Lei Geral de Proteção de Dados (LGPD)
Complete compliance guide for companies with <200 employees. Everything you need to know about LGPD requirements, deadlines, and penalties.
15 calendar days
BRL 50,000,000/violation
Up to 2% of revenue in Brazil, capped at R$50 million per infraction (Art. 52). ANPD may also impose daily fines, public disclosure of the infraction, or temporary suspension of data processing activities.
No threshold
$8,000 – $30,000
8-20 weeks
Mid-Market Compliance Guide
LGPD applies to any organization processing personal data of individuals in Brazil, regardless of where the company is based. The 15-day DSAR deadline is among the shortest globally. DPO appointment is mandatory for all controllers, though ANPD may issue size-based exceptions.
Key Requirements
- Lawful basis for processing (10 legal bases under Art. 7)
- Appoint a Data Protection Officer (Encarregado)
- Maintain records of processing activities
- Data Protection Impact Assessment for high-risk processing
- Cross-border transfer safeguards (adequacy, contracts, BCRs)
- Data breach notification to ANPD and data subjects
Consumer Rights
Business Obligations
1. Appoint DPO (Encarregado) and publish contact details
2. Respond to data subject requests within 15 days
3. Implement security measures proportionate to risk
4. Maintain processing records and demonstrate compliance
5. Report security incidents to ANPD within a reasonable timeframe
Exemptions
- Processing by natural persons for personal purposes
- Journalism, art, and academic purposes
- Public safety and national defense
- Criminal investigation and prosecution
Related Privacy Laws
Recommended Compliance Tools
Osano
Easy-to-use privacy compliance for mid-market companies
LGPD consent collection and cookie compliance
BigID
AI-powered data intelligence for privacy and security
LGPD personal data discovery and classification
TrustArc
Enterprise privacy management with built-in regulatory intelligence
LGPD assessment templates and compliance tracking
Securiti
AI-powered data command center for privacy, security, and governance
LGPD data mapping and consent management
DataGrail
DSAR automation platform that connects directly to your data systems
LGPD data subject request handling
Ketch
Programmatic privacy platform for responsible data use
LGPD consent management
Ethyca (Fides)
Open-source privacy engineering infrastructure
LGPD subject request processing
Mine (SayMine)
AI-powered DSAR automation and data minimization
LGPD data subject request support
Didomi
Consent management platform for global privacy compliance
LGPD consent banner and preference center
Usercentrics
Enterprise consent management with Google-certified CMP status
LGPD cookie consent and preference management
CookieYes
Affordable cookie consent and compliance for small businesses
LGPD cookie consent banner
Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/27/2026.
