Brazil

ANPD is the national authority responsible for enforcement, guidance, and international cooperation. Transitioned to independent autarquia status.

Ten legal bases for processing (broader than GDPR). Consent must be written or demonstrated. Specific consent for sensitive data. Legitimate interest is available.

Nine rights: confirmation of processing, access, correction, anonymisation/blocking/deletion, portability, information about sharing, consent management, revocation, and opposition.

Transfers to countries with adequate protection, SCCs, binding corporate rules, or with data subject consent. ANPD has issued transfer regulation.

Notification to ANPD and data subjects within reasonable time of security incidents that may create risk or relevant damage. ANPD regulation specifies procedures.

Every controller must appoint a DPO (Encarregado). ANPD resolution allows small businesses to be exempt in certain circumstances.

Specific consent of at least one parent/guardian required for children and adolescents. Best interests of the child must be considered.

Up to 2% of revenue in Brazil (max BRL 50 million per infraction). ANPD can also impose warnings, partial/total suspension of database, and daily fines.

Brazilian Central Bank data regulations, health data regulations (ANVISA), consumer protection code supplements LGPD. Sectoral regulation still developing.

No specific cookie law. General LGPD consent requirements apply to cookies collecting personal data. ANPD guidance expected.

LGPD Article 20 provides right to request review of automated decisions. AI regulation bill (PL 2338/2023) progressing through Congress.

No general data localisation requirement. Some sector-specific requirements for government and health data.

No direct equivalent. LGPD obligations apply to all controllers. Small businesses have reduced obligations per ANPD resolution.

LGPD applies to government processing with specific provisions. Processing for public safety, national defence, and state security is excluded.