Your company just received its first Data Subject Access Request (DSAR) from a Brazilian customer. Your team scrambles to find the relevant data across five different systems. Two weeks later, you're still pulling spreadsheets together when you get a notification: you've missed the deadline. Under Brazil's LGPD, that's not just a compliance hiccup—it's grounds for a penalty of up to 2% of your Brazilian revenue.
This scenario plays out more often than you'd think. Brazil's Lei Geral de Proteção de Dados (LGPD) has one of the strictest DSAR deadlines in the world: 15 calendar days. That's half the time afforded under the EU's GDPR, and for mid-market companies processing Brazilian customer data, it's a challenge that demands proactive systems—not reactive scrambling.
Here's what you need to know about LGPD compliance if your company operates in Brazil or serves Brazilian customers, regardless of where your headquarters are located.
What Is LGPD and Who Must Comply?
The LGPD is Brazil's comprehensive data protection law, enacted in 2018 and effective since September 2020. Think of it as Brazil's answer to the GDPR—it establishes strict rules for how organizations collect, process, store, and share personal data.
The LGPD applies to any organization that:
- Processes personal data of individuals located in Brazil
- Offers goods or services to individuals in Brazil
- Has operations or a presence in Brazil
Critically, the law has extraterritorial reach. If you're a U.S.-based SaaS company with Brazilian customers, or a European e-commerce platform shipping to São Paulo, you're subject to LGPD—even if you have no physical presence in Brazil. This mirrors the GDPR's territorial scope, meaning companies already familiar with European data protection law will recognize the principles, though the implementation details differ.
The Autoridade Nacional de Proteção de Dados (ANPD)—Brazil's data protection authority—became operational in 2021 and has rapidly ramped up enforcement. Between 2023 and early 2025, the ANPD issued fines totaling BRL 98 million (approximately $20 million USD), targeting sectors including healthcare, finance, and AI-driven technology firms. The ANPD has transitioned from a moderately active enforcer to a very active one, signaling that the grace period for compliance is over.
The 15-Day DSAR Deadline: Brazil's Strictest Requirement
Under LGPD Article 18, data subjects have the right to obtain confirmation of whether their personal data is being processed and to access that data. When a Brazilian customer exercises this right, you have 15 consecutive calendar days to respond—not business days, not "reasonable time," but 15 calendar days including weekends and holidays.
Compare this to other major privacy laws:
| Law | DSAR Deadline |
|---|---|
| Brazil LGPD | 15 calendar days |
| EU GDPR | 30 days (extendable to 60) |
| California CPRA | 45 days (extendable to 90) |
| Canada PIPEDA | 30 days |
For mid-market companies—especially those managing customer data across CRMs, ticketing systems, marketing platforms, and cloud storage—15 days is tight. You can't afford to start mapping data locations after the request arrives. You need a Data Inventory that documents where personal data lives, who owns each system, and how to extract it quickly.
Need to calculate your exact DSAR deadline accounting for Brazilian holidays? Use the LGPD DSAR calculator to ensure you never miss a statutory deadline.
The 10 Legal Bases: More Than GDPR's Six
The LGPD establishes 10 legal bases for processing personal data, compared to GDPR's six. Understanding these bases is critical because every processing activity in your organization must map to one of them.
The 10 legal bases under LGPD Article 7 are:
- Consent – The data subject provides explicit consent for specific purposes.
- Compliance with a legal or regulatory obligation – Processing required by law.
- Execution of public policies – By public authorities for policy implementation.
- Studies by research entities – For academic or historical research.
- Execution of a contract – Processing necessary to fulfill a contract with the data subject.
- Exercise of rights in judicial, administrative, or arbitration proceedings – Legal defense.
- Protection of life or physical safety – Emergency situations.
- Protection of health – In procedures carried out by health professionals.
- Legitimate interests – Pursued by the controller or third parties, provided rights of the data subject are respected.
- Credit protection – For credit protection systems and similar.
The addition of "protection of health" and "credit protection" as standalone bases reflects Brazil's legal and economic context. For mid-market companies, the most commonly invoked bases are:
- Consent for marketing and non-essential features
- Execution of a contract for core service delivery
- Legitimate interests for analytics, fraud prevention, and business operations
Unlike GDPR, which allows "vital interests" broadly, LGPD splits this into "protection of life" and "protection of health," requiring more precise legal justification. Document which legal basis applies to each processing activity in your Data Inventory—this is essential for DSAR responses and ANPD audits.
ANPD Enforcement: No Longer a Grace Period
When the LGPD first took effect in 2020, enforcement was limited while organizations adapted. That era is over. The ANPD has published its Regulatory Agenda for 2025-2026, prioritizing enforcement in the following areas:
- Data subject rights (especially DSAR compliance)
- Data Protection Impact Assessments (DPIAs)
- Data sharing by government entities
- Minors' data processing
- Biometric data
- Artificial intelligence and algorithmic decision-making
In one high-profile action, the ANPD ordered Meta to suspend processing personal data for AI training under penalty of a daily fine of BRL 50,000. This signals the ANPD's willingness to impose operational restrictions—not just fines—when violations are severe.
For mid-market companies, this means:
- DSAR backlogs are no longer tolerated
- Data processing must have documented legal bases
- High-risk processing (AI, biometrics, children's data) requires DPIAs
- Cross-border transfers require approved mechanisms (more on this below)
Penalties: Up to 2% of Brazilian Revenue
LGPD penalties are structured to scale with the severity of the violation and the organization's revenue. Under Article 52, the ANPD can impose:
- Fines up to 2% of revenue in Brazil in the preceding fiscal year, capped at BRL 50 million (~$10 million USD) per infraction
- Daily fines for ongoing non-compliance
- Public disclosure of the violation (reputational damage)
- Blocking or deletion of personal data related to the infraction
- Partial or total suspension of database operations
The ANPD applies a tiered calculation methodology considering:
- The nature, gravity, and extent of the violation
- Whether the violation was intentional or negligent
- The organization's economic condition
- Repeat offenses
- The degree of harm caused to data subjects
- Whether the organization adopted compliance measures and remediation efforts
For a mid-market company with BRL 10 million in Brazilian revenue, a single violation could trigger a BRL 200,000 fine. But the real cost is often reputational: public disclosure, customer churn, and lost deals during due diligence.
Data Protection Officer Requirement
The LGPD does not mandate a Data Protection Officer (DPO) for all organizations—unlike GDPR, which has specific criteria triggering DPO appointment. However, Article 41 requires organizations to publish contact information for a privacy representative, and the ANPD has indicated it expects medium and large organizations to designate a DPO or equivalent privacy lead.
For mid-market companies, the practical guidance is:
- Designate a privacy point of contact (internal staff or external consultant)
- Publish this contact information in your privacy policy and on your website
- Ensure the contact can respond to ANPD inquiries and data subject requests
- The role does not need to be full-time, but it must be functional
Many mid-market companies designate a legal or compliance manager as the LGPD contact, supplemented by external counsel for complex issues.
Cross-Border Data Transfers: Standard Contractual Clauses Required
If you transfer personal data from Brazil to another country—such as storing Brazilian customer data in U.S.-based AWS servers or sharing data with a European parent company—you must comply with LGPD Chapter V on international data transfers.
Brazil has not issued adequacy decisions for other countries (unlike the EU's adequacy mechanism). Instead, transfers must rely on:
- Standard Contractual Clauses (SCCs) approved by the ANPD
- Specific contractual clauses submitted for ANPD approval
- Global corporate rules or binding codes of conduct
- Consent from the data subject for the specific transfer
- Necessary for legal obligations, contract execution, or public interest
The ANPD published Standard Contractual Clauses in 2024, modeled on EU SCCs. The grace period for implementing SCCs ended on August 23, 2025. From that date forward, international data transfers are only valid if SCCs are executed or another approved mechanism is in place.
For mid-market companies, this means:
- Map all cross-border data flows (vendors, cloud providers, parent companies)
- Execute SCCs with each recipient of Brazilian personal data
- Maintain a Data Transfer Register documenting transfer mechanisms
- Review vendor contracts to ensure LGPD-compliant transfer clauses
If you're already GDPR-compliant and using EU SCCs, the ANPD's SCCs are similar in structure, making dual compliance easier. But you must execute Brazil-specific SCCs—EU SCCs alone are not sufficient.
For a detailed comparison of LGPD and GDPR transfer mechanisms, see the Brazil LGPD law page and the Americas region hub.
Practical Compliance Steps for Mid-Market Companies
Here's a pragmatic roadmap for LGPD compliance, prioritized by impact and ANPD enforcement focus:
Step 1: Map Your Data (Data Inventory)
Create a centralized Data Inventory documenting:
- What personal data you collect (names, emails, payment info, behavior data)
- Why you collect it (legal basis for each processing activity)
- Where it's stored (CRM, database, cloud storage, third-party tools)
- Who has access (internal teams, vendors, processors)
- Retention periods (how long you keep each data category)
This is your foundation. Without it, you can't respond to DSARs in 15 days, and you can't demonstrate ANPD compliance.
Step 2: Document Legal Bases
For every processing activity, assign one of the 10 legal bases. For example:
- Customer account data: Execution of a contract
- Marketing emails: Consent (with opt-in records)
- Fraud detection: Legitimate interests
- Tax records: Legal obligation
When the ANPD asks, "Why are you processing this data?" your answer must reference a specific LGPD legal basis—not "we've always done it this way."
Step 3: Build a DSAR Response Process
Establish a documented process for handling DSARs:
- Intake: Create a web form or email address for DSAR submissions
- Verification: Confirm the requester's identity before disclosing data
- Data collection: Pull data from all systems in your inventory
- Response format: Provide data in a structured, commonly used format (PDF, CSV)
- Deadline tracking: Use a system that calculates the 15-day deadline accounting for Brazilian holidays
If you're managing multiple privacy laws, use the DSAR calculator to ensure you're applying the correct deadlines for each jurisdiction.
Step 4: Update Privacy Notices
Your privacy policy must comply with LGPD Article 9, clearly informing data subjects about:
- What data you collect and the legal basis for each category
- How you use the data
- How long you retain it
- Whether you share it with third parties
- How to exercise LGPD rights (access, correction, deletion)
- Contact information for your privacy representative
Avoid generic templates copied from GDPR policies—LGPD has specific disclosure requirements (like the 10 legal bases) that differ from GDPR.
Step 5: Execute Standard Contractual Clauses
If you transfer data internationally:
- Execute ANPD-approved SCCs with all data recipients outside Brazil
- Update vendor contracts to include LGPD-compliant data processing terms
- Maintain signed copies in a centralized repository for ANPD audits
This step is non-negotiable as of August 2025—the grace period has ended.
Step 6: Train Your Team
Compliance isn't just a legal function. Train customer-facing teams (sales, support, account management) on:
- How to recognize a DSAR
- Where to route requests (privacy contact, not individual teams)
- What not to say (don't promise deadlines you can't meet)
A single misstep—like a support agent promising "we'll get that to you next month"—can trigger a complaint to the ANPD.
Step 7: Conduct a Data Protection Impact Assessment (DPIA)
If you process:
- Sensitive data (health, biometrics, children's data)
- Large-scale profiling or automated decision-making
- Innovative technologies (AI, facial recognition)
You should conduct a DPIA documenting risks to data subjects and mitigation measures. While LGPD does not explicitly mandate DPIAs in all cases, the ANPD has signaled it expects them for high-risk processing.
Key Takeaways
Brazil's LGPD is not a distant compliance requirement—it's an active enforcement priority with real financial and operational consequences. For mid-market companies processing Brazilian customer data, here's what matters most:
- The 15-day DSAR deadline is non-negotiable. Build systems now to respond on time, or accept the risk of ANPD penalties and reputational damage.
- LGPD has extraterritorial reach. If you serve Brazilian customers, you're subject to the law regardless of where your company is headquartered.
- The ANPD is actively enforcing. BRL 98 million in fines between 2023 and early 2025 signals that the grace period is over.
- 10 legal bases, not six. Every processing activity must map to one of LGPD's 10 legal bases—document this in your Data Inventory.
- Cross-border transfers require SCCs. The August 2025 grace period has ended—execute ANPD-approved Standard Contractual Clauses now.
- Penalties scale to 2% of Brazilian revenue. Fines are capped at BRL 50 million per violation, but public disclosure and operational suspensions can be more damaging.
LGPD compliance is achievable for mid-market companies, but it requires structured processes, not ad-hoc responses. Start with your Data Inventory, document your legal bases, and build a DSAR workflow that can hit the 15-day deadline consistently. The ANPD's enforcement priorities are clear—make sure your compliance program aligns with them before a penalty notice arrives.
For jurisdiction-specific guidance and deadline calculators, explore the Brazil LGPD law page and compare with other laws in the Americas region hub. If you're managing multiple privacy frameworks, see how LGPD compares to the EU GDPR to streamline dual compliance.