What should teams do about Legal Bases under the Brazil LGPD?
Teams should treat Legal Bases under the Brazil LGPD as a source-linked operating decision: confirm whether the issue affects controller/operator roles, lawful basis, data-subject rights, children data, international transfers, security incidents, DPO/encarregado duties, or ANPD enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.
The safest first step is to identify the controller/operator role, purpose, lawful basis, data category, data-subject right, transfer, or incident trigger before assigning the LGPD action.
- Write the Legal Bases decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.
LGPD Article 7 is the primary rule for the lawful bases that a Legal Bases FAQ must map to processing decisions.
Article 11 is the official LGPD source for sensitive-personal-data legal bases and exception handling.
Article 10 is the official LGPD basis for legitimate-interest balancing, including necessity, transparency, and ANPD impact-report requests.