--- title: "Brazil LGPD Requirements" canonical_url: "https://www.sorena.io/artifacts/latam/brazil-lgpd/requirements" source_url: "https://www.sorena.io/artifacts/latam/brazil-lgpd/requirements" author: "Sorena AI" description: "Operational Brazil LGPD requirements map covering scope, lawful bases, transparency, rights, records, DPO, security, incidents, transfers." published_at: "2026-02-21" updated_at: "2026-02-21" keywords: - "Brazil LGPD requirements" - "LGPD control mapping" - "ANPD evidence" - "Brazil privacy controls" - "LGPD article mapping" - "LGPD controls" - "privacy control mapping" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # Brazil LGPD Requirements Operational Brazil LGPD requirements map covering scope, lawful bases, transparency, rights, records, DPO, security, incidents, transfers. *Requirements Guide* *Article to Control Mapping* ## Brazil LGPD Requirements Use one register that links each LGPD requirement to a control, owner, and proof set. The most useful requirement map is the one a privacy lead, product lead, and ANPD reviewer can all follow without translation. LGPD implementation becomes manageable when the requirements are grouped into operating domains. The practical domains are scope and roles, lawful bases and transparency, rights, records and DPO, security and incidents, transfers, and sanctions mitigation. ## Scope, roles, and accountability requirements Articles 3 to 5, 37, 39, and 41 create the accountability spine. Controllers need defensible scope analysis, operator oversight, records of processing, and a designated DPO with public contact information. The ANPD agents guide adds useful operational detail on controller, operator, suboperator, and DPO allocation. - Requirement: scope memo covering Article 3 and Article 4 - Control: role matrix for controller, operator, suboperator, and DPO - Evidence: processing inventory, contracts, appointment act, website DPO disclosure *Recommended next step* *Placement: after the requirement breakdown* ## Turn Brazil LGPD Requirements into an operational assessment Assessment Autopilot can take Brazil LGPD Requirements from turning the requirements into assigned actions to a reusable workflow inside Sorena. Teams working on Brazil LGPD can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for Brazil LGPD Requirements](/solutions/assessment.md): Start from Brazil LGPD Requirements and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through Brazil LGPD](/contact.md): Review your current process, evidence gaps, and next steps for Brazil LGPD Requirements. ## Lawful basis, transparency, and rights requirements Articles 7 to 11, 14, 18, 19, and 20 drive the user-facing core of the regime. Teams need consistent basis selection, clear notices, rights intake, immediate or 15 day response logic, and automated decision review controls. Best-interest analysis for children and adolescents and legitimate-interest balancing are now specific evidence items, not informal assumptions. - Requirement: basis register and notice content by purpose - Control: request intake, verification, response, denial, and escalation workflow - Evidence: basis log, notice versions, request case files, balancing tests, child-data assessment notes ## Security, incident, and transfer requirements Articles 46 to 49 require technical and administrative measures, while Article 48 and the current ANPD rule create a live incident communication clock. Articles 33 to 35 then impose separate transfer controls with mechanism and transparency requirements. These duties need real operational evidence such as logs, contracts, forms, tabletop outcomes, and corrective actions. - Requirement: appropriate technical and administrative safeguards - Control: incident triage and 3 business day reporting workflow - Control: transfer register, contract clause governance, and website disclosures - Evidence: security policy, access logs, incident form, communications, signed clauses, transfer notice ## Good practices and sanctions requirements Articles 50 to 52 and Resolution CD ANPD No. 4/2023 reward good-faith governance, prompt corrective action, cooperation, and durable internal procedures. A sanctions-ready program keeps that evidence current even when there is no open case. This is where remediation tracking, training, and board reporting become legally relevant. - Requirement: good practices and governance program with internal supervision - Control: quarterly control testing, exception review, and remediation closure - Evidence: committee minutes, risk decisions, training completion, test results, corrective action records ## Primary sources - [Lei No. 13.709/2018 (LGPD)](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Primary legal text for the requirement domains summarized here. - [ANPD guide for controllers, processors, and DPOs (May 2021)](https://www.gov.br/anpd/pt-br/documentos-e-publicacoes/2021.05.27GuiaAgentesdeTratamento_Final.pdf?ref=sorena.io) - Official ANPD guide on role and DPO expectations. - [Resolution CD/ANPD No. 4/2023](https://www.in.gov.br/web/dou/-/resolucao-cd/anpd-n-4-de-24-de-fevereiro-de-2023-466146077?ref=sorena.io) - Official ANPD rule on dosimetry and administrative sanctions. ## Related Topic Guides - [ANPD Enforcement and Fines | Brazil LGPD Inspection, Procedure, and Sanctions](/artifacts/latam/brazil-lgpd/anpd-enforcement-and-fines.md): Grounded ANPD enforcement guide covering inspection procedure, sanctions progression, Article 52 factors, Resolution CD ANPD No. - [Brazil LGPD Applicability Test | Article 3 Scope, Article 4 Exclusions, Roles](/artifacts/latam/brazil-lgpd/applicability-test.md): Grounded Brazil LGPD applicability test covering Article 3 territorial reach, Article 4 exclusions, controller versus operator allocation. - [Brazil LGPD Checklist | Scope, Rights, Incidents, Transfers, Evidence](/artifacts/latam/brazil-lgpd/checklist.md): Audit-ready Brazil LGPD checklist covering scope, role allocation, lawful bases, rights timing, DPO disclosure, security, incident reporting. - [Brazil LGPD Compliance Program Guide](/artifacts/latam/brazil-lgpd/compliance.md): Build a grounded Brazil LGPD compliance program around scope, lawful bases, rights, records, incident reporting, transfers, DPO, and ANPD-ready evidence. - [Brazil LGPD Data Subject Rights | Articles 18 to 20 and 15 Day Access Rule](/artifacts/latam/brazil-lgpd/data-subject-rights.md): Grounded Brazil LGPD rights guide covering Articles 18 to 20, free requests, immediate simplified confirmation, full access declaration within 15 days. - [Brazil LGPD Deadlines and Compliance Calendar](/artifacts/latam/brazil-lgpd/deadlines-and-compliance-calendar.md): Brazil LGPD compliance calendar covering key legal and ANPD milestones plus recurring duties for rights, incidents, transfers, training. - [Brazil LGPD DSAR Response Template | Immediate and 15 Day Response Logic](/artifacts/latam/brazil-lgpd/lgpd-dsar-response-template.md): Use a Brazil LGPD DSAR response template aligned to Articles 18 and 19, immediate simplified response, full declaration within 15 days, denial rationale. - [Brazil LGPD FAQ | Scope, Rights, Incidents, Transfers, Enforcement](/artifacts/latam/brazil-lgpd/faq.md): Practical Brazil LGPD FAQ answering common scope, lawful basis, rights, incident, transfer, DPO, and enforcement questions using the law and ANPD guidance. - [Brazil LGPD Incident Reporting and Breach Notification](/artifacts/latam/brazil-lgpd/breach-notification.md): Grounded Brazil LGPD incident reporting guide covering Article 48, ANPD Resolution CD ANPD No. - [Brazil LGPD International Transfers | Articles 33 to 35 and ANPD Transfer Mechanisms](/artifacts/latam/brazil-lgpd/international-transfers.md): Grounded Brazil LGPD transfer guide covering Articles 33 to 35, adequacy, ANPD standard contractual clauses, specific clauses, binding corporate rules. - [Brazil LGPD Lawful Bases | Article 7, Article 11, Legitimate Interest](/artifacts/latam/brazil-lgpd/lawful-bases.md): Grounded Brazil LGPD lawful basis guide covering Article 7 and 11 bases, consent rules, ANPD legitimate interest guide, sensitive data. - [Brazil LGPD Penalties and Fines | Article 52 and ANPD Dosimetry](/artifacts/latam/brazil-lgpd/penalties-and-fines.md): Grounded Brazil LGPD penalties guide covering Article 52 sanctions, 2 percent fine cap, R$50 million limit per infraction, publicization, blocking, deletion. - [Brazil LGPD Templates | DSAR, Incident, Basis, Transfer, Governance](/artifacts/latam/brazil-lgpd/templates.md): Practical Brazil LGPD template library priorities covering DSAR responses, incident communications, lawful basis records, transfer assessments. - [Brazil LGPD vs CCPA and CPRA | Structure, Rights, Enforcement, and Reuse](/artifacts/latam/brazil-lgpd/lgpd-vs-ccpa.md): Grounded comparison of Brazil LGPD and CCPA or CPRA covering scope logic, legal basis model, rights timing, cross-border governance, and reusable controls. - [Brazil LGPD vs GDPR | Similarities, Differences, and Control Reuse](/artifacts/latam/brazil-lgpd/lgpd-vs-gdpr.md): Grounded comparison of Brazil LGPD and GDPR covering scope, lawful bases, rights timing, DPO rules, transfer mechanisms, incident reporting. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/latam/brazil-lgpd/requirements