Brazil’s LGPD: The Complete Compliance Guide for Foreign Companies (2026)

10 March 2026

Brazil’s General Data Protection Law — Lei Geral de Proteção de Dados (LGPD), Law 13.709/2018 — is not a local regulation affecting only companies with a Brazilian address. It is a comprehensive data protection framework with explicit extraterritorial reach that applies to any foreign business offering goods or services to individuals in Brazil, collecting personal data from Brazilian residents, or running operations through a Brazilian subsidiary. With enforcement fully operational, the National Data Protection Authority (ANPD) actively investigating violations, and administrative fines capped at BRL 50 million per infraction, the LGPD is a material compliance obligation — not a background regulatory matter.

This guide is written for legal counsel, compliance officers, and decision-makers in foreign companies operating in or entering the Brazilian market. It provides a complete, practitioner-oriented analysis of the LGPD’s requirements: its territorial scope, legal bases for processing, the critical differences from the GDPR that require specific adaptation, the international data transfer regime under ANPD Resolution 19/2024, employment data obligations, the sanctions framework, and data protection in M&A transactions. It also answers the specific scenarios that foreign businesses ask most frequently — from SaaS providers and PEO/EOR arrangements to intragroup HR data flows and B2B operations.

This article is part of Barbieri Advogados’ English-language legal resource cluster on Brazilian law for foreign investors, alongside our guides on labor law, corporate taxation and withholding tax.

Does the LGPD Apply to Your Business? The Three Triggers of Article 3

Article 3 of the LGPD sets out three independent triggers, any one of which is sufficient to bring a foreign business within the law’s scope. The first trigger is straightforward: the LGPD applies when processing operations take place in Brazilian territory. The second — and the one with the broadest impact for foreign businesses — applies when the processing activity aims to offer or supply goods or services to individuals located in Brazil. The third applies when the personal data being processed was originally collected in Brazil, regardless of where it is subsequently processed.

The second trigger operates similarly to the GDPR’s targeting criterion. A foreign e-commerce platform that displays prices in Brazilian reais, accepts Brazilian credit cards, or ships to Brazilian addresses is targeting individuals in Brazil. A foreign SaaS company with Brazilian corporate clients whose employees use the platform from Brazil is processing data of individuals in Brazil. A foreign logistics provider with Brazilian carriers as counterparties is processing personal data collected in Brazilian territory. Each of these scenarios brings the foreign company within the LGPD’s scope for all data collected in those relationships — no Brazilian legal entity or server is required.

Six Practical Scenarios: Does LGPD Apply to Your Operation?

Scenario 1 — Foreign company with Brazilian employees or contractors. If your company employs or engages individuals working from Brazil — whether through direct employment, a PEO/EOR arrangement, or independent contractor agreements — it is processing personal data of individuals located in Brazilian territory. The LGPD applies in full to that employment or service relationship. This is one of the most common entry points into LGPD compliance for foreign companies that have not yet established a Brazilian entity.

Scenario 2 — SaaS or digital platform with Brazilian business clients. Even if your Brazilian clients are legal entities, their employees use your platform from Brazilian territory, and their contact persons — names, emails, roles — are personal data of individuals in Brazil. The LGPD applies. If your platform processes data on behalf of Brazilian companies, you are likely acting as an operator under the LGPD and must comply with the obligations applicable to that role, including the ability to execute Data Processing Agreements with your Brazilian clients.

Scenario 3 — Brazilian subsidiary of a foreign group. The subsidiary is a fully autonomous controller under the LGPD. Its compliance obligations are independent of the parent company’s compliance under the law of another jurisdiction. The parent company, when it receives, accesses, or otherwise processes personal data originating from the subsidiary’s Brazilian operations, becomes either a joint controller or a processor of Brazilian personal data — and must have legal basis and transfer mechanisms in place for that processing.

Scenario 4 — E-commerce or marketplace targeting Brazilian consumers. Accepting orders, processing payments, and managing deliveries for Brazilian consumers constitutes offering goods and services to individuals in Brazil. The LGPD applies to all personal data collected in this context: purchase history, shipping addresses, payment data, customer service interactions. The absence of a Brazilian legal entity does not create an exemption.

Scenario 5 — B2B company with no direct consumer relationships in Brazil. Even pure B2B operations encounter personal data in Brazil. The employees and representatives of your Brazilian corporate clients whose names, emails, and professional details you collect and process are natural persons. That processing falls within the LGPD’s scope. Where your company acts as an operator — processing data on behalf of a Brazilian controller — LGPD obligations applicable to processors apply.

Scenario 6 — Former Brazilian employees now working abroad. If individuals were located in Brazil when your company collected their personal data — during their employment or contracting period in Brazil — that data was collected in Brazilian territory. The LGPD may continue to apply to the processing of that data, depending on the nature and purpose of the ongoing treatment.

LGPD vs. GDPR: Key Differences That Require Specific Adaptation

Foreign companies that have already invested in GDPR compliance — particularly European multinationals — frequently assume that their existing data protection programme satisfies LGPD requirements. It does not. While the two laws share a principles-based architecture and a similar taxonomy of data subject rights, there are several material differences that require specific adaptation for the Brazilian context. Understanding those differences is the starting point for any LGPD gap analysis.

| Topic | LGPD (Brazil) | GDPR (EU) | Practical Impact |
|---|---|---|---|
| Legal basis for sensitive data | Art. 11 — restricted list; no legitimate interest | Art. 9 — restricted list; legitimate interest available in some MS | AI systems, biometric tools, health analytics relying on LI under GDPR need a new basis in Brazil |
| Legitimate interest (ordinary data) | Available (Art. 7º, IX) with balancing test expected by ANPD | Available (Art. 6(1)(f)) with LIA documentation | Documentation of balancing test required; GDPR LIA may not satisfy ANPD expectations |
| DPO (Encarregado) obligation | All controllers must appoint; simplified regime for small operators | Mandatory only for public bodies, large-scale monitoring, and sensitive data processing | Many companies exempt from GDPR DPO obligation must appoint one in Brazil |
| International transfers | No adequacy decisions yet; requires ANPD-specific SCCs (Res. 19/2024) | EU SCCs available; adequacy decisions for multiple countries | Separate SCC framework needed for outbound transfers from Brazil; EU SCCs insufficient |
| Fine calculation base | 2% of Brazilian revenue, capped at BRL 50M per infraction | 4% of global annual turnover, up to €20M | LGPD cap lower in absolute terms for large groups; but BRL 50M per infraction — multiple fines possible |
| Breach notification deadline | 3 business days to ANPD (Res. 15/2024) | 72 hours to supervisory authority | LGPD deadline is similar but counted in business days; also requires notification to affected data subjects |
| Consent for sensitive data | Must be specific, highlighted, and for specific purposes; cannot be bundled | Must be explicit; can be combined with other consents in some interpretations | Generic consent clauses valid under GDPR may not satisfy LGPD’s highlighting requirement |
| Right to deletion | Available but broader exceptions in employment and legal basis contexts | Right to erasure (Art. 17) with defined exceptions | Scope of deletion rights differs; LGPD allows broader retention for legal basis compliance |
| Binding corporate rules | Available in law; ANPD procedural regulation not yet published | Fully operational; approved by lead supervisory authority | BCRs unavailable as transfer mechanism in Brazil until ANPD regulation is issued |

The most operationally consequential difference is the unavailability of legitimate interest as a legal basis for sensitive personal data under the LGPD. European companies often rely on Article 9(2)(g) of the GDPR — substantial public interest — or on legitimate interest for certain sensitive data processing activities, particularly in AI, HR analytics, and health technology. None of those bases translates directly into an equivalent LGPD provision. Brazilian operations that process sensitive data must find a valid basis within Article 11’s restricted list — most commonly specific consent, legal obligation, or health care protection by a qualified professional.

Legal Bases for Data Processing Under the LGPD

Ordinary personal data — Article 7’s ten bases

Article 7 of the LGPD establishes ten legal bases for the processing of ordinary personal data — information that does not fall within the sensitive categories of Article 5, II. For foreign businesses, the most frequently applicable are: consent of the data subject, which must be free, informed, and given for specific purposes; compliance with a legal or regulatory obligation, which covers processing required by Brazilian tax, labour, or sector-specific legislation; performance of a contract to which the data subject is a party; and legitimate interest of the controller or a third party, provided those interests are not overridden by the data subject’s fundamental rights.

Consent under the LGPD must be specific — a general acceptance of terms and conditions does not constitute valid consent for data processing. It must be freely given — consent conditioned on access to a service is presumed not free. And it must be revocable at any time, with the revocation not affecting the lawfulness of processing carried out before withdrawal but creating an obligation to cease further processing. Companies that have built data collection strategies around consent under a more permissive regulatory environment should conduct a consent validity review before relying on that basis for Brazilian data subjects.

Sensitive personal data — Article 11’s restricted bases and the absence of legitimate interest

Article 5, II of the LGPD defines sensitive personal data as information relating to racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organisation membership, health or sex life, genetic data, and biometric data when linked to a natural person. Processing these categories is only permitted under the more restrictive bases of Article 11 — and, critically, legitimate interest is not among them.

The practical implications for foreign companies are significant across several sectors. Artificial intelligence systems that process facial images for identification, emotion detection, or behavioural analysis are processing biometric and potentially health-related data; they cannot rely on legitimate interest for Brazilian deployments. HR analytics platforms that infer health conditions, genetic characteristics, or political opinions from employee behaviour data are processing sensitive data inferences; they need a valid Article 11 basis. Health technology companies processing patient or user health data need consent that is specific to identified purposes — not bundled into a generic app terms acceptance.

The most applicable Article 11 bases in a commercial context are: specific and highlighted consent for defined purposes; compliance with a legal or regulatory obligation; the regular exercise of rights in labour, judicial, or administrative proceedings; and health care protection, exclusively by health professionals subject to professional secrecy. When assessing whether a sensitive data processing activity has an adequate legal basis, the analysis must start with Article 11 — not Article 7.

International Data Transfers: The 2024 Regulatory Framework

The Article 33 regime and available mechanisms

Article 33 of the LGPD prohibits transfers of personal data to foreign countries or international bodies unless the transfer is covered by one of the law’s permitted mechanisms. This restriction applies to all categories of personal data — ordinary and sensitive — and to all transfer modalities: database replication, API integrations, cloud infrastructure, intragroup IT systems, and email communication containing personal data sent to recipients abroad.

The available mechanisms include: a transfer to a country or body recognised by the ANPD as providing an adequate level of protection; transfers under standard contractual clauses approved by the ANPD; binding corporate rules approved by the ANPD; specific and highlighted consent of the data subject for the transfer; and limited situational bases such as international legal cooperation, contract performance, and protection of life. As of early 2026, the ANPD has not issued an adequacy decision for any country — including EU Member States and the United States. This means that for the vast majority of commercial transfers, the operative mechanism is the standard contractual clauses established by ANPD Resolution CD/ANPD 19/2024.

Resolution 19/2024: what you need to know

Resolution CD/ANPD nº 19, published in August 2024, is the foundational regulation for international data transfers from Brazil. It establishes two sets of standard contractual clauses: one for controller-to-controller transfers and one for controller-to-processor transfers. Both sets must be incorporated into the data sharing agreements that govern each cross-border data flow. The clauses bind the foreign recipient to the LGPD obligations applicable to its role and create direct enforcement rights for Brazilian data subjects against the foreign recipient.

Several points about Resolution 19/2024 deserve specific attention for foreign companies structuring their transfer frameworks. First, the Brazilian SCCs are not interchangeable with EU SCCs. A company that has already executed 2021 EU SCCs for data flows between European and Brazilian entities has addressed the GDPR’s requirements for the Europe-to-Brazil direction, but has not addressed the LGPD’s requirements for the Brazil-to-Europe direction. Two separate SCC frameworks are needed for bidirectional flows. Second, the resolution covers not just transfers to third-country companies but also intragroup transfers — data flowing from a Brazilian subsidiary to a foreign parent within the same corporate group requires the same mechanisms as a transfer to an independent third party. Third, the resolution does not create a simplified procedure for small or low-risk transfers; it applies equally to a Brazilian startup transferring employee data to its US-based founder’s company and to a multinational group moving petabytes of customer data across jurisdictions.

Intragroup transfers: the subsidiary-to-parent flow

Intragroup data flows — Brazilian subsidiary sending employee, customer, or operational data to the foreign parent for consolidated reporting, centralised HR systems, shared IT infrastructure, or group analytics — are among the most common international data transfer scenarios and among the most frequently uncovered as non-compliant in due diligence exercises. The existence of a corporate relationship between sender and recipient creates no exemption under the LGPD.

The correct structure for intragroup transfers involves: identifying the role of each entity — whether the parent acts as a joint controller (determining purposes jointly with the subsidiary) or as a processor (processing data under the subsidiary’s instructions); executing the appropriate set of Resolution 19/2024 SCCs between the subsidiary and the parent entity (or entities) receiving the data; and maintaining those agreements as part of the subsidiary’s records of processing activities. Groups with parent companies in multiple jurisdictions — a US holding company, an EU operational headquarters, and regional shared service centres — need bilateral SCC sets between the Brazilian subsidiary and each receiving entity.

Brazil–EU flows: what changes after Resolution 19/2024

European companies with Brazilian subsidiaries often assume that their existing GDPR compliance infrastructure covers data flows in both directions. It does not. EU SCCs govern the flow of personal data from EU entities to third countries — including Brazil. Resolution 19/2024 SCCs govern the flow of personal data from Brazil to other countries — including EU Member States. For bidirectional flows between a Brazilian entity and an EU entity, both sets of clauses are independently required, and they are not equivalent: the Brazilian clauses contain Brazil-specific data subject rights provisions and ANPD cooperation obligations that the EU clauses do not address.

Brazil–US flows: the transfer gap

For US companies, the situation is more complex. There is no adequacy decision, no bilateral data privacy framework comparable to the EU-US Data Privacy Framework, and no simplified mechanism for US–Brazil flows. The available options are Resolution 19/2024 SCCs or, in limited scenarios, explicit data subject consent. Companies transferring employee payroll data, customer contact information, or operational data between Brazilian and US entities without a properly executed SCC framework are in violation of Article 33 of the LGPD — one of the most frequently identified compliance gaps in Brazil-US corporate operations.

Employment Data: Obligations for Foreign Employers

Every employer with employees or contractors in Brazil is a controller of sensitive and ordinary personal data under the LGPD, regardless of where the employing entity is incorporated. The law applies in full to the employment relationship, and the absence of a dedicated employment data chapter — unlike the GDPR, which allows Member States to legislate specific employment data rules — means the general LGPD regime governs without sector-specific relief. Foreign employers frequently underestimate the scope of this obligation when structuring their first Brazilian hires through a PEO/EOR or direct employment model.

Data categories and legal bases across the employment lifecycle

The legal basis required depends on the category of data being processed and the purpose. Ordinary personal data in a payroll and HR context — names, tax IDs, bank account details, contact information — is typically processed under legal obligation (Brazilian labour, tax, and social security legislation) or contract performance. Sensitive data requires Article 11 bases: health data from medical certificates and occupational health programmes is covered by legal obligation and health care protection by qualified professionals; biometric data from fingerprint or facial recognition time-and-attendance systems is covered by legal obligation under Ministerial Order MTP 671/2021, which regulates electronic point registration; union membership data used for dues deduction is covered by legal obligation.

The critical access control principle for health data is one that many foreign employers implement incorrectly: the occupational physician (médico do trabalho) may access an employee’s health records for occupational health purposes, but may transmit only the fitness determination — fit or unfit for role — to HR. Diagnoses, clinical findings, and medical record details are protected by professional secrecy and must not reach HR managers, direct supervisors, or payroll processors. Sharing health data beyond this boundary violates both the LGPD and the professional ethics rules applicable to medical professionals in Brazil.

Biometric time-and-attendance: the highest-risk area

Biometric data — fingerprints, facial recognition maps, iris scans — collected for employee time-and-attendance control is sensitive personal data under Article 5, II of the LGPD. Two compliance requirements are frequently missed. First, biometric data may only be used for the purpose declared to the employee (control of working hours, or jornada); any additional use — surveillance, movement tracking, productivity analysis — requires a separate legal basis, which in an employment context almost invariably means specific consent, with all the fragility that entails once the power asymmetry of the employment relationship is considered. Second, when an employee’s contract ends, the biometric data must be deleted in accordance with a defined retention schedule; indefinite storage of biometric data of former employees is a common ANPD enforcement target.

The LGPD clause in employment contracts

Brazilian law does not mandate an LGPD clause in employment contracts, but Article 9 of the LGPD requires controllers to provide data subjects with clear, accessible information about data processing at or before the point of collection. In the employment context, the most efficient way to fulfil this transparency obligation — and to document its fulfilment — is a data protection clause in the employment agreement or a standalone privacy notice delivered and acknowledged at onboarding. The document must identify the categories of data collected, the purposes and legal bases for each category, the recipients or categories of recipients, the data retention periods, and the employee’s rights as a data subject. It must be written in plain language — not in technical or legal terminology that the employee cannot reasonably be expected to understand.

Transferring employee data to the foreign parent

Consolidating Brazilian employee data in a global HR system hosted outside Brazil — payroll, performance data, training records, benefit administration — is a common operational necessity for multinationals and a consistently underdocumented international data transfer. The transfer must be covered by Resolution 19/2024 SCCs between the Brazilian employer and the foreign entity hosting the system, whether that is the parent company, a group shared service centre, or a third-party cloud HR platform. The foreign host of a global HR system that processes data of Brazilian employees is a processor of Brazilian personal data and must be bound by a Data Processing Agreement that incorporates the applicable LGPD obligations.

Accountability: Organisational Requirements

Records of processing activities (Article 37)

Article 37 of the LGPD requires all controllers and operators to maintain records of the personal data processing activities they carry out. These records — equivalent to the GDPR’s Records of Processing Activities (RoPA) but with LGPD-specific content requirements — must document for each processing activity: the categories of personal data; the categories of data subjects; the purposes and legal bases; the recipients or categories of recipients; and the envisaged retention periods or the criteria used to determine them. The ANPD may request access to these records at any time, and their absence or inadequacy is treated as an independent compliance failure. For foreign subsidiaries inheriting group-wide RoPA structures from their parent companies, the adaptation task is to verify that the legal bases recorded are the Brazilian ones — which may differ from the European or American bases applicable in other jurisdictions.

Data Protection Officer — the Encarregado (Article 41)

Unlike the GDPR, which limits the DPO obligation to specific categories of controllers, the LGPD requires all controllers to appoint an Encarregado (Data Protection Officer), with simplified requirements only for small-scale processing agents under Resolution CD/ANPD 2/2022. The Encarregado’s identity and contact details must be publicly disclosed — typically on the company’s website — and the channel must be accessible to Brazilian data subjects and to the ANPD. Resolution CD/ANPD 18/2024 details the Encarregado’s functions: receiving data subject requests and ANPD communications, guiding employees on data protection practices, and coordinating incident response.

For multinationals, the most common structural choice is to designate a global DPO with Brazilian coverage — often the same individual or firm serving as GDPR DPO for European operations. This is permissible, provided the channel is accessible in Portuguese, responses to Brazilian data subjects are timely, and the DPO has sufficient knowledge of Brazilian-specific requirements (which differ from GDPR in the ways described throughout this article). A DPO fluent only in GDPR requirements, without LGPD-specific training, does not satisfy the Encarregado’s substantive obligations.

Data Protection Impact Assessment — RIPD (Article 38)

The RIPD (Relatório de Impacto à Proteção de Dados Pessoais) is the LGPD’s equivalent of the GDPR’s DPIA. The ANPD may request its completion for processing operations that could generate risks to civil liberties and fundamental rights — and its published guidance indicates that the RIPD is strongly recommended, and may be compelled, for: large-scale processing of sensitive data; biometric identification systems; AI-powered profiling; and new technologies with potentially significant impact on data subjects. Companies launching AI products, biometric access systems, or health data applications in Brazil should incorporate the RIPD into their product launch process, not address it retroactively after ANPD scrutiny.

Vendor management and Data Processing Agreements

Article 46 of the LGPD requires controllers to ensure that their operators implement adequate technical and organisational security measures. This translates into a contractual obligation: every vendor, service provider, or contractor that processes personal data on behalf of the company must have a signed Data Processing Agreement (DPA) that binds them to the applicable LGPD obligations. The absence of DPAs with key processors — cloud infrastructure providers, HR software vendors, payroll processors, biometric system suppliers, marketing automation platforms — is consistently identified as a material gap in LGPD compliance audits and M&A due diligence exercises. For foreign companies contracting with Brazilian vendors, the DPA also needs to specify the legal basis for any data transfers if the vendor will process data outside Brazil.

Enforcement, Sanctions and Civil Liability

The ANPD’s enforcement trajectory

The ANPD began its enforcement phase in 2023. Its first administrative sanction was issued in Administrative Process nº 00261.000489/2022-62 against Telekall Infoservice, a telecommunications company found to have shared personal data without an adequate legal basis. The fine — BRL 14,400 — was modest and expressly calibrated to the company’s small size, reflecting the ANPD’s stated policy of graduated enforcement proportionate to the violating entity’s scale and economic capacity. The ANPD has signalled clearly that enforcement against larger companies, in cases involving sensitive data processing or large-scale violations, will result in proportionately higher sanctions. Companies should not use the Telekall fine quantum as a risk benchmark for their own exposure.

Administrative sanctions: the Article 52 toolkit

The ANPD’s enforcement toolkit is graduated and cumulative. From least to most severe: warning with mandatory corrective measures and a defined remediation period; administrative fine of up to 2% of the company’s annual revenue in Brazil, capped at BRL 50 million per infraction; daily fine, also capped at BRL 50 million in aggregate; public disclosure of the infraction in the ANPD’s official communications after the final administrative decision becomes res judicata; blocking of the personal data involved in the violation; elimination of the personal data; suspension of the relevant database or processing activities for up to six months, extendable for a further six months; and partial or total prohibition of data processing activities.

Three aspects of this sanctions structure deserve particular attention for foreign companies. First, the BRL 50 million cap applies per infraction — a company found to have committed multiple simultaneous violations across different processing activities may face multiple fines, each up to the cap. Second, the public disclosure sanction — formal naming of the violating company in ANPD communications — creates reputational consequences that may far exceed the financial impact of the fine itself, particularly for companies with public disclosure obligations or ESG commitments. Third, the prohibition of processing activities is the most severe sanction available short of market exit, and it can be applied to specific processing activities (e.g., biometric processing, international transfers) without necessarily shutting down all of the company’s Brazilian operations.

Civil liability: objective standard, no fault required

Articles 42 to 45 of the LGPD establish a civil liability regime that operates independently of — and concurrently with — the ANPD’s administrative sanctions. The standard is objective: the controller is liable for damages caused to data subjects resulting from violations of the LGPD without any requirement for the claimant to prove fault, negligence, or intent. The controller can only escape liability by demonstrating that: it did not carry out the processing in question; it complied fully with the LGPD and the damage resulted exclusively from the data subject’s own conduct; or the damage resulted from a third party’s conduct over which the controller had no control. The burden of proof in these defences lies with the controller.

Operators — vendors and service providers processing data on behalf of the controller — are jointly and severally liable with the controller when their failure to comply with LGPD obligations or the controller’s lawful instructions contributed to the damage. This joint liability exposure makes DPAs not merely a compliance formality but a material contractual risk management instrument: a well-drafted DPA allocates liability between controller and operator and provides indemnification mechanisms that can mitigate the controller’s exposure in disputes with data subjects.

Brazilian courts — including the Labour Courts for employment-related claims and the civil courts and Juizados Especiais for consumer and general data protection claims — have been increasingly receptive to data privacy claims. The Superior Court of Justice (STJ) has addressed data breach liability in cases involving utilities and financial institutions, recognising collective and individual moral damages arising from large-scale breaches. The accessibility of the Juizados Especiais — small claims courts with no filing fees and optional legal representation — means that individual data subjects have a low-friction path to judicial remedies, which tends to increase litigation volumes following disclosed data incidents.

LGPD in M&A: Due Diligence and Structuring

Data protection has become a standard component of legal due diligence in Brazilian M&A transactions. A target company’s personal data assets — customer databases, employee records, proprietary datasets — are often among its most valuable intangible assets. They are simultaneously among its most material contingent liabilities when collected, stored, or shared without adequate legal basis. Undisclosed ANPD investigations, non-compliant biometric systems, invalid consent bases for customer databases, and missing DPAs with key vendors: each represents a potential post-closing liability that should be identified, quantified, and addressed in the transaction documentation.

The LGPD due diligence checklist

A structured LGPD due diligence assessment for a Brazilian acquisition should cover eight core areas.

1) Data mapping and records of processing activities — does the company maintain a current inventory of its processing activities, with legal bases documented for each? Absence of data mapping is the single most reliable indicator of immature compliance.
2) Legal bases adequacy — are the bases claimed for key processing activities legally sufficient? This includes both ordinary data (Art. 7) and sensitive data (Art. 11) bases, with particular scrutiny of any reliance on consent for commercial data collections.
3) History of incidents — has the company experienced security incidents? Were they notified to the ANPD and to affected data subjects as required by Resolution 15/2024? Are there open ANPD investigations?
4) Data Processing Agreements — are DPAs in place with key vendors? Do they contain the minimum LGPD-required provisions?
5) International data transfers — does the company transfer personal data outside Brazil? Are those transfers covered by Resolution 19/2024 SCCs or another valid mechanism?
6) DPO governance — has an Encarregado been appointed? Is the contact channel publicly available?
7) Employee data — are employment contracts updated with data protection clauses? Are biometric systems properly grounded in a legal basis?
8) Customer and commercial data — were consent bases valid when collected? Are data retention periods defined and observed?

Representations, warranties and indemnification

Transaction documentation for Brazilian acquisitions should include LGPD-specific representations and warranties by the seller covering: absence of open ANPD investigations or formal notices; absence of pending data subject claims; material compliance with the LGPD in all processing activities; notification of all material security incidents as required; and validity of the legal bases relied upon for key processing activities. Indemnification provisions should cover post-closing ANPD enforcement actions relating to pre-closing conduct, civil liability claims by data subjects for pre-closing processing violations, and the cost of remediation necessary to bring the acquired company’s data protection practices to the acquirer’s compliance standard. Representations as to LGPD compliance should survive closing for a period aligned with the ANPD’s administrative investigation limitation period, which the ANPD is in the process of formalising through regulation.

Post-closing integration

The integration of an acquired Brazilian company into the acquiring group’s data governance framework requires a sequenced set of LGPD-specific actions that should be planned before closing and executed promptly after. Update or execute Data Processing Agreements reflecting the new group structure. Assess and, where necessary, execute Resolution 19/2024 SCCs for data flows from the Brazilian entity to group companies abroad. Update privacy notices to data subjects — customers, employees, and commercial counterparties — to reflect the new controlling entity. Align the Brazilian entity’s information security controls with the group’s baseline. Integrate it into the group’s incident response and breach notification procedures. Failure to complete these steps creates a scenario in which the acquirer owns the liability for violations that, while originating in the target’s pre-existing practices, continue under the acquirer’s control post-closing.

Building LGPD Compliance for a Brazilian Subsidiary: The Minimum Viable Programme

For a foreign company establishing or acquiring a Brazilian subsidiary, the minimum viable LGPD compliance programme has five foundational components.

1) A data mapping exercise that produces a current inventory of all processing activities, with legal bases, purposes, retention periods and recipients documented for each.
2) A legal bases review that verifies the adequacy of the identified bases — with particular attention to sensitive data categories and the absence of legitimate interest in Article 11 — and remediates the gaps identified, which may include updating consent mechanisms, identifying alternative bases or restructuring processing activities.
3) A privacy notice infrastructure comprising a public-facing privacy policy accessible on the company’s website in Portuguese; an employee privacy notice (standalone or as a contractual clause) delivered at onboarding; and, where applicable, a data subject rights request procedure accessible to Brazilian data subjects.
4) An Encarregado appointment with publicly disclosed contact information, a defined scope of responsibilities and the operational capacity to respond to ANPD communications and data subject requests in Portuguese.
5) A vendor management programme that inventories all third-party processors of Brazilian personal data, prioritises DPA execution with those handling sensitive data or operating critical systems, and includes data transfer mechanisms for any vendor processing Brazilian data outside the country.

These five components are the foundation; a mature programme builds on them with a RIPD (Relatório de Impacto à Proteção de Dados, the LGPD’s data protection impact assessment) methodology for high-risk processing, a security incident response plan calibrated to Resolution 15/2024’s 3-business-day notification requirement, a data retention and deletion schedule aligned with Brazilian statutory periods, and an ongoing regulatory monitoring function that tracks ANPD rulemaking — which, as of 2026, includes active rulemakings on AI, children’s data, and BCR procedures.

Frequently Asked Questions

1) Does the LGPD apply to foreign companies with no office in Brazil?

Yes. Article 3’s three triggers — processing in Brazilian territory, offering goods or services to individuals in Brazil, and processing data collected in Brazil — operate independently and do not require physical presence. A foreign company serving Brazilian customers, employing Brazilian contractors, or replicating Brazilian data to foreign servers is subject to the LGPD for all data collected in those activities.

2) Is LGPD compliance the same as GDPR compliance?

No. Material differences require specific adaptation: LGPD prohibits legitimate interest as a basis for sensitive data; requires all controllers to appoint an Encarregado without the GDPR’s threshold exceptions; mandates Brazil-specific standard contractual clauses for international transfers under Resolution 19/2024; and calculates fines on Brazilian revenue rather than global turnover. GDPR SCCs do not satisfy LGPD transfer requirements for outbound flows from Brazil.

3) How must a Brazilian subsidiary transfer employee data to its foreign parent?

As an international data transfer under Article 33. The operative mechanism in the absence of an ANPD adequacy decision — which does not exist for any country — is the standard contractual clauses of Resolution 19/2024. A Data Processing Agreement must be executed between the subsidiary and the parent, reflecting their controller/processor or joint controller roles. The intragroup nature of the transfer creates no exemption.

4) What are the LGPD penalties for violations?

Administrative fines of up to 2% of Brazilian revenue per infraction, capped at BRL 50 million; daily fines; public disclosure; data blocking and deletion; processing suspension; and prohibition of processing activities. Controllers also face objective civil liability for damages to data subjects without any need to prove fault. Multiple simultaneous violations may result in multiple fines, each up to the BRL 50 million cap.

5) What is LGPD due diligence in a Brazilian M&A transaction?

A structured investigation covering: data mapping quality; legal bases adequacy; incident history and ANPD interactions; DPA coverage with key vendors; international transfer mechanisms; DPO governance; and employee data systems. Results inform representations and warranties, indemnification for pre-closing violations, and a post-closing integration roadmap.

6) Does LGPD apply to B2B companies with no direct consumer relationships in Brazil?

Yes. Even in a pure B2B context, the names, emails, and professional details of employees and representatives of Brazilian corporate clients are personal data of natural persons in Brazil. Where the foreign company processes data on behalf of a Brazilian controller, it is an operator under the LGPD and must comply with applicable operator obligations.

Conclusion

The LGPD is a mature, actively enforced data protection framework that applies to any foreign business with meaningful contact with the Brazilian market. The ANPD is operational, its regulatory output is comprehensive, and its enforcement trajectory is moving from guidance toward sanctions. For foreign companies, the compliance imperatives are clear: assess territorial applicability, establish legal bases for each processing activity — applying the more restrictive Article 11 standard to sensitive data and accepting that legitimate interest is unavailable for that category — structure international data transfers through Resolution 19/2024 SCCs, appoint an Encarregado, maintain processing records, and execute DPAs with all processors of Brazilian personal data.

The cost of building this structure is manageable and, for companies already operating under the GDPR, largely consists of gap-closing adaptations rather than building from scratch. The cost of not building it — ANPD sanctions, civil liability exposure, reputational risk from public infraction disclosure, and the increased scrutiny that disclosed violations bring — is materially higher. Brazil is one of the world’s ten largest economies and a strategically significant digital market; the LGPD is part of the cost of operating in it at the standard that Brazilian data subjects and the ANPD now expect.

Barbieri Advogados provides integrated legal advice on LGPD compliance for foreign investors, covering data protection structuring, international transfer documentation, employment data compliance, and M&A due diligence. Our team combines expertise in Brazilian business law, labour law and digital regulation — the combination most relevant to foreign groups structuring LGPD compliance across their Brazilian operations.

This article has been prepared for

The second trigger operates similarly to the GDPR’s targeting criterion. A foreign e-commerce platform that displays prices in Brazilian reais, accepts Brazilian credit cards, or ships to Brazilian addresses is targeting individuals in Brazil. A foreign SaaS company with Brazilian corporate clients whose employees use the platform from Brazil is processing data of individuals in Brazil. A foreign logistics provider with Brazilian carriers as counterparties is processing personal data collected in Brazilian territory. Each of these scenarios brings the foreign company within the LGPD’s scope for all data collected in those relationships — no Brazilian legal entity or server is required.

Six Practical Scenarios: Does LGPD Apply to Your Operation?

Scenario 1 — Foreign company with Brazilian employees or contractors. If your company employs or engages individuals working from Brazil — whether through direct employment, a PEO/EOR arrangement, or independent contractor agreements — it is processing personal data of individuals located in Brazilian territory. The LGPD applies in full to that employment or service relationship. This is one of the most common entry points into LGPD compliance for foreign companies that have not yet established a Brazilian entity.

Scenario 2 — SaaS or digital platform with Brazilian business clients. Even if your Brazilian clients are legal entities, their employees use your platform from Brazilian territory, and their contact persons — names, emails, roles — are personal data of individuals in Brazil. The LGPD applies. If your platform processes data on behalf of Brazilian companies, you are likely acting as an operator under the LGPD and must comply with the obligations applicable to that role, including the ability to execute Data Processing Agreements with your Brazilian clients.

Scenario 3 — Brazilian subsidiary of a foreign group. The subsidiary is a fully autonomous controller under the LGPD. Its compliance obligations are independent of the parent company’s compliance under the law of another jurisdiction. The parent company, when it receives, accesses, or otherwise processes personal data originating from the subsidiary’s Brazilian operations, becomes either a joint controller or a processor of Brazilian personal data — and must have legal basis and transfer mechanisms in place for that processing.

Scenario 4 — E-commerce or marketplace targeting Brazilian consumers. Accepting orders, processing payments, and managing deliveries for Brazilian consumers constitutes offering goods and services to individuals in Brazil. The LGPD applies to all personal data collected in this context: purchase history, shipping addresses, payment data, customer service interactions. The absence of a Brazilian legal entity does not create an exemption.

Scenario 5 — B2B company with no direct consumer relationships in Brazil. Even pure B2B operations encounter personal data in Brazil. The employees and representatives of your Brazilian corporate clients whose names, emails, and professional details you collect and process are natural persons. That processing falls within the LGPD’s scope. Where your company acts as an operator — processing data on behalf of a Brazilian controller — LGPD obligations applicable to processors apply.

Scenario 6 — Former Brazilian employees now working abroad. If individuals were located in Brazil when your company collected their personal data — during their employment or contracting period in Brazil — that data was collected in Brazilian territory. The LGPD may continue to apply to the processing of that data, depending on the nature and purpose of the ongoing treatment.

LGPD vs. GDPR: Key Differences That Require Specific Adaptation

Foreign companies that have already invested in GDPR compliance — particularly European multinationals — frequently assume that their existing data protection programme satisfies LGPD requirements. It does not. While the two laws share a principles-based architecture and a similar taxonomy of data subject rights, there are several material differences that require specific adaptation for the Brazilian context. Understanding those differences is the starting point for any LGPD gap analysis.

Topic | LGPD (Brazil) | GDPR (EU) | Practical impact
Legal basis for sensitive data | Art. 11 — restricted list; no legitimate interest | Art. 9 — restricted list; the Art. 6 basis (which may be legitimate interest) must be paired with an Art. 9(2) condition, several of which depend on Member State law | AI systems, biometric tools and health analytics that rely on legitimate interest under the GDPR need a new basis in Brazil
Legitimate interest (ordinary data) | Available (Art. 7, IX) with a balancing test expected by the ANPD | Available (Art. 6(1)(f)) with LIA documentation | Documentation of the balancing test required; a GDPR LIA may not satisfy ANPD expectations
DPO (Encarregado) obligation | All controllers must appoint; waived only for small-scale processing agents under Res. CD/ANPD 2/2022, which must still offer a contact channel | Mandatory only for public bodies, large-scale regular monitoring and large-scale sensitive data processing | Many companies exempt from the GDPR DPO obligation must appoint one in Brazil
International transfers | No adequacy decisions yet; requires ANPD-specific SCCs (Res. 19/2024) | EU SCCs available; adequacy decisions for multiple countries | Separate SCC framework needed for outbound transfers from Brazil; EU SCCs insufficient
Fine calculation base | 2% of Brazilian revenue, capped at BRL 50M per infraction | 4% of global annual turnover or €20M, whichever is higher | LGPD cap lower in absolute terms for large groups, but BRL 50M applies per infraction, so multiple fines are possible
Breach notification deadline | 3 business days to the ANPD and to affected data subjects (Res. 15/2024) | 72 hours to the supervisory authority; data subjects notified only where the risk is high | Similar deadline, but counted in business days and running simultaneously for the ANPD and the affected data subjects
Consent for sensitive data | Must be specific, highlighted and for specific purposes; cannot be bundled | Must be explicit; can be combined with other consents in some interpretations | Generic consent clauses valid under the GDPR may not satisfy the LGPD’s highlighting requirement
Right to deletion | Available, with broader exceptions in employment and legal basis contexts | Right to erasure (Art. 17) with defined exceptions | Scope of deletion rights differs; LGPD allows broader retention for legal basis compliance
Binding corporate rules | Available in law; ANPD procedural regulation not yet published | Fully operational; approved by the lead supervisory authority | BCRs unavailable as a transfer mechanism in Brazil until ANPD regulation is issued

The most operationally consequential difference is the unavailability of legitimate interest as a legal basis for sensitive personal data under the LGPD. European companies often pair legitimate interest under Article 6(1)(f) of the GDPR with an Article 9(2) condition — typically Article 9(2)(g), substantial public interest grounded in Member State law — for certain sensitive data processing activities, particularly in AI, HR analytics, and health technology. That construction has no LGPD equivalent: Brazilian operations that process sensitive data must find a valid basis within Article 11’s restricted list — most commonly specific consent, legal obligation, or health care protection by a qualified professional.

Legal Bases for Data Processing Under the LGPD

Ordinary personal data — Article 7’s ten bases

Article 7 of the LGPD establishes ten legal bases for the processing of ordinary personal data — information that does not fall within the sensitive categories of Article 5, II. For foreign businesses, the most frequently applicable are: consent of the data subject, which must be free, informed, and given for specific purposes; compliance with a legal or regulatory obligation, which covers processing required by Brazilian tax, labour, or sector-specific legislation; performance of a contract to which the data subject is a party; and legitimate interest of the controller or a third party, provided those interests are not overridden by the data subject’s fundamental rights.

Consent under the LGPD must be specific — a general acceptance of terms and conditions does not constitute valid consent for data processing. It must be freely given, and where processing is a condition for supplying a product or service, Article 9, §3 requires that the data subject be informed of that fact with emphasis, together with the means available to exercise their rights. And it must be revocable at any time, with the revocation not affecting the lawfulness of processing carried out before withdrawal but creating an obligation to cease further processing. Companies that have built data collection strategies around consent under a more permissive regulatory environment should conduct a consent validity review before relying on that basis for Brazilian data subjects.

Sensitive personal data — Article 11’s restricted bases and the absence of legitimate interest

Article 5, II of the LGPD defines sensitive personal data as information relating to racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organisation membership, health or sex life, genetic data, and biometric data when linked to a natural person. Processing these categories is only permitted under the more restrictive bases of Article 11 — and, critically, legitimate interest is not among them.

The practical implications for foreign companies are significant across several sectors. Artificial intelligence systems that process facial images for identification, emotion detection, or behavioural analysis are processing biometric and potentially health-related data; they cannot rely on legitimate interest for Brazilian deployments. HR analytics platforms that infer health conditions, genetic characteristics, or political opinions from employee behaviour data are processing sensitive data inferences; they need a valid Article 11 basis. Health technology companies processing patient or user health data need consent that is specific to identified purposes — not bundled into a generic app terms acceptance.

The most applicable Article 11 bases in a commercial context are: specific and highlighted consent for defined purposes; compliance with a legal or regulatory obligation; the regular exercise of rights in labour, judicial, or administrative proceedings; and health care protection, exclusively by health professionals subject to professional secrecy. When assessing whether a sensitive data processing activity has an adequate legal basis, the analysis must start with Article 11 — not Article 7.

International Data Transfers: The 2024 Regulatory Framework

The Article 33 regime and available mechanisms

Article 33 of the LGPD prohibits transfers of personal data to foreign countries or international bodies unless the transfer is covered by one of the law’s permitted mechanisms. This restriction applies to all categories of personal data — ordinary and sensitive — and to all transfer modalities: database replication, API integrations, cloud infrastructure, intragroup IT systems, and email communication containing personal data sent to recipients abroad.

The available mechanisms include: a transfer to a country or body recognised by the ANPD as providing an adequate level of protection; transfers under standard contractual clauses approved by the ANPD; binding corporate rules approved by the ANPD; specific and highlighted consent of the data subject for the transfer; and limited situational bases such as international legal cooperation, contract performance, and protection of life. As of early 2026, the ANPD has not issued an adequacy decision for any country — including EU Member States and the United States. This means that for the vast majority of commercial transfers, the operative mechanism is the standard contractual clauses established by ANPD Resolution CD/ANPD 19/2024.

Resolution 19/2024: what you need to know

Resolution CD/ANPD nº 19, published in August 2024, is the foundational regulation for international data transfers from Brazil. It establishes two sets of standard contractual clauses: one for controller-to-controller transfers and one for controller-to-processor transfers. Both sets must be incorporated into the data sharing agreements that govern each cross-border data flow. The clauses bind the foreign recipient to the LGPD obligations applicable to its role and create direct enforcement rights for Brazilian data subjects against the foreign recipient.

Several points about Resolution 19/2024 deserve specific attention for foreign companies structuring their transfer frameworks. First, the Brazilian SCCs are not interchangeable with EU SCCs. A company that has already executed 2021 EU SCCs for data flows between European and Brazilian entities has addressed the GDPR’s requirements for the Europe-to-Brazil direction, but has not addressed the LGPD’s requirements for the Brazil-to-Europe direction. Two separate SCC frameworks are needed for bidirectional flows. Second, the resolution covers not just transfers to third-country companies but also intragroup transfers — data flowing from a Brazilian subsidiary to a foreign parent within the same corporate group requires the same mechanisms as a transfer to an independent third party. Third, the resolution does not create a simplified procedure for small or low-risk transfers; it applies equally to a Brazilian startup transferring employee data to its US-based founder’s company and to a multinational group moving petabytes of customer data across jurisdictions.

Intragroup transfers: the subsidiary-to-parent flow

Intragroup data flows — Brazilian subsidiary sending employee, customer, or operational data to the foreign parent for consolidated reporting, centralised HR systems, shared IT infrastructure, or group analytics — are among the most common international data transfer scenarios and among the most frequently uncovered as non-compliant in due diligence exercises. The existence of a corporate relationship between sender and recipient creates no exemption under the LGPD.

The correct structure for intragroup transfers involves: identifying the role of each entity — whether the parent acts as a joint controller (determining purposes jointly with the subsidiary) or as a processor (processing data under the subsidiary’s instructions); executing the appropriate set of Resolution 19/2024 SCCs between the subsidiary and the parent entity (or entities) receiving the data; and maintaining those agreements as part of the subsidiary’s records of processing activities. Groups with parent companies in multiple jurisdictions — a US holding company, an EU operational headquarters, and regional shared service centres — need bilateral SCC sets between the Brazilian subsidiary and each receiving entity.

Brazil–EU flows: what changes after Resolution 19/2024

European companies with Brazilian subsidiaries often assume that their existing GDPR compliance infrastructure covers data flows in both directions. It does not. EU SCCs govern the flow of personal data from EU entities to third countries — including Brazil. Resolution 19/2024 SCCs govern the flow of personal data from Brazil to other countries — including EU Member States. For bidirectional flows between a Brazilian entity and an EU entity, both sets of clauses are independently required, and they are not equivalent: the Brazilian clauses contain Brazil-specific data subject rights provisions and ANPD cooperation obligations that the EU clauses do not address.

Brazil–US flows: the transfer gap

For US companies, the situation is more complex. There is no adequacy decision, no bilateral data privacy framework comparable to the EU-US Data Privacy Framework, and no simplified mechanism for US–Brazil flows. The available options are Resolution 19/2024 SCCs or, in limited scenarios, explicit data subject consent. Companies transferring employee payroll data, customer contact information, or operational data between Brazilian and US entities without a properly executed SCC framework are in violation of Article 33 of the LGPD — one of the most frequently identified compliance gaps in Brazil-US corporate operations.

Employment Data: Obligations for Foreign Employers

Every employer with employees or contractors in Brazil is a controller of sensitive and ordinary personal data under the LGPD, regardless of where the employing entity is incorporated. The law applies in full to the employment relationship, and the absence of a dedicated employment data chapter — unlike the GDPR, which allows Member States to legislate specific employment data rules — means the general LGPD regime governs without sector-specific relief. Foreign employers frequently underestimate the scope of this obligation when structuring their first Brazilian hires through a PEO/EOR or direct employment model.

Data categories and legal bases across the employment lifecycle

The legal basis required depends on the category of data being processed and the purpose. Ordinary personal data in a payroll and HR context — names, tax IDs, bank account details, contact information — is typically processed under legal obligation (Brazilian labour, tax, and social security legislation) or contract performance. Sensitive data requires Article 11 bases: health data from medical certificates and occupational health programmes is covered by legal obligation and health care protection by qualified professionals; biometric data from fingerprint or facial recognition time-and-attendance systems is covered by legal obligation under Ministerial Order MTP 671/2021, which regulates electronic point registration; union membership data used for dues deduction is covered by legal obligation.

The critical access control principle for health data is one that many foreign employers implement incorrectly: the occupational physician (médico do trabalho) may access an employee’s health records for occupational health purposes, but may transmit only the fitness determination — fit or unfit for role — to HR. Diagnoses, clinical findings, and medical record details are protected by professional secrecy and must not reach HR managers, direct supervisors, or payroll processors. Sharing health data beyond this boundary violates both the LGPD and the professional ethics rules applicable to medical professionals in Brazil.

Biometric time-and-attendance: the highest-risk area

Biometric data — fingerprints, facial recognition maps, iris scans — collected for employee time-and-attendance control is sensitive personal data under Article 5, II of the LGPD. Two compliance requirements are frequently missed: first, biometric data may only be used for the purpose declared to the employee (working-hours control, or controle de jornada); any additional use — surveillance, movement tracking, productivity analysis — requires a separate legal basis, which in an employment context almost invariably means specific consent, with all the fragility that entails when the power asymmetry of the employment relationship is considered. Second, when an employee’s contract ends, the biometric data must be deleted in accordance with a defined retention schedule; indefinite storage of biometric data of former employees is a common ANPD enforcement target.

The LGPD clause in employment contracts

Brazilian law does not mandate an LGPD clause in employment contracts, but Article 9 of the LGPD requires controllers to provide data subjects with clear, accessible information about data processing at or before the point of collection. In the employment context, the most efficient way to fulfil this transparency obligation — and to document its fulfilment — is a data protection clause in the employment agreement or a standalone privacy notice delivered and acknowledged at onboarding. The document must identify the categories of data collected, the purposes and legal bases for each category, the recipients or categories of recipients, the data retention periods, and the employee’s rights as a data subject. It must be written in plain language — not in technical or legal terminology that the employee cannot reasonably be expected to understand.

Transferring employee data to the foreign parent

Consolidating Brazilian employee data in a global HR system hosted outside Brazil — payroll, performance data, training records, benefit administration — is a common operational necessity for multinationals and a consistently underdocumented international data transfer. The transfer must be covered by Resolution 19/2024 SCCs between the Brazilian employer and the foreign entity hosting the system, whether that is the parent company, a group shared service centre, or a third-party cloud HR platform. The foreign host of a global HR system that processes data of Brazilian employees is a processor of Brazilian personal data and must be bound by a Data Processing Agreement that incorporates the applicable LGPD obligations.

Accountability: Organisational Requirements

Records of processing activities (Article 37)

Article 37 of the LGPD requires all controllers and operators to maintain records of the personal data processing activities they carry out. These records — equivalent to the GDPR’s Records of Processing Activities (RoPA) but with LGPD-specific content requirements — must document for each processing activity: the categories of personal data; the categories of data subjects; the purposes and legal bases; the recipients or categories of recipients; and the envisaged retention periods or the criteria used to determine them. The ANPD may request access to these records at any time, and their absence or inadequacy is treated as an independent compliance failure. For foreign subsidiaries inheriting group-wide RoPA structures from their parent companies, the adaptation task is to verify that the legal bases recorded are the Brazilian ones — which may differ from the European or American bases applicable in other jurisdictions.

Data Protection Officer — the Encarregado (Article 41)

Unlike the GDPR, which limits the DPO obligation to specific categories of controllers, the LGPD requires all controllers to appoint an Encarregado (Data Protection Officer), with simplified requirements only for small-scale processing agents under Resolution CD/ANPD 2/2022. The Encarregado’s identity and contact details must be publicly disclosed — typically on the company’s website — and the channel must be accessible to Brazilian data subjects and to the ANPD. Resolution CD/ANPD 18/2024 details the Encarregado’s functions: receiving data subject requests and ANPD communications, guiding employees on data protection practices, and coordinating incident response.

For multinationals, the most common structural choice is to designate a global DPO with Brazilian coverage — often the same individual or firm serving as GDPR DPO for European operations. This is permissible, provided the channel is accessible in Portuguese, responses to Brazilian data subjects are timely, and the DPO has sufficient knowledge of Brazilian-specific requirements (which differ from GDPR in the ways described throughout this article). A DPO fluent only in GDPR requirements, without LGPD-specific training, does not satisfy the Encarregado’s substantive obligations.

Data Protection Impact Assessment — RIPD (Article 38)

The RIPD (Relatório de Impacto à Proteção de Dados Pessoais) is the LGPD’s equivalent of the GDPR’s DPIA. The ANPD may request its completion for processing operations that could generate risks to civil liberties and fundamental rights — and its published guidance indicates that the RIPD is strongly recommended, and may be compelled, for: large-scale processing of sensitive data; biometric identification systems; AI-powered profiling; and new technologies with potentially significant impact on data subjects. Companies launching AI products, biometric access systems, or health data applications in Brazil should incorporate the RIPD into their product launch process, not address it retroactively after ANPD scrutiny.

Vendor management and Data Processing Agreements

Article 46 of the LGPD requires controllers to ensure that their operators implement adequate technical and organisational security measures. This translates into a contractual obligation: every vendor, service provider, or contractor that processes personal data on behalf of the company must have a signed Data Processing Agreement (DPA) that binds them to the applicable LGPD obligations. The absence of DPAs with key processors — cloud infrastructure providers, HR software vendors, payroll processors, biometric system suppliers, marketing automation platforms — is consistently identified as a material gap in LGPD compliance audits and M&A due diligence exercises. For foreign companies contracting with Brazilian vendors, the DPA also needs to specify the legal basis for any data transfers if the vendor will process data outside Brazil.

Enforcement, Sanctions and Civil Liability

The ANPD’s enforcement trajectory

The ANPD began its enforcement phase in 2023. Its first administrative sanction was issued in Administrative Process nº 00261.000489/2022-62 against Telekall Infoservice, a telecommunications company found to have shared personal data without an adequate legal basis. The fine — BRL 14,400 — was modest and expressly calibrated to the company’s small size, reflecting the ANPD’s stated policy of graduated enforcement proportionate to the violating entity’s scale and economic capacity. The ANPD has signalled clearly that enforcement against larger companies, in cases involving sensitive data processing or large-scale violations, will result in proportionately higher sanctions. Companies should not use the Telekall fine quantum as a risk benchmark for their own exposure.

Administrative sanctions: the Article 52 toolkit

The ANPD’s enforcement toolkit is graduated and cumulative. From least to most severe: warning with mandatory corrective measures and a defined remediation period; administrative fine of up to 2% of the company’s annual revenue in Brazil, capped at BRL 50 million per infraction; daily fine, also capped at BRL 50 million in aggregate; public disclosure of the infraction in the ANPD’s official communications after the final administrative decision becomes res judicata; blocking of the personal data involved in the violation; elimination of the personal data; suspension of the relevant database or processing activities for up to six months, extendable for a further six months; and partial or total prohibition of data processing activities.

Three aspects of this sanctions structure deserve particular attention for foreign companies. First, the BRL 50 million cap applies per infraction — a company found to have committed multiple simultaneous violations across different processing activities may face multiple fines, each up to the cap. Second, the public disclosure sanction — formal naming of the violating company in ANPD communications — creates reputational consequences that may far exceed the financial impact of the fine itself, particularly for companies with public disclosure obligations or ESG commitments. Third, the prohibition of processing activities is the most severe sanction available short of market exit, and it can be applied to specific processing activities (e.g., biometric processing, international transfers) without necessarily shutting down all of the company’s Brazilian operations.

Civil liability: objective standard, no fault required

Articles 42 to 45 of the LGPD establish a civil liability regime that operates independently of — and concurrently with — the ANPD’s administrative sanctions. The standard is objective: the controller is liable for damages caused to data subjects resulting from violations of the LGPD without any requirement for the claimant to prove fault, negligence, or intent. The controller can only escape liability by demonstrating that: it did not carry out the processing in question; it complied fully with the LGPD and the damage resulted exclusively from the data subject’s own conduct; or the damage resulted from a third party’s conduct over which the controller had no control. The burden of proof in these defences lies with the controller.

Operators — vendors and service providers processing data on behalf of the controller — are jointly and severally liable with the controller when their failure to comply with LGPD obligations or the controller’s lawful instructions contributed to the damage. This joint liability exposure makes DPAs not merely a compliance formality but a material contractual risk management instrument: a well-drafted DPA allocates liability between controller and operator and provides indemnification mechanisms that can mitigate the controller’s exposure in disputes with data subjects.

Brazilian courts — including the Labour Courts for employment-related claims and the civil courts and Juizados Especiais for consumer and general data protection claims — have been increasingly receptive to data privacy claims. The Superior Court of Justice (STJ) has addressed data breach liability in cases involving utilities and financial institutions, recognising collective and individual moral damages arising from large-scale breaches. The accessibility of the Juizados Especiais — small claims courts with no filing fees and optional legal representation — means that individual data subjects have a low-friction path to judicial remedies, which tends to increase litigation volumes following disclosed data incidents.

LGPD in M&A: Due Diligence and Structuring

Data protection has become a standard component of legal due diligence in Brazilian M&A transactions. A target company’s personal data assets — customer databases, employee records, proprietary datasets — are often among its most valuable intangible assets. They are simultaneously among its most material contingent liabilities when collected, stored, or shared without adequate legal basis. Undisclosed ANPD investigations, non-compliant biometric systems, invalid consent bases for customer databases, and missing DPAs with key vendors: each represents a potential post-closing liability that should be identified, quantified, and addressed in the transaction documentation.

The LGPD due diligence checklist

A structured LGPD due diligence assessment for a Brazilian acquisition should cover eight core areas.

1) Data mapping and records of processing activities — does the company maintain a current inventory of its processing activities, with legal bases documented for each? Absence of data mapping is the single most reliable indicator of immature compliance.

2) Legal bases adequacy — are the bases claimed for key processing activities legally sufficient? This includes both ordinary data (Art. 7) and sensitive data (Art. 11) bases, with particular scrutiny of any reliance on consent for commercial data collections.

3) History of incidents — has the company experienced security incidents? Were they notified to the ANPD and to affected data subjects as required by Resolution 15/2024? Are there open ANPD investigations?

4) Data Processing Agreements — are DPAs in place with key vendors? Do they contain the minimum LGPD-required provisions?

5) International data transfers — does the company transfer personal data outside Brazil? Are those transfers covered by Resolution 19/2024 SCCs or another valid mechanism?

6) DPO governance — has an Encarregado been appointed? Is the contact channel publicly available?

7) Employee data — are employment contracts updated with data protection clauses? Are biometric systems properly grounded in a legal basis?

8) Customer and commercial data — were consent bases valid when collected? Are data retention periods defined and observed?

Representations, warranties and indemnification

Transaction documentation for Brazilian acquisitions should include LGPD-specific representations and warranties by the seller covering: absence of open ANPD investigations or formal notices; absence of pending data subject claims; material compliance with the LGPD in all processing activities; notification of all material security incidents as required; and validity of the legal bases relied upon for key processing activities. Indemnification provisions should cover post-closing ANPD enforcement actions relating to pre-closing conduct, civil liability claims by data subjects for pre-closing processing violations, and the cost of remediation necessary to bring the acquired company’s data protection practices to the acquirer’s compliance standard. Representations as to LGPD compliance should survive closing for a period aligned with the ANPD’s administrative investigation limitation period, which the ANPD is in the process of formalising through regulation.

Post-closing integration

The integration of an acquired Brazilian company into the acquiring group’s data governance framework requires a sequenced set of LGPD-specific actions that should be planned before closing and executed promptly after. Update or execute Data Processing Agreements reflecting the new group structure. Assess and, where necessary, execute Resolution 19/2024 SCCs for data flows from the Brazilian entity to group companies abroad. Update privacy notices to data subjects — customers, employees, and commercial counterparties — to reflect the new controlling entity. Align the Brazilian entity’s information security controls with the group’s baseline. Integrate it into the group’s incident response and breach notification procedures. Failure to complete these steps creates a scenario in which the acquirer owns the liability for violations that, while originating in the target’s pre-existing practices, continue under the acquirer’s control post-closing.

Building LGPD Compliance for a Brazilian Subsidiary: The Minimum Viable Programme

For a foreign company establishing or acquiring a Brazilian subsidiary, the minimum viable LGPD compliance programme has five foundational components.

1) A data mapping exercise that produces a current inventory of all processing activities, with legal bases, purposes, retention periods, and recipients documented for each.

2) A legal bases review that verifies the adequacy of the identified bases — with particular attention to sensitive data categories and the absence of legitimate interest in Article 11 — and remediates the gaps identified, which may include updating consent mechanisms, identifying alternative bases, or restructuring processing activities.

3) A privacy notice infrastructure that includes: a public-facing privacy policy accessible on the company’s website in Portuguese; an employee privacy notice (standalone or as a contractual clause) delivered at onboarding; and, where applicable, a data subject rights request procedure accessible to Brazilian data subjects.

4) An Encarregado appointment with publicly disclosed contact information, a defined scope of responsibilities, and the operational capacity to respond to ANPD communications and data subject requests in Portuguese.

5) A vendor management programme that inventories all third-party processors of Brazilian personal data, prioritises DPA execution with those handling sensitive data or operating critical systems, and includes data transfer mechanisms for any vendor processing Brazilian data outside the country.

These five components are the foundation; a mature programme builds on them with a RIPD methodology for high-risk processing, a security incident response plan calibrated to Resolution 15/2024’s 3-business-day notification requirement, a data retention and deletion schedule aligned with Brazilian statutory periods, and an ongoing regulatory monitoring function that tracks ANPD rulemaking — which, as of 2026, includes active rulemakings on AI, children’s data, and BCR procedures.

Frequently Asked Questions

1) Does the LGPD apply to foreign companies with no office in Brazil?

Yes. Article 3’s three triggers — processing in Brazilian territory, offering goods or services to individuals in Brazil, and processing data collected in Brazil — operate independently and do not require physical presence. A foreign company serving Brazilian customers, employing Brazilian contractors, or replicating Brazilian data to foreign servers is subject to the LGPD for all data collected in those activities.

2) Is LGPD compliance the same as GDPR compliance?

No. Material differences require specific adaptation: LGPD prohibits legitimate interest as a basis for sensitive data; requires all controllers to appoint an Encarregado without the GDPR’s threshold exceptions; mandates Brazil-specific standard contractual clauses for international transfers under Resolution 19/2024; and calculates fines on Brazilian revenue rather than global turnover. GDPR SCCs do not satisfy LGPD transfer requirements for outbound flows from Brazil.

3) How must a Brazilian subsidiary transfer employee data to its foreign parent?

As an international data transfer under Article 33. The operative mechanism in the absence of an ANPD adequacy decision — which does not exist for any country — is the standard contractual clauses of Resolution 19/2024. A Data Processing Agreement must be executed between the subsidiary and the parent, reflecting their controller/processor or joint controller roles. The intragroup nature of the transfer creates no exemption.

4) What are the LGPD penalties for violations?

Administrative fines of up to 2% of Brazilian revenue per infraction, capped at BRL 50 million; daily fines; public disclosure; data blocking and deletion; processing suspension; and prohibition of processing activities. Controllers also face objective civil liability for damages to data subjects without any need to prove fault. Multiple simultaneous violations may result in multiple fines, each up to the BRL 50 million cap.

5) What is LGPD due diligence in a Brazilian M&A transaction?

A structured investigation covering: data mapping quality; legal bases adequacy; incident history and ANPD interactions; DPA coverage with key vendors; international transfer mechanisms; DPO governance; and employee data systems. Results inform representations and warranties, indemnification for pre-closing violations, and a post-closing integration roadmap.

6) Does LGPD apply to B2B companies with no direct consumer relationships in Brazil?

Yes. Even in a pure B2B context, the names, emails, and professional details of employees and representatives of Brazilian corporate clients are personal data of natural persons in Brazil. Where the foreign company processes data on behalf of a Brazilian controller, it is an operator under the LGPD and must comply with the applicable operator obligations.

Conclusion

The LGPD is a mature, actively enforced data protection framework that applies to any foreign business with meaningful contact with the Brazilian market. The ANPD is operational, its regulatory output is comprehensive, and its enforcement trajectory is moving from guidance toward sanctions. For foreign companies, the compliance imperatives are clear: assess territorial applicability, establish legal bases for each processing activity — applying the more restrictive Article 11 standard to sensitive data and accepting that legitimate interest is unavailable for that category — structure international data transfers through Resolution 19/2024 SCCs, appoint an Encarregado, maintain processing records, and execute DPAs with all processors of Brazilian personal data.

The cost of building this structure is manageable and, for companies already operating under the GDPR, largely consists of gap-closing adaptations rather than building from scratch. The cost of not building it — ANPD sanctions, civil liability exposure, reputational risk from public infraction disclosure, and the increased scrutiny that disclosed violations bring — is materially higher. Brazil is one of the world’s ten largest economies and a strategically significant digital market; the LGPD is part of the cost of operating in it at the standard that Brazilian data subjects and the ANPD now expect.

Barbieri Advogados provides integrated legal advice on LGPD compliance for foreign investors, covering data protection structuring, international transfer documentation, employment data compliance, and M&A due diligence. Our team combines expertise in Brazilian business law, labour law and digital regulation — the combination most relevant to foreign groups structuring LGPD compliance across their Brazilian operations.

This article has been prepared for general informational purposes only and does not constitute legal advice on any specific transaction or operation. The legal framework described reflects the state of Brazilian data protection regulation as of March 2026.

© 2026. All rights reserved. Barbieri Advogados.