Brazil • LGPD

Lei Geral de Proteção de Dados

The General Data Protection Law (LGPD) is a federal law in Brazil designed to unify 40 existing laws to regulate processing of the personal data of individuals.

It was passed on September 18 2020 and was backdated, coming into effect on August 16 2020. Penalties became enforceable on August 1 2021.

Who Does it Affect


A LGPD se aplica a qualquer pessoa jurídica, seja pública ou privada, que realize coleta e o tratamento de dados, ou seja, que realize qualquer atividade em que se utilizem dados pessoais, seja através do meio físico ou digital.

Toda operação de tratamento de dados realizada em território nacional ou por pessoa localizada no Brasil deverá observar as regras da LGPD, com exceção ao tratamento de dados realizados para fins exclusivamente particulares e não econômicos, jornalísticos, artísticos, acadêmicos, de segurança pública, de defesa nacional, de segurança de Estado, de investigação ou repressão de infrações penais, aos quais as diretrizes da LGPD não serão aplicadas.


The LGPD does not apply where the processing of personal data:

  • Is carried out by a natural person exclusively for private and non-economic purposes
  • Is done solely for journalistic, artistic and/or academic purposes
  • Is conducted solely for the purposes of public safety, national defence, national security, or the investigation and prosecution of criminal offences
  • Originates outside of Brazil and is not subject to communication or sharing with Brazilian data processors or subject to international transfer to a country other than the country of origin (provided that the country of origin provides an adequate level of data protection

Consumer rights

To confirm whether their data is indeed being processed

Any data being processed about them

Of any incomplete, inaccurate or out-of-date data

Any unnecessary or excessive data or data processed in non-compliance with the LGPD should be anonymized, blocked or deleted.

Data should be portable to other service or product providers.

Of any data that was previously processed with the consent of the data subject. There are some exceptions to this as listed in Article 16 of the LGPD. These mainly relate to legal and regulatory obligations, research, transfer of data and exclusive use.

And which entities it has been shared with both private and public.

Should a data subject refuse to give consent what consequences may they face because of this.

As provided for in Article 8 of the LGPD, consent may be revoked at any time by express request of the data subject. This must be able to be done through a free of charge procedure.

Find out more about how Value Privacy can help your business stay on top of privacy laws.

You can also get in touch with us any time with any queries you have

Don’t forget you can keep up with us here as well