LGPD: The Latest Updates to Brazil’s Data Privacy Law
The final version of the General Data Protection Law (LGPD) was ratified by the Brazilian Federal Senate in May 2019 and signed into law by President Jair Bolsonaro in July 2019.
When the LGPD was first passed by the Brazilian Senate in August 2018, the then President, Michel Temer, vetoed the provision establishing a federal data protection authority to oversee and enforce the regulation, citing constitutional grounds.
That authority has since been restored, and the LGPD is now scheduled to come into effect on August 16, 2020.
Some of the key changes incorporated into the final version of the LGPD include:
- The establishment of the National Data Protection Authority (ANPD)
- A review of automated decisions
- The handling of personal health information
- Administrative sanctions
- The role of the Data Protection Officer
The Establishment of the National Data Protection Authority
In the final version of the LGPD sanctioned by President Jair Bolsonaro, the National Data Protection Authority is anchored in the Office of the President.
However, the law allows the ANPD's legal nature to be changed within two years of its entering into force, with the aim of giving the authority more autonomy.
The primary duties of the ANPD include:
- Ensuring compliance with the LGPD
- Receiving and resolving data subjects' complaints
- Performing audits
- Supporting businesses in understanding and preparing for the situations that will arise once the LGPD comes into effect
A Review of Automated Decisions
Under the draft version of the LGPD, a data subject who sought a re-examination of a decision reached solely by automated means had the right to ask the company to have a human agent carry out that review.
The final version of the LGPD keeps the right to request a review of automated decisions but removes the requirement that the review be performed by a human being.
This differs from Article 22 of the GDPR, which grants data subjects the right to obtain human intervention in the review of automated decisions.
The Management of Personal Health Information
The final version of the LGPD not only establishes the protection of health data but also covers the procedures used by health service providers, health professionals and health authorities.
For this reason, the LGPD prohibits the sharing of sensitive health data between controllers for the purpose of obtaining an economic advantage, except when:
- the sharing is necessary for the delivery of healthcare or pharmaceutical assistance
- it is in the interest of the data subject's welfare
- it is for the purpose of data portability requested by the data subject, or of financial and administrative transactions resulting from the provision of healthcare services
Separately, the law bars private health plan operators from processing health data to select risks when contracting coverage, or to admit or exclude beneficiaries.
The Role of the Data Protection Officer
The initial conception of the LGPD provided for the appointment of a Data Protection Officer (DPO) with a legal and regulatory background in data protection. In practice, a DPO would have needed extensive knowledge of both the LGPD and the EU's General Data Protection Regulation (GDPR). See the Key Similarities and Differences between LGPD and GDPR here.
However, President Bolsonaro vetoed this provision, arguing that the requirement would impose an overly rigorous qualification, run counter to the public interest, and violate fundamental rights.
The bill signed into law also provides for the appointment of the DPO by the data controller, which is different from the procedure employed in appointing Data Protection Officers under the GDPR.
Another crucial update is that the requirement to appoint a Data Protection Officer under the LGPD now applies to both controllers and processors. Primarily, DPOs are expected to act as the communication channel between data subjects, the business, and the ANPD.
Regulatory Sanctions
The monetary penalties are unchanged in the final version of the LGPD, but it is still worth restating them.
The LGPD's administrative sanctions include:
- A warning, with a deadline for the adoption of corrective measures
- A fine of up to 2% of the company's revenue in Brazil in its last fiscal year, capped at 50 million reais per violation
- A daily fine, subject to the same cap
- Public disclosure of the violation once it has been investigated and confirmed
- Blocking or erasure of the personal data related to the violation in question
The final version also restores sanctions that had been vetoed in 2018: the ANPD may order the partial suspension of the database concerned for up to six months, suspend the processing activity for up to six months, or impose a partial or total prohibition on activities related to data processing.
Our detailed LGPD summary gives you a simplified, yet a comprehensive breakdown of the key provisions under Brazil’s data protection regulation.
For personalized LGPD compliance support, book a call with us today to speak with a data privacy and security expert.
Additional Resources:
Download your free LGPD e-book and have it delivered directly into your inbox.
See how businesses can prepare for Brazil’s Data Protection Law here.
See what are the LGPD Cookie Banner Requirements and take a look at the 2022 LGPD updates.