---
title: "Brazil LGPD Compliance Hub: Scope, Rights, Incident Rule, Transfers, and ANPD Enforcement"
canonical_url: "https://www.sorena.io/artifacts/latam/brazil-lgpd"
source_url: "https://www.sorena.io/artifacts/latam/brazil-lgpd"
author: "Sorena AI"
description: "Grounded Brazil LGPD compliance hub covering Articles 3, 4, 7, 11, 18, 19, 33, 41, 48, and 52, plus ANPD guidance on roles, legitimate interest."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "Brazil LGPD compliance"
  - "Brazil LGPD requirements"
  - "ANPD guidance"
  - "LGPD lawful bases"
  - "LGPD data subject rights"
  - "LGPD incident reporting"
  - "LGPD international transfer"
  - "LGPD sanctions"
  - "Brazil LGPD rights"
  - "Brazil LGPD incident reporting"
  - "Brazil LGPD transfers"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# Brazil LGPD Compliance Hub: Scope, Rights, Incident Rule, Transfers, and ANPD Enforcement

Grounded Brazil LGPD compliance hub covering Articles 3, 4, 7, 11, 18, 19, 33, 41, 48, and 52, plus ANPD guidance on roles, legitimate interest.

![Brazil LGPD compliance timeline and decision flow](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-br-lgpd-timeline-small.jpg?v=cheatsheets%2Fprod)

*LATAM Brazil LGPD* *Free Resource*

## Brazil LGPD Compliance Hub

This Brazil LGPD hub is built around the law itself and the current ANPD guidance set. It covers territorial scope, exclusions, role allocation, lawful basis selection, rights handling, incident reporting, transfer mechanisms, and sanctions risk.

Use the root timeline and decision flow first. Then use the subpages to operationalize Articles 18 and 19 rights handling, the 3 business day incident rule under Resolution CD ANPD No. 15 of 24 April 2024, Article 33 to 35 transfer controls, and Article 52 sanctions exposure.

[Get an LGPD review](/contact.md)

## What this LGPD hub helps you execute

- **Applicability and scope**: Territorial nexus, role classification, and in-scope processing tests.
- **Obligations and controls**: Lawful bases, rights operations, incident, transfer, and vendor controls.
- **Evidence and assurance**: Audit-ready artifacts for ANPD interactions, governance, and board reporting.

By Sorena AI | Grounded in LGPD and ANPD materials | Updated March 2026

### Compliance focus

*LGPD*

- **Scope and roles**: Test Article 3 reach, Article 4 exclusions, and controller versus operator allocation before rollout.
- **Operational duties**: Run lawful basis, Article 18 and 19 rights, Article 41 DPO, Article 48 incident, and Article 33 transfer workflows.
- **Regulator readiness**: Prepare ANPD-ready records for sanctions, transfer safeguards, rights logs, and incident communications.

Use the decision flow and timeline first, then open the deep-dive subpages for implementation details.

| Value | Metric |
| --- | --- |
| Law 13.709 | LGPD law |
| Art. 18-20 | Rights core |
| 3 business days | Incident rule |
| 2% / R$50M | Fine cap |

**Key highlights:** Article 3 scope | Article 18 rights | Article 33 transfers

## Topic Guides

- [ANPD Enforcement and Fines | Brazil LGPD Inspection, Procedure, and Sanctions](/artifacts/latam/brazil-lgpd/anpd-enforcement-and-fines.md): Grounded ANPD enforcement guide covering inspection procedure, sanctions progression, Article 52 factors, Resolution CD ANPD No.
- [Brazil LGPD Applicability Test | Article 3 Scope, Article 4 Exclusions, Roles](/artifacts/latam/brazil-lgpd/applicability-test.md): Grounded Brazil LGPD applicability test covering Article 3 territorial reach, Article 4 exclusions, controller versus operator allocation.
- [Brazil LGPD Checklist | Scope, Rights, Incidents, Transfers, Evidence](/artifacts/latam/brazil-lgpd/checklist.md): Audit-ready Brazil LGPD checklist covering scope, role allocation, lawful bases, rights timing, DPO disclosure, security, incident reporting.
- [Brazil LGPD Compliance Program Guide](/artifacts/latam/brazil-lgpd/compliance.md): Build a grounded Brazil LGPD compliance program around scope, lawful bases, rights, records, incident reporting, transfers, DPO, and ANPD-ready evidence.
- [Brazil LGPD Data Subject Rights | Articles 18 to 20 and 15 Day Access Rule](/artifacts/latam/brazil-lgpd/data-subject-rights.md): Grounded Brazil LGPD rights guide covering Articles 18 to 20, free requests, immediate simplified confirmation, full access declaration within 15 days.
- [Brazil LGPD Deadlines and Compliance Calendar](/artifacts/latam/brazil-lgpd/deadlines-and-compliance-calendar.md): Brazil LGPD compliance calendar covering key legal and ANPD milestones plus recurring duties for rights, incidents, transfers, training.
- [Brazil LGPD DSAR Response Template | Immediate and 15 Day Response Logic](/artifacts/latam/brazil-lgpd/lgpd-dsar-response-template.md): Use a Brazil LGPD DSAR response template aligned to Articles 18 and 19, immediate simplified response, full declaration within 15 days, denial rationale.
- [Brazil LGPD FAQ | Scope, Rights, Incidents, Transfers, Enforcement](/artifacts/latam/brazil-lgpd/faq.md): Practical Brazil LGPD FAQ answering common scope, lawful basis, rights, incident, transfer, DPO, and enforcement questions using the law and ANPD guidance.
- [Brazil LGPD Incident Reporting and Breach Notification](/artifacts/latam/brazil-lgpd/breach-notification.md): Grounded Brazil LGPD incident reporting guide covering Article 48, ANPD Resolution CD ANPD No.
- [Brazil LGPD International Transfers | Articles 33 to 35 and ANPD Transfer Mechanisms](/artifacts/latam/brazil-lgpd/international-transfers.md): Grounded Brazil LGPD transfer guide covering Articles 33 to 35, adequacy, ANPD standard contractual clauses, specific clauses, binding corporate rules.
- [Brazil LGPD Lawful Bases | Article 7, Article 11, Legitimate Interest](/artifacts/latam/brazil-lgpd/lawful-bases.md): Grounded Brazil LGPD lawful basis guide covering Article 7 and 11 bases, consent rules, ANPD legitimate interest guide, sensitive data.
- [Brazil LGPD Penalties and Fines | Article 52 and ANPD Dosimetry](/artifacts/latam/brazil-lgpd/penalties-and-fines.md): Grounded Brazil LGPD penalties guide covering Article 52 sanctions, 2 percent fine cap, R$50 million limit per infraction, publicization, blocking, deletion.
- [Brazil LGPD Requirements | Articles, Controls, Evidence, and ANPD Guidance](/artifacts/latam/brazil-lgpd/requirements.md): Operational Brazil LGPD requirements map covering scope, lawful bases, transparency, rights, records, DPO, security, incidents, transfers.
- [Brazil LGPD Templates | DSAR, Incident, Basis, Transfer, Governance](/artifacts/latam/brazil-lgpd/templates.md): Practical Brazil LGPD template library priorities covering DSAR responses, incident communications, lawful basis records, transfer assessments.
- [Brazil LGPD vs CCPA and CPRA | Structure, Rights, Enforcement, and Reuse](/artifacts/latam/brazil-lgpd/lgpd-vs-ccpa.md): Grounded comparison of Brazil LGPD and CCPA or CPRA covering scope logic, legal basis model, rights timing, cross-border governance, and reusable controls.
- [Brazil LGPD vs GDPR | Similarities, Differences, and Control Reuse](/artifacts/latam/brazil-lgpd/lgpd-vs-gdpr.md): Grounded comparison of Brazil LGPD and GDPR covering scope, lawful bases, rights timing, DPO rules, transfer mechanisms, incident reporting.

## Key milestones for LATAM Brazil LGPD compliance

*Brazil LGPD Timeline*

Use timeline milestones to schedule policy rollout, rights operations, incident processes, transfer mechanisms, and readiness reviews.

## Determine which LGPD duties apply to your business model

*Brazil LGPD Decision Flow*

Follow branching logic to classify controller/operator role, lawful basis options, rights obligations, incident duties, and transfer safeguards.

*Next step*

## Turn Brazil LGPD Compliance Hub into a cited research workflow

Brazil LGPD Compliance Hub should be the shared entry point for your team. Route execution into Research Copilot for live work and into Assessment Autopilot when the artifact needs deeper research, evidence governance, or supporting analysis.

- Start from Brazil LGPD Compliance Hub and route the work by entity, product, team, or control owner.
- Use Research Copilot to answer scope, timing, and interpretation questions with cited outputs.
- Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints.
- Move from artifact reading to accountable execution without rebuilding the guidance in separate files.

- [Open Research Copilot](/solutions/research-copilot.md): Answer scope, timing, and interpretation questions with cited outputs for Brazil LGPD Compliance Hub.
- [Open Assessment Autopilot](/solutions/assessment.md): Turn the guidance into owned tasks, evidence requests, and review checkpoints from the same artifact.
- [Talk through Brazil LGPD Compliance Hub](/contact.md): Review your current process, evidence model, and next steps for Brazil LGPD Compliance Hub.

## Decision Steps

### STEP 1: Does LGPD apply to your data processing operations?

*Reference: Art. 3*

- LGPD applies if: (i) processing is carried out in Brazil; OR (ii) processing aims at offering/supplying goods or services or processing data of individuals in Brazil; OR (iii) personal data were collected in Brazil.
- Check exclusions in Art. 4 before proceeding.

- **NO** Out of Scope
- **YES** Does an Article 4 exclusion apply to your processing?

### STEP 2: Does an Article 4 exclusion apply to your processing?

*Reference: Art. 4*

- If yes, LGPD does not apply to such processing.
- If no, continue to determine your processing legal basis.

- **YES** Out of Scope
- **NO** Are you processing children's or adolescents' personal data?

### STEP 4: Are you processing sensitive personal data?

*Reference: Art. 5, II & Art. 11*

- Sensitive personal data includes: racial/ethnic origin, religious belief, political opinion, trade union affiliation, data on health/sex life, genetic or biometric data related to a natural person.
- If yes: follow Art. 11 requirements for sensitive data processing.
- If no: follow Art. 7 requirements for general personal data processing.

- **YES** LGPD Applies - Sensitive Personal Data
- **NO** LGPD Applies - General Personal Data

### STEP 3: Are you processing children's or adolescents' personal data?

*Reference: Art. 14*

- Processing of children's personal data requires specific and distinguishable consent from at least one parent or legal representative (Art. 14, para. 1).
- Controllers must make public the types of data collected, usage, and procedures for exercising data subject rights (Art. 14, para. 2).
- Processing must be in the best interest of the child (Art. 14 head provision).

- **YES** LGPD Applies - Children's/Adolescents' Data
- **NO** Are you processing sensitive personal data?

### STEP 5: Are you relying on consent as the legal basis?

*Reference: Art. 7, I & Art. 8*

- Consent must be: freely given, informed, and unambiguous (Art. 5, XII).
- Consent must be given in writing or by other means demonstrating manifestation of intention (Art. 8).
- Controller bears burden of proving consent was obtained (Art. 8, para. 2).
- Consent must refer to specific purposes; generic authorizations are void (Art. 8, para. 4).
- Consent can be revoked at any time via free and facilitated procedure (Art. 8, para. 5).

- **YES** Consent as Legal Basis
- **NO** Are you relying on legitimate interest as the legal basis?

### STEP 6: Are you relying on legitimate interest as the legal basis?

*Reference: Art. 7, IX & Art. 10*

- Legitimate interest may only be used for legitimate purposes based on particular situations, including: (i) support/promotion of controller's activity; (ii) protection of data subject's regular exercise of rights or provision of services for their benefit (Art. 10).
- Only strictly necessary personal data may be processed (Art. 10, para. 1).
- Controller must adopt transparency measures (Art. 10, para. 2).
- ANPD may request DPIA when processing is based on legitimate interest (Art. 10, para. 3).

- **YES** Legitimate Interest as Legal Basis
- **NO** Must you appoint a Data Protection Officer (DPO / Encarregado)?

### STEP 7: Must you appoint a Data Protection Officer (DPO / Encarregado)?

*Reference: Art. 41*

- Controller must appoint a DPO (Art. 41 head provision).
- ANPD may establish supplementary rules on definition and duties of DPO, including cases where appointment may be waived according to nature/size of entity or volume of processing (Art. 41, para. 3).
- DPO identity and contact data must be publicly, clearly and objectively disclosed, preferably on controller's website (Art. 41, para. 1).
- Government authorities must appoint DPO when carrying out personal data processing operations (Art. 23, III).

- **YES** DPO Appointment Required
- **NO** Must you prepare a Data Protection Impact Assessment (RIPD)?

### STEP 8: Must you prepare a Data Protection Impact Assessment (RIPD)?

*Reference: Art. 38*

- ANPD may require controller to prepare DPIA (Relatorio de Impacto a Protecao de Dados - RIPD) relating to data processing operations, including sensitive data (Art. 38).
- DPIA contains description of processing operations that could pose risks to civil liberties and fundamental rights, and measures/safeguards/mechanisms to mitigate risks (Art. 5, XVII).
- Report must contain at least: description of types of data collected, methodology for collection and ensuring information security, analysis of adopted measures/safeguards/risk mitigation mechanisms (Art. 38, sole para.).
- ANPD may request DPIA when processing based on legitimate interest (Art. 10, para. 3).
- Government authority agents may be requested to publish DPIA reports (Art. 32).

- **YES** DPIA May Be Required
- **NO** Are you transferring personal data internationally?

### STEP 9: Are you transferring personal data internationally?

*Reference: Art. 33*

- International transfer of personal data only allowed in Art. 33 cases.
- ANPD evaluates level of data protection in foreign country or international organization (Art. 34).
- ANPD defines content of standard contractual clauses and verifies specific clauses, binding corporate rules, seals, certificates and codes of conduct (Art. 35).
- Amendments to guarantees for international transfer must be communicated to ANPD (Art. 36).

- **YES** International Transfer Permitted
- **NO** Have you experienced a security incident?

### STEP 10: Have you experienced a security incident?

*Reference: Art. 48*

- Controller must notify ANPD and data subject of security incident that may result in relevant risk or damage to data subjects (Art. 48).
- Communication made as soon as reasonably feasible, as defined by ANPD (Art. 48, para. 1).
- Communication must contain: (i) description of nature of affected personal data; (ii) information on data subjects involved; (iii) indication of technical/security measures used; (iv) risks related to incident; (v) reasons for delay if not immediate; (vi) measures adopted or to be adopted to reverse/mitigate effects.
- ANPD determines severity of incident and may order measures including full disclosure in media and measures to reverse/mitigate effects (Art. 48, para. 2).

- **YES** Security Incident Notification Required
- **NO** Are you subject to ANPD enforcement powers?

### STEP 11: Are you subject to ANPD enforcement powers?

*Reference: Art. 52*

- ANPD has authority to apply administrative sanctions for infractions of LGPD (Art. 52).
- Sanctions applied following administrative proceeding providing opportunity for full defense (Art. 52, para. 1).
- ANPD defines methodologies for calculation of fine sanctions via public consultation (Art. 53).
- Individual data breaches or unauthorized access may be subject of direct conciliation between controller and data subject; if no settlement, controller subject to penalties (Art. 52, para. 7).

- **YES** Subject to ANPD Enforcement

## Reference Information

### Territorial Scope (Art. 3)

- Processing operation carried out in Brazil (Art. 3, I);
- Processing aimed at offering/supplying goods or services, or processing data of individuals located in Brazil (Art. 3, II);
- Personal data collected in Brazil - data subject was in Brazil at time of collection (Art. 3, III and para. 1).

### Key Exclusions (Art. 4)

- Processing by natural person purely for private and non-economic purposes (Art. 4, I);
- Processing exclusively for journalistic and artistic purposes (Art. 4, II(a));
- Processing for academic purposes (subject to Arts. 7 and 11) (Art. 4, II(b));
- Processing exclusively for public security, national defense, State security, or criminal investigation/prosecution (governed by specific legislation) (Art. 4, III);
- Processing originating outside Brazil and not subject to communication or shared use with Brazilian processing agents, and not subject to international transfer to a third country other than the country of origin (if the country of origin offers an adequate level of protection) (Art. 4, IV).

### Legal Bases for Processing Personal Data (Art. 7)

- I - Consent of the data subject;
- II - Compliance with legal/regulatory obligation by controller;
- III - Public administration processing for public policies (as per law/regulation or contracts);
- IV - Studies by research bodies (with anonymization whenever possible);
- V - Performance of contract or preliminary procedures to which data subject is party;
- VI - Regular exercise of rights in judicial, administrative or arbitration procedures;
- VII - Protection of life or physical integrity of data subject or third party;
- VIII - Protection of health in procedures by health professionals/services/authorities;
- IX - Legitimate interests of controller or third party (except when data subject's fundamental rights prevail);
- X - Protection of credit (as per relevant legislation).

### Legal Bases for Sensitive Personal Data (Art. 11)

- I - Specific and emphatic consent for specific purposes;
- II - Without consent when indispensable for: (a) compliance with legal/regulatory obligation; (b) shared processing for public policy enforcement; (c) research with anonymization whenever possible; (d) regular exercise of rights in contracts/judicial/administrative/arbitration proceedings; (e) protecting life or physical integrity; (f) health protection in procedures by health professionals/services/authorities; (g) fraud prevention and data subject safety in authentication systems.
- Communication/shared use of sensitive health data among controllers for economic advantage is prohibited except for provision of health services, pharmaceutical assistance, health insurance, diagnostic/therapeutic services (Art. 11, para. 4).
- Private healthcare plan operators prohibited from processing health data for risk selection or beneficiary inclusion/exclusion (Art. 11, para. 5).

### Controller vs Processor (Operator)

- Controller: natural/legal person in charge of making decisions regarding processing of personal data (Art. 5, VI).
- Processor (Operator): natural/legal person that processes personal data on behalf of the controller (Art. 5, VII).
- Processor carries out processing according to controller's instructions; controller assesses compliance (Art. 39).
- Controller and processor are jointly referred to as 'processing agents' (Art. 5, IX).

### DPO Duties (Art. 41, para. 2)

- I - Accept complaints and communications from data subjects, provide clarifications and adopt measures;
- II - Receive communications from ANPD and adopt measures;
- III - Instruct entity's employees and contractors on practices for personal data protection;
- IV - Perform other duties determined by controller or established in supplementary rules.

### Data Subject Rights (Art. 18)

- I - Confirmation of existence of processing;
- II - Access to data;
- III - Correction of incomplete, inaccurate or outdated data;
- IV - Anonymization, blocking or erasure of unnecessary/excessive data or data processed in non-compliance;
- V - Portability of data to another service/product provider (upon express request);
- VI - Erasure of personal data processed with consent (except Art. 16 events);
- VII - Information on government/private entities with which controller shared data;
- VIII - Information on possibility of denying consent and consequences;
- IX - Revocation of consent.
- Right to petition ANPD against the controller (Art. 18, para. 1).
- Right to object to processing carried out on a consent waiver legal basis, in case of non-compliance with LGPD (Art. 18, para. 2).
- Rights must be exercised upon express request by data subject or legally appointed representative (Art. 18, para. 3).
- Requests must be met free of charge within time periods/terms in regulation (Art. 18, para. 5).
- Confirmation/access must be provided: (i) immediately in simplified format; OR (ii) within 15 days via clear and complete statement (Art. 19).

### Automated Decision Review (Art. 20)

- Data subject entitled to request review of decisions made solely based on automated processing that affect their interests, including decisions defining personal/professional/consumer/credit profile or personality aspects (Art. 20).
- Controller shall provide, upon request, clear and adequate information on criteria and procedures used for automated decision (Art. 20, para. 1).
- If information not provided based on trade/industrial secrecy compliance, ANPD may audit to verify discriminatory aspects (Art. 20, para. 2).

### International Transfer Grounds (Art. 33)

- I - To countries/organizations providing adequate level of protection;
- II - When controller offers and demonstrates guarantees of compliance via: (a) specific contractual clauses; (b) standard contractual clauses; (c) binding corporate rules; (d) regularly issued seals, certificates, codes of conduct;
- III - When transfer required for international legal cooperation among intelligence, investigation and prosecution government bodies;
- IV - When transfer required to protect life or physical integrity of data subject or third party;
- V - When ANPD authorizes the transfer;
- VI - When transfer results from commitment in international cooperation agreements;
- VII - When transfer required for enforcement of public policy or legal attribution of public service;
- VIII - When data subject provided specific and distinguishable consent for transfer, with previous information on international nature of operation;
- IX - When required to meet Art. 7, II, V and VI hypotheses (legal obligation, contract performance, exercise of rights).

### Security and Confidentiality (Arts. 46-47, 49)

- Processing agents must adopt technical and administrative security measures to protect personal data from unauthorized accesses and accidental/unlawful situations of destruction, loss, alteration, communication, or improper/unlawful processing (Art. 46).
- ANPD may provide minimum technical standards, considering nature of processed information, specific characteristics of processing, current state of technology, especially for sensitive personal data (Art. 46, para. 1).
- Security measures must be observed from design phase of product/service until implementation (Art. 46, para. 2).
- Processing agents or any person involved in processing phases required to ensure information security even after conclusion of processing (Art. 47).
- Systems used for personal data processing must be structured to meet security requirements, good practices, governance standards, and general principles (Art. 49).

### Good Practices and Governance (Art. 50)

- Controllers and processors may formulate rules for good practices and governance (Art. 50).
- Rules may provide for: organization conditions, operational arrangements, procedures (including complaints/requests from data subjects), security rules, technical standards, specific obligations, educational activities, internal supervision/risk mitigation mechanisms (Art. 50).
- Controller may implement privacy governance program (Art. 50, para. 2, I) that: (a) demonstrates commitment to internal procedures/policies ensuring compliance; (b) applies to entire set of personal data; (c) is adapted to structure, scale, volume of operations and sensitivity of data; (d) establishes policies/safeguards based on a systematic assessment of impacts and privacy risks; (e) establishes trust relationship via transparent actions ensuring data subject participation; (f) is integrated into general governance structure; (g) has incident response/remediation plans; (h) is constantly updated based on continuous monitoring and periodic assessments.
- Controller may demonstrate effectiveness of privacy governance program when appropriate, especially at ANPD request (Art. 50, para. 2, II).
- Rules on good practices and governance shall be published, updated periodically, and may be acknowledged and disseminated by ANPD (Art. 50, para. 3).

### Processing by Government Authorities (Art. 23)

- Processing by government authorities must be carried out to achieve public purpose, in benefit of public interest, to enforce legal powers or fulfill legal duties of public service (Art. 23).
- Government authorities must: (i) inform events in which they process personal data while performing duties, providing clear and updated information on legal basis, purpose, procedures and practices, in easily accessible media (preferably websites) (Art. 23, I); (ii) appoint DPO when carrying out processing operations (Art. 23, III).
- Government authorities forbidden to transfer personal data in databases to private entities, except: (a) in cases of decentralized performance of public activity requiring transfer; (b) when data publicly accessible; (c) when there is legal provision or transfer grounded on contracts/agreements; (d) when transfer exclusively intended to prevent fraud/irregularities or protect/safeguard data subject's security/integrity (Art. 26, para. 1).
- Contracts and agreements for transfer to private entities must be informed to ANPD (Art. 26, para. 2).
- Communication/shared use of personal data from government authority to private entity must be informed to ANPD and rely on data subject consent, except waiver cases in LGPD (Art. 27).
- ANPD may request government bodies/entities to provide specific information on scope/nature of data and processing details; may issue supplementary technical report to ensure compliance (Art. 29).

### Termination of Processing and Data Retention (Arts. 15-16)

- Processing of personal data ceases: (i) upon evidence purpose achieved or data no longer necessary/pertinent; (ii) upon expiration of processing period; (iii) upon notice from data subject (including consent revocation), subject to public interest; (iv) at order of ANPD upon violation of LGPD (Art. 15).
- Personal data shall be erased following termination of processing, within scope and technical limits of activities (Art. 16).
- Storage authorized for: (i) compliance with legal/regulatory obligation; (ii) study by research body (with anonymization whenever possible); (iii) transfer to third party, upon compliance with processing requirements; (iv) exclusive use by controller with access by third party prohibited and data anonymized (Art. 16).

### Liability and Damages (Arts. 42-45)

- Controller or processor that causes pecuniary, moral, individual or collective damage in violation of data protection legislation shall be required to compensate (Art. 42).
- Processor jointly liable for damages when it fails to comply with LGPD obligations or acts contrary to lawful controller instructions (Art. 42, para. 1, I).
- Controllers directly involved in processing activities that resulted in damages jointly liable (Art. 42, para. 1, II).
- Judge may reverse burden of proof in favor of data subject when allegation appears true, there is hyposufficiency for evidence production, or evidence is overly burdensome (Art. 42, para. 2).
- Processing agents not liable only when they prove: (i) they did not carry out processing attributed to them; (ii) although they carried out processing, there was no violation; OR (iii) damage results from exclusive fault of data subject or third party (Art. 43).
- Processing deemed irregular when it fails to comply with law or does not provide security expected by data subject (Art. 44).
- Controller/processor who causes damage by failing to adopt Art. 46 security measures liable for damages from data security violation (Art. 44, sole para.).
- Violations in consumer relations remain subject to liability rules in relevant legislation (Art. 45).

### Administrative Sanctions (Art. 52)

- I - Warning, indicating deadline for corrective measures;
- II - Simple fine up to 2% of gross revenue of legal entity of private law, group or conglomerate net tax revenues in Brazil in preceding fiscal year (excluding taxes), limited to BRL 50,000,000 (fifty million Reais) per infraction;
- III - Daily fine, subject to total limit in item II;
- IV - Public disclosure of infraction after investigation and confirmation;
- V - Blocking of personal data to which infraction refers until regularization;
- VI - Erasure of personal data to which infraction refers;
- X - Partial suspension of operations of database for maximum 6 months, extendable for equal period, until controller regularizes processing;
- XI - Suspension of personal data processing activity for maximum 6 months, extendable for equal period;
- XII - Partial or full prohibition of activities related to data processing.
- Sanctions X, XI, XII only applied after at least one of sanctions II, III, IV, V, VI imposed for same specific case, and after hearing other bodies/entities with sanctioning powers (Art. 52, para. 6).

### Sanction Parameters and Criteria (Art. 52, para. 1)

- I - Severity and nature of infractions and personal rights affected;
- II - Good faith of offender;
- III - Advantage obtained or intended by offender;
- IV - Economic condition of offender;
- V - Recidivism;
- VI - Extent of damage;
- VII - Cooperation of offender;
- VIII - Repeated and demonstrated adoption of internal mechanisms/procedures to minimize damage, aimed at safe and proper data processing;
- IX - Adoption of policy of good practices and governance;
- X - Prompt adoption of corrective measures;
- XI - Proportionality between severity of infraction and intensity of sanction.

### Sanctions for Government Entities (Art. 52, para. 3)

- Sanctions I, IV, V, VI, X, XI and XII of Art. 52 may be applied to government entities and bodies (Art. 52, para. 3).
- Application without prejudice to provisions of Law No. 8,112/1990 (civil servants), Law No. 8,429/1992 (administrative improbity), and Law No. 12,527/2011 (access to information).
- ANPD may issue statement with applicable measures to cease violation by government bodies (Art. 31).
- ANPD may request government authority agents to publish DPIA reports and suggest adoption of standards and good practices (Art. 32).

### National Data Protection Authority (ANPD)

- ANPD is a special autarchy linked to the Ministry of Justice and Public Security, with functional, technical, decision-making, administrative and financial autonomy, with its own assets, and with headquarters and jurisdiction in the Federal District (Art. 55-A).
- ANPD is composed of: (i) Board of Directors (highest governing body); (ii) National Council for Personal Data and Privacy Protection; (iii) Corregedoria; (iv) Ombudsman's Office; (v) Procuradoria; (vi) Auditoria; (vii) administrative and specialized units (Art. 55-C).
- Board of Directors consists of 5 directors (including Director-President), chosen and appointed by President of Republic after Federal Senate approval (Art. 55-D).
- Directors have 4-year term of office (Art. 55-D, para. 3).
- ANPD responsible for: ensuring protection of personal data; ensuring compliance with trade/industrial secrets; preparing guidelines for National Policy for Personal Data and Privacy; and other duties in Art. 55-J.

### Personal Data Protection Principles (Art. 6)

- I - Purpose: processing for legitimate, specific and explicit purposes informed to data subject, with no subsequent incompatible processing;
- II - Adequacy: compatibility of processing with purposes informed to data subject;
- III - Necessity: limitation to minimum required, relevant, proportional and non-excessive data;
- IV - Free access: guarantee to data subjects of facilitated and free consultation on form/duration of processing and data integrity;
- V - Data quality: guarantee of accuracy, clarity, relevance and updating of data;
- VI - Transparency: guarantee of clear, accurate and easily accessible information on processing activities and processing agents;
- VII - Security: use of technical/administrative measures to protect personal data;
- VIII - Prevention: adoption of measures to prevent damages from processing;
- IX - Non-discrimination: impossibility of processing for unlawful or abusive discriminatory purposes;
- X - Liability and accountability: proof by agent of adoption of effective measures demonstrating observance and compliance, including effectiveness of measures.

### Key Definitions (Art. 5)

- Personal data: information regarding identified or identifiable natural person (Art. 5, I);
- Sensitive personal data: data concerning racial/ethnic origin, religious belief, political opinion, trade union affiliation, data on health/sex life, genetic or biometric data related to natural person (Art. 5, II);
- Anonymized data: data related to data subject who cannot be identified, considering reasonable technical means available at time of processing (Art. 5, III);
- Data subject: natural person to whom personal data being processed refers (Art. 5, V);
- Consent: freely, informed and unambiguous manifestation whereby data subject agrees to processing of their personal data for given purpose (Art. 5, XII);
- Processing: any operation performed on personal data (collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, erasure, evaluation, control, modification, communication, transfer, dissemination or retrieval) (Art. 5, X);
- Anonymization: use of reasonable technical means by which data loses possibility of direct or indirect association with individual (Art. 5, XI).

## Possible Outcomes

### [RESULT] Out of Scope

LGPD does not apply

- LGPD does not apply to your processing operations.
- Either territorial scope not met (Art. 3) or an exclusion applies (Art. 4).
- Even if LGPD does not apply, consider other applicable data protection laws and best practices.

### [RESULT] LGPD Applies - General Personal Data

Follow Art. 7 legal bases and compliance requirements

- LGPD applies to your processing of general personal data.
- Ensure valid legal basis under Art. 7 for all processing operations.
- Comply with all LGPD principles (Art. 6), data subject rights (Arts. 17-22), security obligations (Arts. 46-49), and other applicable requirements.
- Appoint DPO as required (Art. 41).
- Implement appropriate technical and administrative security measures (Art. 46).
- Prepare for data subject rights requests (Art. 18) and security incident notification (Art. 48).
- Maintain processing records, especially when based on legitimate interest (Art. 37).

### [RESULT] LGPD Applies - Sensitive Personal Data

Follow Art. 11 stricter requirements

- LGPD applies to your processing of sensitive personal data.
- Ensure valid legal basis under Art. 11 (specific and emphatic consent OR one of Art. 11, II exceptions).
- Apply heightened security measures for sensitive data (Art. 46, para. 1).
- Be aware of restrictions on communication/shared use of sensitive data for economic advantage (Art. 11, para. 3-5).
- Comply with all LGPD principles (Art. 6), data subject rights (Arts. 17-22), and other applicable requirements.
- Appoint DPO as required (Art. 41).
- Prepare for ANPD requests for DPIA (Art. 38).

### [RESULT] LGPD Applies - Children's/Adolescents' Data

Follow Art. 14 best interest requirements

- LGPD applies to your processing of children's and adolescents' personal data.
- Processing must be in best interest of child/adolescent (Art. 14).
- Obtain specific and distinguishable consent from at least one parent or legal representative for children's data (Art. 14, para. 1).
- Make public information on types of data collected, usage, and procedures for exercising rights (Art. 14, para. 2).
- Make all reasonable efforts to confirm consent given by representative, considering available technologies (Art. 14, para. 5).
- Provide information in simple, clear and accessible manner, considering physical-motor, perceptive, sensorial, intellectual and mental characteristics (Art. 14, para. 6).
- Do not subject participation to providing personal information beyond strictly necessary (Art. 14, para. 4).
- Comply with all other LGPD requirements for general or sensitive data as applicable.

### [RESULT] Consent as Legal Basis

Comply with Art. 8 consent requirements

- You are relying on consent as legal basis (Art. 7, I or Art. 11, I).
- Ensure consent is freely given, informed, and unambiguous (Art. 5, XII).
- Obtain consent in writing or by other means demonstrating manifestation of intention (Art. 8).
- If in writing, consent must be in clause that stands out from other contractual clauses (Art. 8, para. 1).
- Maintain proof that consent was obtained (Art. 8, para. 2).
- Consent must refer to specific purposes; generic authorizations are void (Art. 8, para. 4).
- Provide data subject with Art. 9 information (purpose, type/duration, controller identity/contact, shared use, responsibilities, data subject rights).
- Ensure data subject can revoke consent at any time via free and facilitated procedure (Art. 8, para. 5).
- If consent required for communication/sharing with other controllers, obtain specific consent (Art. 7, para. 5).
- For sensitive data: obtain specific and emphatic consent for specific purposes (Art. 11, I).
- For children's data: obtain specific and distinguishable consent from at least one parent or legal representative (Art. 14, para. 1).

### [RESULT] Legitimate Interest as Legal Basis

Comply with Art. 10 requirements

- You are relying on legitimate interest as legal basis (Art. 7, IX).
- Legitimate interest only for legitimate purposes based on particular situations, including: support/promotion of controller's activity; protection of data subject's regular exercise of rights or provision of services for their benefit (Art. 10).
- Process only strictly necessary personal data (Art. 10, para. 1).
- Adopt measures to ensure transparency of processing based on legitimate interest (Art. 10, para. 2).
- Be prepared for ANPD to request DPIA when processing based on legitimate interest (Art. 10, para. 3).
- Maintain records of processing operations based on legitimate interest (Art. 37).
- Ensure data subject's fundamental rights and liberties requiring personal data protection do not prevail over legitimate interest (Art. 7, IX exception).

### [RESULT] DPO Appointment Required

Comply with Art. 41 DPO requirements

- You must appoint a Data Protection Officer (DPO / Encarregado) (Art. 41).
- Publicly, clearly and objectively disclose DPO identity and contact data, preferably on website (Art. 41, para. 1).
- Ensure DPO performs duties: (i) accept complaints/communications from data subjects, provide clarifications and adopt measures; (ii) receive communications from ANPD and adopt measures; (iii) instruct employees/contractors on data protection practices; (iv) perform other duties determined by controller or in supplementary rules (Art. 41, para. 2).
- Monitor ANPD supplementary rules on DPO definition and duties (Art. 41, para. 3).
- DPO acts as communication channel between controller, data subjects and ANPD (Art. 5, VIII).

### [RESULT] DPIA May Be Required

Prepare for ANPD DPIA request

- ANPD may require you to prepare Data Protection Impact Assessment (RIPD) (Art. 38).
- DPIA contains description of processing operations that could pose risks to civil liberties and fundamental rights, and measures/safeguards/mechanisms to mitigate risks (Art. 5, XVII).
- DPIA must contain at least: (i) description of types of data collected; (ii) methodology for collection and ensuring information security; (iii) analysis of adopted measures, safeguards and risk mitigation mechanisms (Art. 38, sole para.).
- ANPD may request a DPIA when processing is based on legitimate interest (Art. 10, para. 3).
- ANPD may request public sector agents to publish DPIA reports and may suggest standards and good practices for processing by the public sector (Art. 32).
- Security measures must be observed from the product or service design phase through execution (Art. 46, para. 2), and controllers may adopt a privacy governance program based on a systematic assessment of impacts and privacy risks (Art. 50, para. 2, I(d)).

### [RESULT] International Transfer Permitted

Ensure ongoing compliance with Art. 33-36

- International transfer of personal data permitted under Art. 33 grounds.
- If relying on adequate level of protection (Art. 33, I): monitor ANPD evaluations of foreign country/organization (Art. 34).
- If relying on contractual guarantees (Art. 33, II): use ANPD-defined standard contractual clauses or obtain ANPD verification of specific clauses, binding corporate rules, seals, certificates, codes of conduct (Art. 35).
- If relying on ANPD authorization (Art. 33, V): maintain authorization documentation.
- If relying on data subject consent (Art. 33, VIII): ensure specific and distinguishable consent with previous information on international nature of operation.
- Communicate amendments to transfer guarantees to ANPD (Art. 36).
- Ensure ongoing compliance with LGPD principles and data subject rights for transferred data.

### [RESULT] Security Incident Notification Required

Notify ANPD and data subjects per Art. 48

- You must notify ANPD and data subjects of security incident that may result in relevant risk or damage (Art. 48).
- Communicate as soon as reasonably feasible, as defined by ANPD (Art. 48, para. 1).
- Communication must contain: (i) description of nature of affected personal data; (ii) information on data subjects involved; (iii) indication of technical/security measures used; (iv) risks related to incident; (v) reasons for delay if not immediate; (vi) measures adopted or to be adopted to reverse/mitigate effects (Art. 48, para. 1).
- ANPD will determine severity of incident and may order: (i) full disclosure in media; (ii) measures to reverse/mitigate effects (Art. 48, para. 2).
- Document incident and response measures for accountability (Art. 6, X).
- Review and update security measures to prevent recurrence (Art. 46).

### [RESULT] Subject to ANPD Enforcement

Ensure compliance to avoid Art. 52 sanctions

- You are subject to ANPD administrative sanctions for LGPD infractions (Art. 52).
- Sanctions range from warning to fines (up to 2% of gross revenue, capped at BRL 50 million per infraction) to partial/full prohibition of data processing activities (Art. 52, I-VI, X-XII).
- Sanctions applied following administrative proceeding with opportunity for full defense, considering Art. 52, para. 1 parameters/criteria.
- ANPD defines methodologies for fine calculation via public consultation (Art. 53).
- Demonstrate good faith, cooperation, adoption of good practices/governance, prompt corrective measures to mitigate sanctions (Art. 52, para. 1, II, VII, VIII, IX, X).
- Consider direct conciliation with data subjects for individual data breaches or unauthorized access (Art. 52, para. 7).
- ANPD has competences that include issuing regulations and guidelines to implement LGPD (Art. 55-J), and ANPD may acknowledge and disseminate rules on good practices and governance (Art. 50, para. 3).

## LGPD Timeline

| Date | Event | Reference |
| --- | --- | --- |
| 2018-08-14 | LGPD published (Law No. 13,709/2018) | Law No. 13,709/2018 (publication date) |
| 2018-12-28 | ANPD framework provisions effective (Arts. 55-A to 55-L and others) | Art. 65, I |
| 2019-07-08 | LGPD amended by Law No. 13,853/2019 (ANPD-related amendments) | Law No. 13,853/2019 (publication date) |
| 2021-08-01 | Administrative sanctions (Arts. 52-54) became enforceable | Art. 65, I-A |
| 2022-10-26 | Law No. 14,460/2022 enters into force (transforms ANPD into a special autarchy) | Law No. 14,460/2022 (publication / entry into force) |

## Compliance Timeline

| Date | Event | Category | Reference |
| --- | --- | --- | --- |
| 2014-04-23 | Marco Civil da Internet (Lei 12.965/2014) published | Legislation |  |
| 2014-06-23 | Marco Civil enters into force | Legislation |  |
| 2016-05-11 | Marco Civil regulation (Decreto 8.771/2016) published | Legislation |  |
| 2018-08-14 | LGPD enacted (Lei 13.709/2018) published | Legislation |  |
| 2018-08-15 | LGPD partially republished (extra edition) | Legislation |  |
| 2018-12-28 | ANPD-related provisions enter into force under LGPD | ANPD Development |  |
| 2019-07-08 | LGPD amended and ANPD created (Lei 13.853/2019) published | ANPD Development |  |
| 2020-08-26 | ANPD structure established (Decreto 10.474/2020) published | ANPD Development |  |
| 2021-01-01 | LGPD guide for the electoral context published (2021) | Guidance & Regulation |  |
| 2021-01-27 | ANPD Regulatory Agenda 2021-2022 adopted | Regulatory Agenda |  |
| 2021-03-08 | ANPD internal regulations approved (Portaria No. 1/2021) | ANPD Development |  |
| 2021-05-01 | ANPD guide on controllers, processors, and DPOs (May 2021) | Guidance & Regulation |  |
| 2021-07-08 | ANPD rulemaking process approved (Portaria/ANPD No. 16/2021) | ANPD Development |  |
| 2021-08-01 | LGPD sanctions provisions become effective (Arts. 52-54) | Enforcement & Sanctions |  |
| 2021-10-28 | ANPD inspection and sanctioning procedures (Resolução CD/ANPD No. 1/2021) adopted | Enforcement & Sanctions |  |
| 2021-10-29 | Resolução CD/ANPD No. 1/2021 published (in force) | Enforcement & Sanctions |  |
| 2021-11-10 | International transfer regulation project opened (Termo de Abertura de Projeto) | Regulatory Agenda |  |
| 2022-01-01 | ANPD guide for personal data processing by public authorities (Jan 2022) | Guidance & Regulation |  |
| 2022-01-27 | Small-scale processing agents regulation adopted (Resolução CD/ANPD No. 2/2022) | Guidance & Regulation |  |
| 2022-02-03 | Information security guidance for small-scale processing agents (Feb 2022) | Guidance & Regulation |  |
| 2022-05-18 | International transfer regulation questionnaire period begins | Regulatory Agenda |  |
| 2022-06-30 | International transfer regulation questionnaire period ends | Regulatory Agenda |  |
| 2022-09-01 | Preliminary study on children's and adolescents' personal data (Sep 2022) | Guidance & Regulation |  |
| 2022-09-21 | ANPD structure amended (Decreto 11.202/2022) published | ANPD Development |  |
| 2022-10-01 | ANPD cookies and personal data protection guide (Oct 2022) | Guidance & Regulation |  |
| 2022-10-05 | Decreto 11.202/2022 enters into force | ANPD Development |  |
| 2022-10-26 | ANPD becomes an autonomous authority (Lei 14.460/2022) published | ANPD Development |  |
| 2022-11-04 | ANPD Regulatory Agenda 2023-2024 published | Regulatory Agenda |  |
| 2023-02-24 | Sanctions dosimetry rules (Resolução CD/ANPD No. 4/2023) adopted | Enforcement & Sanctions |  |
| 2023-02-27 | Resolução CD/ANPD No. 4/2023 published (in force) | Enforcement & Sanctions |  |
| 2023-05-22 | ANPD Statement (Enunciado CD/ANPD No. 1) approved | Guidance & Regulation |  |
| 2023-05-24 | Enunciado CD/ANPD No. 1 published in the DOU | Guidance & Regulation |  |
| 2023-08-14 | International transfer regulation consultation notice published (Consulta Publica No. 2/2023) | Regulatory Agenda |  |
| 2023-08-15 | International transfer regulation public consultation begins | Regulatory Agenda |  |
| 2023-09-12 | International transfer regulation public hearing held | Regulatory Agenda |  |
| 2023-10-14 | International transfer regulation public consultation ends | Regulatory Agenda |  |
| 2023-12-27 | ANPD Regulatory Agenda 2023-2024 amended | Regulatory Agenda |  |
| 2024-02-01 | Legitimate interest guide published (Feb 2024) | Guidance & Regulation |  |
| 2024-04-24 | Security incident communication regulation approved (Resolução CD/ANPD No. 15/2024) | Enforcement & Sanctions |  |
| 2024-07-17 | ANPD SEI external user manual updated (v17-07-2024) | Guidance & Regulation |  |
| 2025-08-18 | International data transfer regulation rectified (Aug 2025) | Guidance & Regulation |  |
| 2026-12-31 | ANPD personnel requisition authority expires (Decreto 10.474/2020) | ANPD Development |  |

**Event details:**

- **2014-04-23 - Marco Civil da Internet (Lei 12.965/2014) published**: LEI Nº 12.965, DE 23 DE ABRIL DE 2014
- **2014-06-23 - Marco Civil enters into force**: Esta Lei entra em vigor após decorridos 60 (sessenta) dias de sua publicação oficial.
- **2016-05-11 - Marco Civil regulation (Decreto 8.771/2016) published**: DECRETO Nº 8.771, DE 11 DE MAIO DE 2016
- **2018-08-14 - LGPD enacted (Lei 13.709/2018) published**: LEI Nº 13.709, DE 14 DE AGOSTO DE 2018
- **2018-08-15 - LGPD partially republished (extra edition)**: republicado parcialmente em 15.8.2018 - Edição extra
- **2018-12-28 - ANPD-related provisions enter into force under LGPD**: dia 28 de dezembro de 2018, quanto aos arts. 55-A, 55-B, 55-C, 55-D, 55-E, 55-F, 55-G, 55-H, 55-I, 55-J, 55-K, 55-L, 58-A e 58-B
- **2019-07-08 - LGPD amended and ANPD created (Lei 13.853/2019) published**: LEI Nº 13.853, DE 8 DE JULHO DE 2019
- **2020-08-26 - ANPD structure established (Decreto 10.474/2020) published**: DECRETO Nº 10.474, DE 26 DE AGOSTO DE 2020
- **2021-01-01 - LGPD guide for the electoral context published (2021)**: Brasilia, TSE, 2021 (year only in source; date normalized for sorting).
- **2021-01-27 - ANPD Regulatory Agenda 2021-2022 adopted**: Ordinance No. 11, of January 27, 2021
- **2021-03-08 - ANPD internal regulations approved (Portaria No. 1/2021)**: Regimento Interno da ANPD aprovado pela Portaria No. 1, de 8 de marco de 2021.
- **2021-05-01 - ANPD guide on controllers, processors, and DPOs (May 2021)**: Data indicada na capa: MAIO DE 2021
- **2021-07-08 - ANPD rulemaking process approved (Portaria/ANPD No. 16/2021)**: Portaria/ANPD No. 16, de 8 de julho de 2021 (approves the regulatory process within ANPD; cited in RTID annexes).
- **2021-08-01 - LGPD sanctions provisions become effective (Arts. 52-54)**: dia 1º de agosto de 2021, quanto aos arts. 52, 53 e 54; (Incluído pela Lei nº 14.010, de 2020)
- **2021-10-28 - ANPD inspection and sanctioning procedures (Resolução CD/ANPD No. 1/2021) adopted**: RESOLUÇÃO CD/ANPD Nº 1, DE 28 DE OUTUBRO DE 2021
- **2021-10-29 - Resolução CD/ANPD No. 1/2021 published (in force)**: Publicado em: 29/10/2021 | Edicao: 205 | Secao: 1 | Pagina: 6. Entra em vigor na data de publicacao.
- **2021-11-10 - International transfer regulation project opened (Termo de Abertura de Projeto)**: Process to regulate international data transfers started with a project opening term signed on 10/11/2021 (cited in RTID Annex 1-D).
- **2022-01-01 - ANPD guide for personal data processing by public authorities (Jan 2022)**: VERSÃO 1.0  JAN. 2022
- **2022-01-27 - Small-scale processing agents regulation adopted (Resolução CD/ANPD No. 2/2022)**: RESOLUCAO CD/ANPD No. 2, de 27 de janeiro de 2022 (Regulamento para agentes de tratamento de pequeno porte).
- **2022-02-03 - Information security guidance for small-scale processing agents (Feb 2022)**: Brasilia, 03 de fevereiro de 2022 (date shown in the ANPD guidance document).
- **2022-05-18 - International transfer regulation questionnaire period begins**: CGN received responses to 20 questions between 18/05/2022 and 30/06/2022 (cited in RTID Annex 1-D).
- **2022-06-30 - International transfer regulation questionnaire period ends**: CGN received responses through 30/06/2022 (cited in RTID Annex 1-D).
- **2022-09-01 - Preliminary study on children's and adolescents' personal data (Sep 2022)**: Setembro/2022 (cover; month only).
- **2022-09-21 - ANPD structure amended (Decreto 11.202/2022) published**: DECRETO Nº 11.202, DE 21 DE SETEMBRO DE 2022
- **2022-10-01 - ANPD cookies and personal data protection guide (Oct 2022)**: OUT/2022 (cover; month only).
- **2022-10-05 - Decreto 11.202/2022 enters into force**: Este Decreto entra em vigor em 5 de outubro de 2022.
- **2022-10-26 - ANPD becomes an autonomous authority (Lei 14.460/2022) published**: Publicado no DOU de 26.10.2022. Entra em vigor na data de sua publicacao.
- **2022-11-04 - ANPD Regulatory Agenda 2023-2024 published**: ANPD ORDINANCE No. 35, of NOVEMBER 4, 2022
- **2023-02-24 - Sanctions dosimetry rules (Resolução CD/ANPD No. 4/2023) adopted**: RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023
- **2023-02-27 - Resolução CD/ANPD No. 4/2023 published (in force)**: Publicado em: 27/02/2023 | Edição: 39 | Seção: 1 | Página: 59
- **2023-05-22 - ANPD Statement (Enunciado CD/ANPD No. 1) approved**: ENUNCIADO CD/ANPD Nº 1, DE 22 DE MAIO DE 2023
- **2023-05-24 - Enunciado CD/ANPD No. 1 published in the DOU**: Publicado em: 24/05/2023 | Edicao: 98 | Secao: 1 | Pagina: 129.
- **2023-08-14 - International transfer regulation consultation notice published (Consulta Publica No. 2/2023)**: Publicacao da Consulta Publica No. 2, de 14 de agosto de 2023, no DOU (edicao 15/08/2023, citado em RTID Anexo 1-D).
- **2023-08-15 - International transfer regulation public consultation begins**: Consulta Publica na plataforma Participa Mais Brasil (15/08/2023 a 14/10/2023, citado em RTID Anexo 1-D).
- **2023-09-12 - International transfer regulation public hearing held**: Audiencia Publica virtual realizada em 12/09/2023 (citada em RTID Anexo 1-D).
- **2023-10-14 - International transfer regulation public consultation ends**: Fim da Consulta Publica (14/10/2023, citado em RTID Anexo 1-D).
- **2023-12-27 - ANPD Regulatory Agenda 2023-2024 amended**: RESOLUTION CD/ANPD No. 11, of DECEMBER 27, 2023
- **2024-02-01 - Legitimate interest guide published (Feb 2024)**: FEV/2024 (cover; month only).
- **2024-04-24 - Security incident communication regulation approved (Resolução CD/ANPD No. 15/2024)**: Resolução CD/ANPD No. 15, de 24 de abril de 2024 (Regulamento de Comunicacao de Incidente de Seguranca).
- **2024-07-17 - ANPD SEI external user manual updated (v17-07-2024)**: Versao atualizada em 17/07/2024.
- **2025-08-18 - International data transfer regulation rectified (Aug 2025)**: (Amended by the RECTIFICATION of August 18, 2025)
- **2026-12-31 - ANPD personnel requisition authority expires (Decreto 10.474/2020)**: A ANPD poderá requisitar pessoal civil e militar até 31 de dezembro de 2026


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/latam/brazil-lgpd