Your Data Rights in Brazil Under the LGPD

What the LGPD is and who it protects

The Lei Geral de Proteção de Dados (LGPD), Federal Law No. 13.709/2018, is Brazil's general data protection law. It came into force in 2020 and sets out how organisations may collect, use, store, and share the personal data of people in Brazil. In structure and spirit it is close to the EU's GDPR, so if you have read about European data rights, much of the LGPD will feel familiar.

The law applies whenever personal data is processed in Brazil, when the processing aims to offer goods or services to people in Brazil, or when the data was collected in Brazil — regardless of where the organisation itself is based. That broad reach means many international companies fall under it.

The LGPD centres on you, the data subject (titular dos dados). It treats your personal data as something you retain meaningful control over, and it places clear obligations on the organisations that hold it.

• Personal data: any information relating to an identified or identifiable person.
• Sensitive data: information on health, biometrics, ethnicity, religion, politics, sexuality, and similar — given extra protection.
• Controller (controlador): the organisation that decides why and how your data is processed.

The rights the LGPD gives you

Article 18 of the LGPD lists the specific rights you can exercise over your own personal data. You can ask an organisation to confirm whether it processes your data at all, and to give you access to the data it holds. If something is wrong or out of date, you can ask for it to be corrected.

You can also request that unnecessary, excessive, or unlawfully handled data be anonymised, blocked, or deleted, and ask for your data to be ported to another provider. Where processing relies on your consent, you can withdraw that consent and ask for the data to be deleted, subject to the law's exceptions. You can additionally ask which public and private bodies your data has been shared with.

Requests are made directly to the organisation holding your data. Under the LGPD these requests are generally handled free of charge, and the controller is expected to respond within a reasonable period. Some organisations name a data protection officer (encarregado) as the point of contact for these requests.

• Confirmation that your data is being processed, and access to it.
• Correction of incomplete, inaccurate, or outdated data.
• Anonymisation, blocking, or deletion of unnecessary or unlawfully processed data.
• Portability of your data to another service provider.
• Information about the public and private entities your data has been shared with.
• Withdrawal of consent, and information about the consequences of refusing it.

The ANPD and what to do if a request is ignored

Brazil's data protection regulator is the Autoridade Nacional de Proteção de Dados (ANPD). It oversees how the LGPD is applied, issues guidance, and can investigate organisations and apply penalties for non-compliance. If you have asked an organisation to act on one of your rights and it refuses, ignores you, or responds in a way you believe breaches the law, you can raise the matter with the ANPD.

A practical first step is to keep a clear record: the request you sent, the date, and any reply you received. A calm, specific, written request that names the right you are exercising under the LGPD tends to be easier for an organisation to act on — and easier for the ANPD to assess later if it comes to that.

This article is general information and not legal advice. The LGPD contains exceptions and conditions, and your situation may have specifics that matter. For advice on a particular case, consider speaking to a qualified professional familiar with Brazilian data protection law.

Frequently asked questions

Related terms

• GDPR (General Data Protection Regulation)
• Personal data
• Data protection regulator
• Data controller