---
title: "Brazil LGPD Privacy Law FAQ"
canonical_url: "https://www.sorena.io/artifacts/latam/brazil-lgpd/faq"
source_url: "https://www.sorena.io/artifacts/latam/brazil-lgpd/faq/items"
author: "Sorena AI"
description: "Practical guidance for the Brazil LGPD FAQ, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Brazil LGPD"
  - "FAQ"
  - "Brazil LGPD FAQ"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---

# Brazil LGPD Privacy Law FAQ

Practical guidance on the Brazil LGPD, covering decisions, evidence, edge cases, and external source citations.

## Brazil LGPD FAQ

Use this FAQ as a practical operating reference: each answer defines what to do, who owns the decision, and what evidence is required before moving forward.

Use this section to define scope, owner, evidence inputs, and the review outcome before execution.

This FAQ hub translates recurring LGPD questions into clear decisions, required evidence, and review steps for cross-functional teams.

## Browse sub-FAQ modules

### [What should teams do about Children's Data under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/children-s-data.md)

Brazil LGPD guidance for Children's Data, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Controller Operator And DPO Roles under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/controller-operator-and-dpo-roles.md)

Brazil LGPD guidance for Controller Operator And DPO Roles, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Cookies under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/cookies.md)

Brazil LGPD guidance for Cookies, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Incident Reporting To ANPD under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/incident-reporting-to-anpd.md)

Brazil LGPD guidance for Incident Reporting To ANPD, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about International Transfer Mechanisms under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/international-transfer-mechanisms.md)

Brazil LGPD guidance for International Transfer Mechanisms, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Legal Bases under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legal-bases.md)

Brazil LGPD guidance for Legal Bases, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Legitimate Interest Balancing under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legitimate-interest-balancing.md)

Brazil LGPD guidance for Legitimate Interest Balancing, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about RIPD and DPIA under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/ripd-and-dpia.md)

Brazil LGPD guidance for RIPD and DPIA, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Sanctions Methodology under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/sanctions-methodology.md)

Brazil LGPD guidance for Sanctions Methodology, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Small Processing Agents under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/small-processing-agents.md)

Brazil LGPD guidance for Small Processing Agents, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

Browse all indexed questions: [/artifacts/latam/brazil-lgpd/faq/items](/artifacts/latam/brazil-lgpd/faq/items.md)

## All FAQ items

*Page 1 of 2. Showing 20 of 30 items.*

### [What should teams do about Children's Data under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/children-s-data.md#what-should-teams-do-about-childrens-data-under-the-brazil-lgpd)

*Module: [What should teams do about Children's Data under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/children-s-data.md)*

Teams should treat Children's Data under the Brazil LGPD as a source-linked operating decision: confirm whether the issue affects controller/operator roles, lawful basis, data-subject rights, children's data, international transfers, security incidents, DPO/encarregado duties, or ANPD enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the Children's Data decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - LGPD Article 14 explains the highlighted parental or legal-guardian consent rule for children.
- [ANPD enunciado sobre tratamento de dados pessoais de crianças e adolescentes](https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-divulga-enunciado-sobre-o-tratamento-de-dados-pessoais-de-criancas-e-adolescentes?ref=sorena.io) - ANPD guidance confirms that the child or adolescent best-interest test must guide every legal basis assessment.

### [What evidence should teams keep for Children's Data under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/children-s-data.md#what-evidence-should-teams-keep-for-childrens-data-under-the-brazil-lgpd)

*Module: [What should teams do about Children's Data under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/children-s-data.md)*

Useful evidence is not just a privacy notice. Keep the source, role map, lawful-basis note, rights log, transfer analysis, incident assessment, DPO review, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - LGPD Article 14 also requires simple, clear, and accessible information for the child and the parent or legal guardian.
- [ANPD estudo técnico sobre tratamento de dados de crianças e adolescentes](https://www.gov.br/anpd/pt-br/acesso-a-informacao/institucional/atos-normativos/regulamentacoes_anpd/tratamento_de_dados_de_criancas_e_adolescentes.pdf?ref=sorena.io) - ANPD technical material supports careful assessment of Article 14 consent and limited collection exceptions.

### [Which mistakes create risk when handling Children's Data under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/children-s-data.md#which-mistakes-create-risk-when-handling-childrens-data-under-the-brazil-lgpd)

*Module: [What should teams do about Children's Data under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/children-s-data.md)*

The common failure pattern is using a GDPR-style answer without checking LGPD roles, lawful bases, ANPD guidance, transfer rules, incident thresholds, and Brazilian enforcement context.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - LGPD Article 14 is the primary rule for processing the personal data of children and adolescents.
- [ANPD enunciado sobre tratamento de dados pessoais de crianças e adolescentes](https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-divulga-enunciado-sobre-o-tratamento-de-dados-pessoais-de-criancas-e-adolescentes?ref=sorena.io) - ANPD guidance confirms that the child or adolescent best-interest test must guide every legal basis assessment.
- [ANPD estudo técnico sobre tratamento de dados de crianças e adolescentes](https://www.gov.br/anpd/pt-br/acesso-a-informacao/institucional/atos-normativos/regulamentacoes_anpd/tratamento_de_dados_de_criancas_e_adolescentes.pdf?ref=sorena.io) - ANPD technical material supports careful assessment of Article 14 consent and limited collection exceptions.
- [RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023](https://www.in.gov.br/web/dou/-/resolucao-cd/ANPD-n-4-de-24-de-fevereiro-de-2023-466146077?ref=sorena.io) - ANPD sanctions rules support escalation where role-mapping failures create enforcement exposure.

### [What should teams do about Controller Operator And DPO Roles under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/controller-operator-and-dpo-roles.md#what-should-teams-do-about-controller-operator-and-dpo-roles-under-the-brazil-lgpd)

*Module: [What should teams do about Controller Operator And DPO Roles under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/controller-operator-and-dpo-roles.md)*

Under the Brazil LGPD, the controller makes the decisions about the processing of personal data, the operator processes personal data on the controller's behalf, and the encarregado serves as the communication channel between the controller, the data subjects, and the ANPD.

- Write the Controller Operator And DPO Roles decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - LGPD Article 5 supplies the legal role definitions that anchor the controller, operator, and DPO evidence record.
- [ANPD Guia orientativo sobre atuação do encarregado](https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-lanca-guia-sobre-atuacao-do-encarregado?ref=sorena.io) - ANPD guidance supports the operational duties and escalation route for the encarregado role.

### [What evidence should teams keep for Controller Operator And DPO Roles under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/controller-operator-and-dpo-roles.md#what-evidence-should-teams-keep-for-controller-operator-and-dpo-roles-under-the-brazil-lgpd)

*Module: [What should teams do about Controller Operator And DPO Roles under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/controller-operator-and-dpo-roles.md)*

Useful evidence is not just a privacy notice. Keep the source, role map, lawful-basis note, rights log, transfer analysis, incident assessment, DPO review, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - LGPD Article 5 defines controlador, operador, encarregado, and agentes de tratamento for this roles FAQ.
- [ANPD Guia orientativo sobre atuação do encarregado](https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-lanca-guia-sobre-atuacao-do-encarregado?ref=sorena.io) - ANPD guidance supports the operational duties and escalation route for the encarregado role.
- [RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023](https://www.in.gov.br/web/dou/-/resolucao-cd/ANPD-n-4-de-24-de-fevereiro-de-2023-466146077?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Controller Operator And DPO Roles under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/controller-operator-and-dpo-roles.md#which-mistakes-create-risk-when-handling-controller-operator-and-dpo-roles-under-the-brazil-lgpd)

*Module: [What should teams do about Controller Operator And DPO Roles under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/controller-operator-and-dpo-roles.md)*

The common failure pattern is using a GDPR-style answer without checking LGPD roles, lawful bases, ANPD guidance, transfer rules, incident thresholds, and Brazilian enforcement context.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [ANPD Guia orientativo para definições dos agentes de tratamento e do encarregado](https://www.gov.br/anpd/pt-br/assuntos/noticias/nova-versao-do-guia-dos-agentes-de-tratamento?ref=sorena.io) - ANPD guidance explains who can act as controller, operator, and encarregado and how responsibilities apply in practice.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - LGPD Article 5 defines controlador, operador, encarregado, and agentes de tratamento for this roles FAQ.
- [ANPD Guia orientativo sobre atuação do encarregado](https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-lanca-guia-sobre-atuacao-do-encarregado?ref=sorena.io) - ANPD guidance supports the operational duties and escalation route for the encarregado role.
- [RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023](https://www.in.gov.br/web/dou/-/resolucao-cd/ANPD-n-4-de-24-de-fevereiro-de-2023-466146077?ref=sorena.io) - ANPD sanctions rules support escalation where role-mapping failures create enforcement exposure.

### [What should teams do about Cookies under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/cookies.md#what-should-teams-do-about-cookies-under-the-brazil-lgpd)

*Module: [What should teams do about Cookies under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/cookies.md)*

Teams should treat Cookies under the Brazil LGPD as a source-linked operating decision: confirm whether the issue affects controller/operator roles, lawful basis, data-subject rights, children's data, international transfers, security incidents, DPO/encarregado duties, or ANPD enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the Cookies decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [ANPD Guia Orientativo - Cookies e Proteção de Dados Pessoais](https://www.gov.br/anpd/pt-br/centrais-de-conteudo/materiais-educativos-e-publicacoes/guia-orientativo-cookies-e-protecao-de-dados-pessoais.pdf/@@download/file?ref=sorena.io) - ANPD cookie guidance explains when cookies can collect personal data and how transparency, purpose limitation, consent, legitimate interest, and rights controls should be reflected in cookie banners and policies.
- [ANPD - Cookies e Proteção de Dados Pessoais](https://www.gov.br/anpd/pt-br/assuntos/noticias-periodo-eleitoral/anpd-lanca-guia-orientativo-201ccookies-e-protecao-de-dados-pessoais201d?ref=sorena.io) - ANPD's announcement confirms the cookie guide is meant to support LGPD alignment for processing agents and transparent digital practices.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - The current LGPD text supplies the principles, transparency duties, data-subject rights, and lawful-basis framework that ANPD applies to cookie and tracking technologies.

### [What evidence should teams keep for Cookies under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/cookies.md#what-evidence-should-teams-keep-for-cookies-under-the-brazil-lgpd)

*Module: [What should teams do about Cookies under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/cookies.md)*

Useful evidence is not just a privacy notice. Keep the source, role map, lawful-basis note, rights log, transfer analysis, incident assessment, DPO review, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ANPD Guia Orientativo - Cookies e Proteção de Dados Pessoais](https://www.gov.br/anpd/pt-br/centrais-de-conteudo/materiais-educativos-e-publicacoes/guia-orientativo-cookies-e-protecao-de-dados-pessoais.pdf/@@download/file?ref=sorena.io) - Evidence support for cookie records because the ANPD guide identifies cookie categories, transparency information, consent controls, legitimate-interest considerations, and policy/banner practices.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Evidence support for cookie records because LGPD Article 9 requires clear, adequate, and easily accessible information about personal-data processing.
- [ANPD - Cookies e Proteção de Dados Pessoais](https://www.gov.br/anpd/pt-br/assuntos/noticias-periodo-eleitoral/anpd-lanca-guia-orientativo-201ccookies-e-protecao-de-dados-pessoais201d?ref=sorena.io) - Evidence support for the FAQ answer because ANPD frames the cookie guide around transparent practices and greater user understanding and control.

### [Which mistakes create risk when handling Cookies under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/cookies.md#which-mistakes-create-risk-when-handling-cookies-under-the-brazil-lgpd)

*Module: [What should teams do about Cookies under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/cookies.md)*

The common failure pattern is using a GDPR-style answer without checking LGPD roles, lawful bases, ANPD guidance, transfer rules, incident thresholds, and Brazilian enforcement context.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [ANPD Guia Orientativo - Cookies e Proteção de Dados Pessoais](https://www.gov.br/anpd/pt-br/centrais-de-conteudo/materiais-educativos-e-publicacoes/guia-orientativo-cookies-e-protecao-de-dados-pessoais.pdf/@@download/file?ref=sorena.io) - Risk and boundary support for the FAQ answer because the ANPD guide warns that cookie use is only legitimate when it respects LGPD principles, rights, and the data-protection regime.
- [ANPD - Cookies e Proteção de Dados Pessoais](https://www.gov.br/anpd/pt-br/assuntos/noticias-periodo-eleitoral/anpd-lanca-guia-orientativo-201ccookies-e-protecao-de-dados-pessoais201d?ref=sorena.io) - Risk and boundary support for the FAQ answer because ANPD connects cookie compliance to transparency and user control in digital environments.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Risk and boundary support for the FAQ answer because LGPD Article 6 requires purpose, adequacy, necessity, and transparency limits for personal-data processing.
- [RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023](https://www.in.gov.br/web/dou/-/resolucao-cd/ANPD-n-4-de-24-de-fevereiro-de-2023-466146077?ref=sorena.io) - Risk and boundary support for the FAQ answer because LGPD cookie failures can become enforcement issues under ANPD's sanctions and dosimetry regulation.

### [What should teams do about Incident Reporting To ANPD under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/incident-reporting-to-anpd.md#what-should-teams-do-about-incident-reporting-to-anpd-under-the-brazil-lgpd)

*Module: [What should teams do about Incident Reporting To ANPD under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/incident-reporting-to-anpd.md)*

Teams should treat Incident Reporting To ANPD under the Brazil LGPD as a source-linked operating decision: confirm whether the issue affects controller/operator roles, lawful basis, data-subject rights, children's data, international transfers, security incidents, DPO/encarregado duties, or ANPD enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the Incident Reporting To ANPD decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [ANPD - Comunicação de Incidente de Segurança](https://www.gov.br/anpd/pt-br/canais_atendimento/agente-de-tratamento/comunicado-de-incidente-de-seguranca-cis?ref=sorena.io) - ANPD's incident communication page supports the FAQ's reporting workflow by identifying controller responsibility, SEI filing, reportable incident criteria, and the three-business-day communication period.
- [Resolução CD/ANPD nº 15, de 24 de abril de 2024](https://dspace.mj.gov.br/bitstream/1/12879/2/RES_ANPD_2024_15.html?ref=sorena.io) - The incident-communication regulation is the primary rule for when and how controllers communicate security incidents to ANPD and affected data subjects.
- [RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023](https://www.in.gov.br/web/dou/-/resolucao-cd/ANPD-n-4-de-24-de-fevereiro-de-2023-466146077?ref=sorena.io) - Direct support for the FAQ answer on Incident Reporting To ANPD.

### [What evidence should teams keep for Incident Reporting To ANPD under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/incident-reporting-to-anpd.md#what-evidence-should-teams-keep-for-incident-reporting-to-anpd-under-the-brazil-lgpd)

*Module: [What should teams do about Incident Reporting To ANPD under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/incident-reporting-to-anpd.md)*

Useful evidence is not just a privacy notice. Keep the source, role map, lawful-basis note, rights log, transfer analysis, incident assessment, DPO review, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ANPD - Comunicação de Incidente de Segurança](https://www.gov.br/anpd/pt-br/canais_atendimento/agente-de-tratamento/comunicado-de-incidente-de-seguranca-cis?ref=sorena.io) - Evidence support for the FAQ answer because ANPD states that incident communication must be filed by the DPO or legal representative through SEI.
- [RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023](https://www.in.gov.br/web/dou/-/resolucao-cd/anpd-n-4-de-24-de-fevereiro-de-2023-466146077?ref=sorena.io) - Evidence support for the FAQ answer.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Evidence support for the FAQ answer because LGPD Article 48 requires controllers to communicate security incidents that may create relevant risk or harm to data subjects.

### [Which mistakes create risk when handling Incident Reporting To ANPD under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/incident-reporting-to-anpd.md#which-mistakes-create-risk-when-handling-incident-reporting-to-anpd-under-the-brazil-lgpd)

*Module: [What should teams do about Incident Reporting To ANPD under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/incident-reporting-to-anpd.md)*

The common failure pattern is using a GDPR-style answer without checking LGPD roles, lawful bases, ANPD guidance, transfer rules, incident thresholds, and Brazilian enforcement context.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [ANPD - Comunicação de Incidente de Segurança](https://www.gov.br/anpd/pt-br/canais_atendimento/agente-de-tratamento/comunicado-de-incidente-de-seguranca-cis?ref=sorena.io) - Risk and boundary support for the FAQ answer because ANPD lists the cumulative criteria for incidents that must be communicated.
- [Resolução CD/ANPD nº 15, de 24 de abril de 2024](https://dspace.mj.gov.br/bitstream/1/12879/2/RES_ANPD_2024_15.html?ref=sorena.io) - Risk and boundary support for the FAQ answer because the regulation defines the communication process and ANPD follow-up for relevant-risk incidents.
- [RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023](https://www.in.gov.br/web/dou/-/resolucao-cd/anpd-n-4-de-24-de-fevereiro-de-2023-466146077?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Risk and boundary support for the FAQ answer because LGPD Article 48 frames incident reporting around risk or relevant harm to data subjects.

### [What transfer mechanisms are allowed under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/international-transfer-mechanisms.md#what-transfer-mechanisms-are-allowed-under-the-brazil-lgpd)

*Module: [What should teams do about International Transfer Mechanisms under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/international-transfer-mechanisms.md)*

Teams should treat international transfers under the Brazil LGPD as a source-linked operating decision: confirm whether the transfer can rely on adequacy, contractual safeguards, binding corporate rules, consent, legal necessity, public policy, ANPD authorization, international cooperation, or other cases listed in Article 33, then assign the team that can change the process and keep evidence showing the action and review trigger.

- Adequacy: transfer to countries or international organizations that provide an adequate level of personal data protection recognized by ANPD.
- Contractual safeguards: specific contractual clauses, standard contractual clauses, or binding corporate rules when the controller proves compliance with LGPD principles, data subject rights, and the data protection regime.
- Other Article 33 cases: cooperation between public bodies, protection of life or physical integrity, ANPD authorization, international cooperation agreements, public policy or legal attribution, specific consent, or the hypotheses in Article 7 or Article 11.
- Keep the legal basis, the mechanism used, and the source quote together in the evidence record.

Sources for this answer:

- [Lei nº 13.709/2018 (LGPD) - Article 33 international transfers](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Primary LGPD source for the legal mechanisms that permit international transfers of personal data from Brazil.
- [ANPD Resolution CD/ANPD nº 19/2024 on international data transfers](https://www.gov.br/anpd/pt-br/acesso-a-informacao/institucional/atos-normativos/regulamentacoes_anpd/resolucao-cd-anpd-no-19-de-23-de-agosto-de-2024?ref=sorena.io) - ANPD regulation source for international transfer procedures, standard contractual clauses, and related transfer mechanisms under the LGPD.
- [ANPD international transfer standard contractual clauses consultation page](https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-abre-tomada-de-subsidios-sobre-transferencia-internacional-de-dados-pessoais?ref=sorena.io) - ANPD source showing regulatory treatment of international transfers and standard contractual clauses under the LGPD.

### [What evidence should teams keep for International Transfer Mechanisms under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/international-transfer-mechanisms.md#what-evidence-should-teams-keep-for-international-transfer-mechanisms-under-the-brazil-lgpd)

*Module: [What should teams do about International Transfer Mechanisms under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/international-transfer-mechanisms.md)*

Useful evidence is not just a privacy notice. Keep the source, role map, lawful-basis note, rights log, transfer analysis, incident assessment, DPO review, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [ANPD Resolution CD/ANPD nº 19/2024 on international data transfers](https://www.gov.br/anpd/pt-br/acesso-a-informacao/institucional/atos-normativos/regulamentacoes_anpd/resolucao-cd-anpd-no-19-de-23-de-agosto-de-2024?ref=sorena.io) - ANPD regulation source for international transfer procedures, standard contractual clauses, and related transfer mechanisms under the LGPD.
- [ANPD - Transferência Internacional de Dados](https://www.gov.br/anpd/pt-br/assuntos/assuntos-internacionais/transferencia-internacional-de-dados?ref=sorena.io) - ANPD guidance page summarizing LGPD international transfer mechanisms, including adequacy, contractual clauses, and global corporate rules.

### [Which mistakes create risk when handling International Transfer Mechanisms under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/international-transfer-mechanisms.md#which-mistakes-create-risk-when-handling-international-transfer-mechanisms-under-the-brazil-lgpd)

*Module: [What should teams do about International Transfer Mechanisms under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/international-transfer-mechanisms.md)*

The common failure pattern is using a GDPR-style answer without checking LGPD roles, lawful bases, ANPD guidance, transfer rules, incident thresholds, and Brazilian enforcement context.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Lei nº 13.709/2018 (LGPD) - Article 33 international transfers](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Primary LGPD source for the legal mechanisms that permit international transfers of personal data from Brazil.
- [ANPD Resolution CD/ANPD nº 19/2024 on international data transfers](https://www.gov.br/anpd/pt-br/acesso-a-informacao/institucional/atos-normativos/regulamentacoes_anpd/resolucao-cd-anpd-no-19-de-23-de-agosto-de-2024?ref=sorena.io) - ANPD regulation source for international transfer procedures, standard contractual clauses, and related transfer mechanisms under the LGPD.
- [ANPD - Transferência Internacional de Dados](https://www.gov.br/anpd/pt-br/assuntos/assuntos-internacionais/transferencia-internacional-de-dados?ref=sorena.io) - ANPD guidance page summarizing LGPD international transfer mechanisms, including adequacy, contractual clauses, and global corporate rules.

### [What should teams do about Legal Bases under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legal-bases.md#what-should-teams-do-about-legal-bases-under-the-brazil-lgpd)

*Module: [What should teams do about Legal Bases under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legal-bases.md)*

Teams should treat Legal Bases under the Brazil LGPD as a source-linked operating decision: confirm whether the issue affects controller/operator roles, lawful basis, data-subject rights, children's data, international transfers, security incidents, DPO/encarregado duties, or ANPD enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the Legal Bases decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - LGPD Article 7 is the primary rule for the lawful bases that a Legal Bases FAQ must map to processing decisions.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 11](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Article 11 is the official LGPD source for sensitive-personal-data legal bases and exception handling.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 10](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Article 10 is the official LGPD basis for legitimate-interest balancing, including necessity, transparency, and ANPD impact-report requests.

### [What evidence should teams keep for Legal Bases under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legal-bases.md#what-evidence-should-teams-keep-for-legal-bases-under-the-brazil-lgpd)

*Module: [What should teams do about Legal Bases under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legal-bases.md)*

Useful evidence is not just a privacy notice. Keep the source, role map, lawful-basis note, rights log, transfer analysis, incident assessment, DPO review, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 11](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Article 11 is the official LGPD source for sensitive-personal-data legal bases and exception handling.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 10](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Article 10 is the official LGPD basis for legitimate-interest balancing, including necessity, transparency, and ANPD impact-report requests.
- [RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023](https://www.in.gov.br/web/dou/-/resolucao-cd/anpd-n-4-de-24-de-fevereiro-de-2023-466146077?ref=sorena.io) - ANPD dosimetry regulation used to support sanctions-methodology decisions, fine calculation evidence, and enforcement-risk review.

### [Which mistakes create risk when handling Legal Bases under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legal-bases.md#which-mistakes-create-risk-when-handling-legal-bases-under-the-brazil-lgpd)

*Module: [What should teams do about Legal Bases under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legal-bases.md)*

The common failure pattern is using a GDPR-style answer without checking LGPD roles, lawful bases, ANPD guidance, transfer rules, incident thresholds, and Brazilian enforcement context.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - LGPD Article 7 is the primary rule for the lawful bases that a Legal Bases FAQ must map to processing decisions.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 11](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Article 11 is the official LGPD source for sensitive-personal-data legal bases and exception handling.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 10](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Article 10 is the official LGPD basis for legitimate-interest balancing, including necessity, transparency, and ANPD impact-report requests.
- [RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023](https://www.in.gov.br/web/dou/-/resolucao-cd/anpd-n-4-de-24-de-fevereiro-de-2023-466146077?ref=sorena.io) - ANPD dosimetry regulation used to support sanctions-methodology decisions, fine calculation evidence, and enforcement-risk review.

### [What should teams do about Legitimate Interest Balancing under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legitimate-interest-balancing.md#what-should-teams-do-about-legitimate-interest-balancing-under-the-brazil-lgpd)

*Module: [What should teams do about Legitimate Interest Balancing under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legitimate-interest-balancing.md)*

Teams should treat Legitimate Interest Balancing under the Brazil LGPD as a source-linked operating decision: confirm whether the issue affects controller/operator roles, lawful basis, data-subject rights, children's data, international transfers, security incidents, DPO/encarregado duties, or ANPD enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the Legitimate Interest Balancing decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 10](https://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Lei/L13709compilado.htm?ref=sorena.io) - Article 10 is the official LGPD basis for legitimate-interest balancing, including necessity, transparency, and ANPD impact-report requests.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 10 §1º](https://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Lei/L13709compilado.htm?ref=sorena.io) - Necessity language supports limiting legitimate-interest processing to the minimum personal data needed for the stated purpose.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 10 §2º](https://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Lei/L13709compilado.htm?ref=sorena.io) - Transparency language supports documenting notices and review evidence for legitimate-interest balancing.

### [What evidence should teams keep for Legitimate Interest Balancing under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legitimate-interest-balancing.md#what-evidence-should-teams-keep-for-legitimate-interest-balancing-under-the-brazil-lgpd)

*Module: [What should teams do about Legitimate Interest Balancing under the Brazil LGPD?](/artifacts/latam/brazil-lgpd/faq/legitimate-interest-balancing.md)*

Useful evidence is not just a privacy notice. Keep the source, role map, lawful-basis note, rights log, transfer analysis, incident assessment, DPO review, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 10 §1º](https://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Lei/L13709compilado.htm?ref=sorena.io) - Necessity language supports limiting legitimate-interest processing to the minimum personal data needed for the stated purpose.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 10 §2º](https://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Lei/L13709compilado.htm?ref=sorena.io) - Transparency language supports documenting notices and review evidence for legitimate-interest balancing.
- [LEI Nº 13.709, DE 14 DE AGOSTO DE 2018 - Art. 10 §3º](https://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Lei/L13709compilado.htm?ref=sorena.io) - ANPD impact-report language supports retaining a balancing record and escalation path for legitimate-interest processing.

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/latam/brazil-lgpd/faq/items
