Home / Publications / Data Law Navigator | Brazil

Data Law Navigator | Brazil

Information on Data Protection and Cyber Security laws from CMS experts

<< back to Overview
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Jump directly to Cyber Security >>

Data Protection 

Last reviewed April 2020

Risk scale

Risk Scale Orange


General Data Protection Law ("LGPD") 13,709/2018 to come into force in August 2020.


National Data Protection Authority ("ANPD").

Anticipated changes to law

Bill 5,762/2019 proposes to postpone the enforcement of the LGPD from August 2020 to August 2022. The bill is pending, and will require approval by the majority of the Congress and Senate. There is not yet an estimated date for the approval of this bill.


LGPD applies to any processing operation carried out by a natural person or legal entity governed by public or private law (irrespective of the means of processing or headquarters of the processing entity), if: 

  1. the processing operation be carried out in the Brazilian territory; 
  2. the purpose of the processing activity is (a) the offer or supply of goods or services or (b) the processing of data of individuals located in the Brazilian territory;
  3. the processed personal data have been collected in the Brazilian territory. 

Personal data collected in the Brazilian territory are considered those personal data, the subject of which is in the Brazilian territory at the time of the collection. 


  • warning; 
  • fine of up to 2% of the entity's profit in its last fiscal year limited to BRL 50 million for infraction;
  • daily fine;
  • publication of infraction;
  • blockage of personal data that relates to infraction for regularization;
  • erasure of personal data that refers to infraction;

Registration / Notification

Provision for notification to ANPD and affected data subject of data breach that may cause a breach or relevant damage to data subjects. 
There is no requirement to register data processing activities, databases or cross-border flow with the ANPD. 

Main obligations and processing requirements

The Controller and Data Processor must comply with the principle of good faith and the following principles: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, liability and demonstration of compliance with the law. 
Personal data, including sensitive personal data can only be processed or transferred out of Brazil on specified legal bases. 

Data Controller and Data Processor shall keep records of the personal data processing of personal data. 

Controller shall appoint a Data Protection Officer, who shall act as a communication channel between the Controller, Data Subject and the ANPD.

The processing agents shall adopt security, technical and administrative measures to protect personal data from unauthorised access, or illicit or accidental incidents that leads to destruction, loss, alteration, communication or any other form of illicit or inadequate access. 

Controller must notify the ANPD and data subject of any incident that could result in a breach or relevant damage to data subjects. 

Data subject rights

Data Subject has the following rights:

  • confirmation of existence of personal data;
  • access to data;
  • correction of incomplete, inadequate or out of date data;
  • anonymisation, block, or erasure of unnecessary, excessive or incompliant processed data;
  • portability of data;
  • erasure of persona data obtained with consent; 
  • information regarding the sharing of data with private and public entities;
  • information on the possibility of not providing consent and the negative consequences;
  • revocation of consent;
  • complaint about data processing to ANPD;
  • challenge to data processing obtained without consent, if it is not in compliance with the law;
  • review of automated decision making of personal data that may affect data subject´s interests. 

Processing by third parties

Is subject to the data subject’s consent. 

Transfers out of the Country

The international transfer of personal data is only permitted in the following cases: 

  1. to countries or international organizations that provide the appropriate level of personal data protection required by Brazilian law;
  2. where the controller demonstrates that compliance with the principles, data subject rights and data protection regime established in this Law, is assured either by: a) specific contractual provisions for a given transfer; b) standard terms and conditions; c) global corporate rules; d) seals, certificates or codes of conduct; 
  3. where the transfer is required for international legal cooperation between government intelligence, investigation and police bodies; 
  4. where the transfer is required for life protection or physical integrity of the data subject or any third party; 
  5. where the supervisory authority authorizes such transfer; 
  6. where the transfer results in a commitment undertaken under an international cooperation agreement; 
  7. where the transfer is required for enforcement of a public policy or legal attribution of the public utility; 
  8. where the data subject has provided specific and highlighted consent for such transfer, with previous information on the international nature of the operation, clearly distinguishing it from any other purposes; or
  9. where required for compliance with a statutory or regulatory obligation by the controller or whenever necessary for the performance of agreements or preliminary procedures relating to agreements to which the data subject is a party, at the request of the data subject or in the regular exercise of rights in lawsuits, administrative or arbitration proceedings.

Data Protection Officer

An “in charge” person shall be appointed by the Controller to:

  • accept complaints and communication by data subjects, provide clarification and take measures;
  • receive communication from ANPD and take appropriate measures;
  • instruct staff and contractors in respect of data processing practices and; 
  • perform any other instructions by the Controller or established by complimentary rules. 


The LGPD establishes that the ANPD may provide for minimum standard technical security measures. 

The processing agents shall adopt security, technical and administrative measures to protect personal data from unauthorised access, or illicit or accidental incidents that leads to destruction, loss, alteration, communication or any other form of illicit or inadequate access. 

Breach Notification

Controller is required to report data breach to ANPD and the affected data subject in the event of incidents that may cause a breach or relevant damages to data subjects. 

Direct Marketing

The LGPD does not specifically deal with direct marketing, but it is understood that data processing for direct marketing shall require the data subject’s consent. 


The LGPD does not specifically deal with Cookies, but it is understood that data processing for Cookies shall require the data subject’s consent.

Useful Links

Cyber Security

Last reviewed April 2020

Risk scale

Risk Scale Orange

Laws and regulations    

There are no Brazilian laws intended to specifically regulate cybercrime or cybersecurity. There are some specific cybersecurity regulations in certain sectors, such a financial institutions and telecommunications. 

The Consumer Code (Law 8,078/1990) and the Internet Law 12,965/2014 (“Marco Civil”) provide for certain principles and rules that should be observed in relation to cybersecurity/data protection. 

The Criminal Code (Decree Law 2,848/1940) establishes the crime of a computer device invasion, whether or not connected to a network, through an improper breach of security mechanisms and for the purpose of obtaining, altering or destroying data or information without the express or implied authorization of the device owner. It is also an offence to install vulnerabilities to gain an illicit advantage.  Denial-of-service attacks can also be punished under the Brazilian Criminal Code and the Child and Adolescent Act (Law 8,069/1990) provides for the crime of handling child pornographic materials.


There is no specific authority regulating and inspecting compliance with cybersecurity. The Public Prosecutor’s Office, the Ministry of Justice and consumer protection authorities (e.g., the Consumer Protection and Defence Authority and the National Consumer Secretariat) are entities responsible for filing administrative or judicial proceedings against companies or individuals that violate privacy rights. 

Key obligations 

The Marco Civil deals only with the use of internet in Brazil and it provides, as one of its principles, the preservation of stability, security and functionality of the network, via technical measures consistent with international standards and by encouraging the use of best practices.


The crime of invading a computer device is subject to imprisonment from three months to one year and a fine. The offence to install vulnerabilities to gain an illicit advantage is subject to imprisonment from 3 months to 1 year and a fine to be established by the Court. 

If the offence results in obtaining private electronic communications, trade or industrial secrets, confidential information (as defined by law) or unauthorized remote control of the device invaded, the penalty is imprisonment from 6 months to 2 years and fine. The penalties can be increased by 2/3, if there is any disclosure, commercialization or transmission to any third party of the data or information obtained, and by 1/3 to 1/2, if the offence is committed against members of the Public Administration.

Denial-of-service attacks meaning the interruption or disturbance of telegraph, radiotelegraph or telephone services as well as telematics services or public utility information services may be punished with imprisonment and a fine. The maximum penalty is three years of imprisonment, and this penalty may be doubled if the offence occurs during a public calamity.

Please note that a company cannot be convicted of a criminal offence, except environmental offences. However, individual agents involved in the invasion can be penalized. 

Unlawful use of photographs, videos or other materials containing explicit sex scenes or child pornography is subject to a penalty of up to eight years’ imprisonment.

The Consumer Code may impose a fine on organisations that are non-compliant with cybersecurity to the extent that it causes damages to a consumer. 

The Internet Act establishes a fine of up to 10% of the breaching entity’s economic turnover in Brazil in the previous fiscal year, or the suspension or prohibition of services for not complying with the Law. 

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes, there is: https://www.cert.br/csirts/brasil/. CERT.br is the Internet Security Response Group for Brazil, coordinated by NIC.br, the Internet Management Committee for Brazil. 

Cert.br is responsible for dealing with computer security incidents involving networks connected to the internet in Brazil. It acts as a central point for receipt of security incident notifications, coordinating and supporting responses to such incidents and connecting the parties involved. 

CERT.br also aims to raise awareness of internet security issues, analyse strands and connections between incidents and to Support the establishment of CSIRTs.

Is there a national incident management structure for responding to cyber security incidents?

No, there is not a national incident management structure for responding to cyber security incidents. There are, however, specific structures for regulated sectors and regulatory agencies, such as the rules applicable to telecommunications providers, within the ambit of the regulator, ANATEL. 

Other cyber security initiatives 

Although there is not a specific cybersecurity law, the Federal Governmental has recently approved a National Strategy-E Cyber Plan with the purpose of providing guidance about the main actions it intends to implement for cybersecurity. This does not, itself, create binding obligations for private individuals or companies.

Useful links    


<< back to Overview


Picture of Ted Rhodes
Ted Rhodes
Rio de Janeiro
Image of Carolina Vaissman Uribe
Carolina Vaissman Uribe
Rio de Janeiro