Run Article 3 territorial scope and Article 4 exclusions before you launch controls.
A correct LGPD program starts with processing facts, entity reach, and role allocation, not with a generic privacy checklist.
Structured answer sets in this page tree.
Cited legal and guidance references.
Article 3 makes LGPD apply regardless of headquarters location when processing is carried out in Brazil, goods or services are offered to individuals located in Brazil, or personal data is collected in Brazil. Article 4 then removes specific private, journalistic, artistic, academic, public security, national defense, state security, and criminal investigation contexts from the general LGPD regime.
LGPD covers any processing operation involving personal data of a natural person, in digital or physical form. Start by identifying the actual processing operations, not only the product name or contract label.
If the activity only handles anonymized data that cannot reasonably be re-identified, the scope analysis may narrow. If identifiable telemetry, support records, HR data, or user content remain, continue the test.
LGPD can apply even when the controller is outside Brazil. The decisive questions are where the operation occurs, whether the business offers or supplies goods or services to people located in Brazil, and whether the personal data was collected in Brazil.
Foreign groups often fail this step by focusing only on corporate domicile. Article 3 is designed to reach processing that materially targets or involves people in Brazil.
Article 4 exclusions are specific and should not be stretched. Private non-economic household activity, journalistic and artistic activity, academic activity with Articles 7 and 11 still relevant, and certain public security or criminal enforcement contexts are outside the ordinary LGPD track.
A business cannot claim an exclusion just because one department has a public function or because a dataset is later reused for research. The actual purpose and legal context of the processing matter.
The ANPD agents guide treats the controller as the party that makes the essential decisions on purpose and means, while the operator acts according to the controller instructions. Shared or joint decision patterns can produce joint controllership for part of a flow.
Role labels in the contract help, but the factual allocation of decision-making authority matters more than contract vocabulary.
Assessment Autopilot can take Brazil LGPD Applicability Test from deciding whether these obligations apply in practice to a reusable workflow inside Sorena. Teams working on Brazil LGPD can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
Start from Brazil LGPD Applicability Test and turn the guidance into owned tasks, evidence requests, and review checkpoints.
Review your current process, evidence gaps, and next steps for Brazil LGPD Applicability Test.