What is LGPD?
The Lei Geral de Proteção de Dados (LGPD — Brazil Law 13.709/2018) is Brazil’s comprehensive data protection statute, effective 18 September 2020 (administrative sanctions effective 1 August 2021). LGPD is largely modelled on GDPR with similar legal-basis structure, data subject rights, and extraterritorial scope, but adapted to Brazil’s constitutional and regulatory tradition. The Autoridade Nacional de Proteção de Dados (ANPD) is the supervisory authority, established as an autonomous federal agency in 2022.
Key LGPD elements
- Lawful bases (10 vs. GDPR’s 6): consent, contractual necessity, legal obligation, public administration, studies, vital interests, contractual performance preliminaries, legitimate interest, credit protection, and others.
- Data subject rights: access, correction, deletion, portability, anonymisation, automated decision review — closely tracks GDPR.
- Cross-border transfer: adequacy decisions, specific safeguards (SCCs, binding corporate rules), consent, performance of contract, judicial cooperation.
- DPO obligation: mandatory for most data controllers; ANPD has discretion to exempt SMEs.
- Extraterritorial reach: applies to processing offered to or affecting individuals in Brazil, regardless of processor location.
Sanctions (effective 2021)
- Up to BRL 50M per infringement or 2% of group Brazilian revenue (whichever is lower).
- Warning, daily penalty, public disclosure of infringement, blocking/deletion of data, suspension of database, partial/full suspension of operations.
- ANPD increasingly active 2023+ with first significant fines.
For Turkish companies
Turkish companies targeting the Brazilian market (especially e-commerce, gaming, SaaS, content) are subject to LGPD’s extraterritorial scope. In Turkey-Brazil data flows, LGPD’s cross-border transfer regime (Article 33) affects data sent to the Brazilian side; KVKK’s cross-border transfer regime (Article 9) affects data sent from the Turkish side, so compliance is needed in both directions. The DPO appointment requirement in Brazil is an additional burden for small and medium-sized Turkish companies; in practice, a fractional DPO or an outsourced compliance service is preferred.
Do: appoint DPO for any Brazil-targeting service; map LGPD lawful basis per processing activity; align consent UX with LGPD specific consent standard (granular, withdrawable).
Don’t: rely solely on GDPR compliance documentation — LGPD has Brazil-specific provisions (10 lawful bases, ANPD enforcement priorities) that need separate analysis.