Compliance
Practical guidance on meeting data protection requirements across jurisdictions, from implementation steps to ongoing compliance management. Learn how to audit your website for compliance gaps, set up proper consent mechanisms, maintain documentation, and prepare for regulatory inspections and enforcement actions.
The ANPD: Brazil's Data Protection Authority and Its Regulatory Powers
The ANPD is the government body responsible for enforcing Brazil's LGPD. Originally created as a modest federal entity in 2018, it was upgraded to an independent regulatory agency in September 2025 - giving it real teeth to investigate, sanction, and shape data protection policy across Latin America's largest economy.
Data Subject Rights Under the LGPD: Access, Deletion, Portability and More
Brazil's LGPD grants individuals nine distinct rights over their personal data, from confirmation of processing to review of automated decisions. Controllers must respond immediately or within 15 days, depending on the request type - with no option to extend that deadline.
International Data Transfers Under the LGPD: Rules, Safeguards, and the New Adequacy Era
Brazil's LGPD restricts how personal data leaves the country, requiring either an ANPD adequacy decision, standard contractual clauses, or binding corporate rules. With the EU-Brazil mutual adequacy agreement finalised in January 2026, the transfer landscape is shifting fast - and website owners need to keep up.
LGPD Controller vs. Processor: Roles and Joint Liability
Brazil's LGPD divides personal data obligations between controllers and processors. Find out how the law assigns liability, demands specific record keeping, and dictates damage compensation.
LGPD Data Breach Notification: Rules and Timelines
Brazil's data protection law mandates specific actions when a security incident occurs. Controllers must report breaches that pose significant risks to data subjects and the national authority without delay.
Sensitive Personal Data Under the LGPD: What It Is and How Brazil Restricts Its Processing
Brazil's LGPD defines sensitive personal data as information about racial origin, health, biometrics, political opinion, religious belief, and sexual life. Article 11 restricts processing to a narrower set of legal bases than ordinary personal data, and the ANPD has already taken enforcement action against companies that got it wrong.
LGPD Explained: What Is Brazil's Data Protection Law and Who Does It Apply To?
Brazil's LGPD applies to any organisation that processes data of individuals in Brazil, regardless of where the company is based. Articles 1 through 4 define the law's territorial reach, its material scope, and the narrow exemptions that exist. If your website collects any data from Brazilian visitors, this is the article you need to read.
The 10 Legal Bases for Processing Personal Data Under Brazil's LGPD
Article 7 of the Brazilian Data Protection Law outlines ten specific conditions for lawful data processing. Choosing the correct legal basis is mandatory for compliance.
Consent Under the LGPD: Requirements, Revocation, and Common Pitfalls
Brazil's General Data Protection Law (LGPD) places strict requirements on how websites collect and process user data. Consent must be specific, informed, and easily revocable. This guide explains the core rules for valid consent under the LGPD and how to avoid common compliance failures.