- ANPD guidance on interpreting legitimate interest and documenting the balancing test.
"purpose; necessity; and balancing and safeguards"
Lawful-basis decisions under Brazil's LGPD should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.
Use this section to define scope, owner, evidence inputs, and the review outcome before execution.
This page explains the lawful bases for processing personal data under Brazil's LGPD and how to choose the right one in practice. It summarizes the legal bases in Article 7 for personal data and Article 11 for sensitive data, then shows what teams should document, review, and escalate before processing begins.
Start by deciding whether the issue is a personal-data or sensitive-data case, then map it to the relevant LGPD lawful basis. Article 7 covers consent, legal or regulatory obligation, public administration, research, contract performance, judicial, administrative or arbitral proceedings, protection of life or physical safety, health protection, legitimate interest, and credit protection. Article 11 adds the specific lawful bases for sensitive data, including specific and highlighted consent and the listed necessity cases.
Keep the LGPD source, role map, lawful-basis analysis, data-subject-right record, transfer basis, incident assessment, and ANPD-facing evidence together.
Ownership should sit with the team that controls the processing purpose, data-subject channel, vendor relationship, transfer mechanism, security incident response, or ANPD communication.
Evidence should show controller/operator mapping, lawful basis, transparency notice, rights response, transfer analysis, incident decision, DPO involvement, and ANPD remediation record where applicable.
Most LGPD mistakes happen at the boundary between controller and operator duties, consent and other lawful bases, academic or public-interest processing, international transfers, and incident notification thresholds.
Apply this section before approving a processing activity, vendor arrangement, transfer, rights workflow, child-data handling, or incident response under LGPD. If evidence is missing, block progression and raise a review task.
Use an LGPD workflow that captures role, purpose, lawful basis, data category, data-subject right, transfer or incident trigger, DPO review, evidence, and review date.
The output should be a lawful-basis memo, role map, privacy notice update, DSAR record, transfer note, incident assessment, or ANPD response pack.
This artifact page provides practical inputs, owner roles, required outputs, and evidence checkpoints for lawful bases.
"educational materials and publications"
"The processing of personal data may only be carried out in the following cases"
"This Resolution CD/ANPD No. 4, of 24 February 2023, deals with the application of administrative sanctions and"