing may pose high risks to civil liberties and fundamental rights, controllers must prepare a data protection impact assessment:
- detailing the processing activities;
- assessing risks; and
- setting out mitigation measures.
The ANPD may request such an assessment as part of its supervisory actions.
Beyond record-keeping, governance measures and the appointment of a DPO, the LGPD requires data processing agents to adopt appropriate administrative and technical safeguards to ensure the security of personal data. These safeguards must protect against:
- unauthorised access; and
- accidental or unlawful destruction, loss, alteration or disclosure.
The ANPD expects the level of protection to be proportionate to both:
- the sensitivity of the data; and
- the risks associated with the processing activity.
Under the General Data Protection Law (LGPD), both controllers and processors are legally required to implement technical and administrative security measures to protect personal data from:
- unauthorised access;
- accidental or unlawful destruction, loss, alteration or communication; and
- any form of improper or unlawful processing (Article 46 of the LGPD).
In addition, in line with Resolution CD/ANPD 15/2024, which governs breach notification procedures, organisations are expected to:
- have mechanisms for monitoring, detecting and responding to security incidents; and
- maintain records of incidents.
Yes. The LGPD requires controllers to notify both the National Data Protection Agency (ANPD) and affected data subjects of any security incident that may pose significant risk or damage to individuals (Article 48 of the LGPD). Processors must promptly inform the controller once they become aware of an incident, but the notification duty to the ANPD lies with the controller.
According to Resolution CD/ANPD 15/2024, which regulates incident notification procedures, the notification must include, at a minimum:
- a description of the nature and circumstances of the incident;
- the categories and approximate number of data subjects affected;
- the categories and volume of personal data involved;
- the risks to the rights and freedoms of the data subjects;
- the technical and security measures used for data protection (subject to commercial secrecy);
- the remedial measures adopted or planned to mitigate the effects; and
- the contact details of the DPO or another designated point of contact.
These notifications must be submitted to the ANPD through its electronic platform. Where full information is not immediately available, a preliminary notification should be made within the deadline and supplemented with a final, detailed report once the facts are established. The general timeframe set by the ANPD is three business days, counted from the point at which the controller becomes aware that the incident affected personal data; where immediate harm to data subjects is likely, controllers should not wait until the end of that period to act and notify.
If the incident poses relevant risk or damage, affected individuals must also be informed in clear, simple and easily understandable language. The notice should specify:
- the nature of the incident;
- the data affected; and
- the measures that they can take to protect themselves.
Where an incident does not present significant risk or damage, formal notification to the ANPD is not strictly required. However, organisations:
- are expected to document all incidents internally; and
- may opt for voluntary notification as a good-faith measure, particularly if uncertainty exists about the potential impacts.
Failure to notify when risk exists can result in sanctions, including:
- warnings;
- fines; and
- suspension of processing activities.
There are no special rules on the processing of employee personal data in Brazil. Such data is fully governed by the General Data Protection Law (LGPD), with employers acting as controllers and required to process it in accordance with the principles discussed in this Q&A.
Yes. Employee surveillance is permitted in Brazil but is limited by the LGPD and labour legislation.
Employers may monitor corporate tools, such as email, internet access and work devices, provided that the monitoring is:
- proportionate;
- transparent; and
- restricted to professional purposes.
Covert or excessive surveillance is prohibited.
Video surveillance in the workplace is also allowed for legitimate security or operational reasons, but it:
- must not cover private areas (eg, restrooms or changing rooms); and
- should be clearly disclosed to employees.
It is good practice to require that any sharing of employee data with service providers (eg, payroll processors, health insurers or benefits platforms) be governed by clear contractual safeguards, ensuring that the processor (third-party provider):
- complies with the LGPD; and
- uses the data strictly for the agreed purposes.
The General Data Protection Law (LGPD) does not contain provisions that expressly regulate cookies. However, the use of cookies is treated as personal data processing wherever the cookie (or the identifier it stores) can identify, or can reasonably be linked to, an individual; this covers analytics and advertising identifiers as well as login and session cookies. In such cases, their collection and use must comply with the general rules of the LGPD, including the requirement for a lawful basis and transparent information to the user. The ANPD has published non-binding guidance on cookies and personal data protection that organisations should take into account when designing consent banners and cookie policies.
Likewise, the LGPD does not set out specific rules for cloud computing, but the use of cloud services constitutes personal data processing and therefore must comply with the general principles and obligations of the law.
One of the most recent and significant developments affecting marketing is the enactment of Federal Law 15,211/2025, known as the Estatuto Digital da Criança e do Adolescente. This statute:
- modernises the protection of children and adolescents in digital environments; and
- explicitly interfaces with data protection norms.
Digital platforms, applications and services accessible to children must:
- adopt privacy by design measures;
- ensure age verification; and
- provide parental controls.
The law prohibits or severely restricts the use of minors’ data for behavioural advertising, requiring companies to adopt higher transparency standards and prioritise the best interests of the child, in line with both the LGPD and consumer protection norms.
Privacy disputes in Brazil are typically heard before the National Data Protection Agency (ANPD) and the civil courts, with the choice of forum depending on whether the focus is:
- administrative enforcement;
- damages; or
- collective protection.
In Brazil, data privacy disputes usually arise from:
- improper or excessive data collection;
- lack of transparency;
- unauthorised sharing of personal data with third parties;
- data leaks or security incidents; and
- unlawful marketing practices, including:
  - unsolicited communications; or
  - targeted advertising without consent.
Increasingly, disputes also involve:
- employee surveillance;
- profiling; and
- the misuse of sensitive personal data such as health or biometric information.
There is no settled case law on such disputes yet, and the outcome will depend on the nature of the claim and the forum chosen.
Yes. Several notable cases and enforcement actions have already taken place under the General Data Protection Law and through the ANPD. In 2025, the ANPD issued a series of sanctioning decisions against public agencies for:
- failure to notify data breaches in accordance with Article 48; and
- non-compliance with security obligations under Article 49.
To date, most published sanctions have been directed at public sector entities.
2025 marked a turning point for Brazil, with the country moving from the implementation phase of the General Data Protection Law to a stage of active enforcement. Institutionally, the National Data Protection Agency (ANPD) was elevated to the status of a regulatory agency by Provisional Measure (Medida Provisória) 1,317/2025, an executive order with immediate legal effect, granting it greater functional, administrative and financial autonomy. This reform strengthens the ANPD's ability to:
- conduct structured supervision;
- impose sanctions; and
- carry out sector-wide inspections.
Looking ahead, the next 12 months will be defined by the consolidation of this new role. As an autonomous regulator, the ANPD is expected to:
- expand inspection programmes;
- issue sector-specific guidance; and
- coordinate more closely with consumer protection authorities.
Although the provisional measure still requires conversion into law by Congress within the constitutional deadline, failing which it lapses, the ANPD's autonomy is already in effect in practice, shaping a more assertive and predictable regulatory environment. Organisations should track the conversion process, as amendments during congressional review may alter the agency's final structure.
Tips: Organisations should:
- start with data mapping;
- ensure that each processing activity has a lawful basis; and
- embed privacy by design/default into systems.
It is essential to:
- appoint a data protection officer;
- adopt clear breach response plans;
- update contracts with processors; and
- train staff.
Ongoing monitoring of National Data Protection Agency (ANPD) guidance and enforcement trends is also key.
Sticking points: The main challenges include:
- the General Data Protection Law’s (LGPD) extraterritorial scope;
- stricter rules for sensitive personal data; and
- complex international transfers under Resolution CD/ANPD 19/2024.
Small-scale agents under Resolution CD/ANPD 2/2022 often underestimate their duties but must still comply with the LGPD’s principles and maintain adequate safeguards.