LGPD & Regulatory Compliance Brazil — Data Protection, ANPD, Sectoral Regulators
Brazilian LGPD compliance for foreign operations: Lei 13.709/2018, ANPD enforcement, DPO appointment, international data transfers, sectoral overlay (ANVISA, IBAMA, BACEN, CVM, CADE).
15+ years of experience · 700+ cases managed · 2 languages (PT/EN) · LL.M., USC
What Should Foreign Operations Know About Brazilian LGPD and Regulatory Compliance?
Brazil’s regulatory environment combines a general data protection law (the LGPD) with an active sectoral regulator overlay (ANPD, ANVISA, IBAMA, BACEN, CVM, CADE, ANEEL, and more). The LGPD applies extraterritorially to foreign companies offering goods or services to data subjects in Brazil — incorporation outside Brazil does not exempt a controller from compliance obligations. Sectoral regulators add their own layers of registration, reporting, and oversight that frequently impose stricter operational requirements than the LGPD baseline. Foreign operations that build a defensible compliance program early avoid the cluster of remediation work that follows a first ANPD or sectoral inspection.
ZS Advogados Associados advises foreign-owned companies on LGPD compliance program design, ANPD enforcement defense, sectoral regulator interaction, and data-incident response. Our founder, Zachariah Zagol (OAB/SP 351.356), brings an international-law LL.M. and over 15 years of cross-border corporate practice to regulatory matters.
“The LGPD compliance investment that pays the highest return is the data inventory. Companies that genuinely know what they hold, where, who processes it, and on what legal basis, can answer ANPD questions in days. Companies that don’t take six months to even begin answering — and during those six months the regulator’s posture hardens. The inventory is the foundation; everything else builds on top.” — Zachariah Zagol, Founding Partner, OAB/SP 351.356
How Does the LGPD Bind Foreign Companies?
The Lei Geral de Proteção de Dados Pessoais (Lei nº 13.709/2018) entered into force on September 18, 2020; its administrative sanctions became applicable on August 1, 2021. It is structurally similar to the EU GDPR (controller/operator/data-subject roles, lawful-basis taxonomy, data-subject rights catalogue, accountability obligations) but has distinct Brazilian features and an active national authority.
Extraterritorial scope (LGPD Art. 3):
- Processing carried out within Brazilian territory
- Processing aimed at offering or providing goods or services to data subjects located in Brazil
- Processing of personal data collected in Brazilian territory
A foreign company with no Brazilian CNPJ but with a Portuguese-language website serving Brazilian customers, a Brazilian-targeted advertising campaign, or analytics that profile Brazilian users falls within scope.
Lawful bases for processing (LGPD Art. 7 for non-sensitive data; Art. 11 for sensitive data):
- Consent (specific, free, informed, unambiguous; for sensitive data it must be specific and highlighted, for specific purposes)
- Compliance with a legal or regulatory obligation
- Execution of public policies by the public administration
- Studies by a research body, with anonymization of the data where possible
- Contract performance, where the data subject is a party
- Regular exercise of rights in judicial, administrative, or arbitration proceedings
- Protection of life or physical safety
- Health protection in procedures performed by health professionals, health services, or sanitary authorities
- Legitimate interest (Art. 7 only, with a documented balancing test)
- Credit protection (Art. 7 only)
Legitimate interest and credit protection are not available for sensitive data: an activity that processes health, biometric, genetic, or other Art. 5 II categories must rest on one of the narrower Art. 11 bases.
Data-subject rights (LGPD Art. 18): confirmation of processing, access, correction, anonymization/blocking/deletion of unnecessary or excessive data, portability, deletion of data processed under consent, information on third-party sharing, and revocation of consent.
Who Must Appoint a DPO?
LGPD Art. 41 requires every controller to appoint an encarregado (the Brazilian equivalent of the DPO) and publish their identity and contact channel.
Resolução CD/ANPD nº 2/2022 carved a partial exemption for “small-scale processing agents” — startups, microbusinesses, individual entrepreneurs, and small businesses (with defined revenue and processing-volume thresholds) — who may designate a communication channel rather than a formal DPO. Foreign companies typically exceed the thresholds and must appoint a DPO.
The DPO’s responsibilities (LGPD Art. 41, §2):
- Receive complaints and communications from data subjects, provide explanations, and adopt corrective measures
- Receive communications from the ANPD and adopt the requested measures
- Guide internal employees and contractors on data protection practices
- Other duties defined by the controller in supplementary rules
The DPO does not need to be a Brazilian resident, and Resolução CD/ANPD nº 18/2024 (the encarregado regulation) allows the role to be held by a natural or legal person, but the DPO must be reachable in Portuguese and able to respond within a reasonable time. Many foreign-owned operations appoint a Brazilian DPO-as-a-service provider to bridge the language and time-zone gap.
How Does the LGPD Regulate International Data Transfers?
LGPD Arts. 33–36 govern transfers of personal data to countries outside Brazil. Permitted bases under Art. 33:
- Transfers to countries or international bodies that provide adequate protection as recognized by the ANPD
- Controller guarantees of compliance in the form of specific contractual clauses, standard contractual clauses, binding corporate rules, or seals, certificates, and codes of conduct, all subject to ANPD approval (Resolução CD/ANPD nº 19/2024 published the cláusulas-padrão contratuais and gave controllers 12 months from its publication to bring existing contracts into line)
- International legal cooperation between intelligence, investigation, and prosecution bodies
- Protection of life or physical safety
- Specific ANPD authorization
- An international agreement to which Brazil is a party
- Execution of public policies by the public administration
- Specific and highlighted consent of the data subject, given after prior information on the international nature of the operation
- Compliance with a legal or regulatory obligation, performance of a contract with the data subject, or regular exercise of rights in proceedings
Practical implications for foreign-owned companies:
- Transfers to US-based processors (cloud hosts, CRMs, marketing tools) require an ANPD-approved transfer mechanism in the controller-operator contract
- Standard contractual clauses are the default option for most foreign-owned operations
- The ANPD has not yet published an adequacy list comparable to the EU’s; companies should not assume that GDPR adequacy decisions translate to LGPD adequacy
“The international transfer rules are where I see the largest gap between policy and reality. Companies sign cloud contracts with US processors and assume the GDPR-style standard contractual clauses cover them under LGPD. They don’t, automatically. The ANPD published Brazilian standard clauses in 2024, and the safer position is to amend processor contracts to include the Brazilian clauses rather than rely on a GDPR equivalence argument that has not been formally accepted.” — Zachariah Zagol, Founding Partner, OAB/SP 351.356
What Does ANPD Enforcement Actually Look Like?
The Autoridade Nacional de Proteção de Dados (ANPD) is the federal authority responsible for LGPD enforcement, established by Lei nº 13.853/2019. Enforcement posture has matured from regulatory dialogue toward active sanctioning since 2022.
Sanctions catalogue (LGPD Art. 52):
- Warning, with deadline for corrective measures
- Simple fine of up to 2% of the gross revenue in Brazil of the legal entity, group, or conglomerate in the preceding fiscal year, excluding taxes, capped at R$50 million per infraction
- Daily fine, subject to the same R$50 million cap per infraction
- Publication of the infraction
- Blocking of the personal data to which the infraction relates, until regularized
- Elimination of the personal data to which the infraction relates
- Partial suspension of the database operation for up to six months, extendable once for an equal period
- Suspension of the processing activity for up to six months, extendable once for an equal period
- Partial or total prohibition of activities related to data processing
Resolução CD/ANPD nº 4/2023 regulates the calculation of administrative penalties, codifying aggravating factors (recidivism, breach severity, lack of cooperation) and mitigating factors (existence of governance program, prompt corrective action, transparency).
Where enforcement is most active:
- Data-breach notification failures and inadequate incident response
- Sale or sharing of personal data without lawful basis
- Failure to honor data-subject rights requests
- Lack of documented controller-operator agreements with processors
- Operating without an appointed DPO (above the small-scale threshold)
For foreign operations, the practical defense is a documented compliance program — data inventory, lawful basis records, processor contracts, DPO route, and incident-response runbook — that a regulator can review during inspection.
What Sectoral Regulators Overlay the LGPD?
The LGPD is the general regime; sectoral regulators layer industry-specific obligations that often impose stricter requirements.
ANVISA (Agência Nacional de Vigilância Sanitária) — health, pharma, medical devices, cosmetics. Foundational statute: Lei nº 9.782/1999. Foreign companies importing medical devices or pharmaceuticals must register with ANVISA, comply with Good Manufacturing Practices (BPF), and maintain post-market surveillance. Health data is “sensitive” under LGPD Art. 11 — extra basis requirements apply.
BACEN (Banco Central do Brasil) — banking, FX, payment institutions, capital flows. The BACEN regulatory perimeter has expanded significantly through the Open Finance regime (Resolução Conjunta nº 1/2020) and the payment-institution framework. Foreign banks and fintechs typically engage BACEN early for license applications. Cybersecurity for financial institutions: Resolução CMN nº 4.893/2021 (which replaced Resolução CMN nº 4.658/2018) for institutions authorized by BACEN, and Resolução BCB nº 85/2021 for payment institutions, coexist with the LGPD and frequently impose stricter operational requirements, including cloud-provider contract terms and incident reporting to BACEN that run in parallel with ANPD notification.
CVM (Comissão de Valores Mobiliários) — capital markets, listed-company disclosure, public offerings. Foundational statute: Lei nº 6.385/1976. Companies offering securities to Brazilian investors or with public-company status engage CVM through Resolução CVM nº 80/2022 (issuer registration) and the public-offering regime of Resolução CVM nº 160/2022.
CADE (Conselho Administrativo de Defesa Econômica) — antitrust and merger control under Lei nº 12.529/2011. Mergers exceeding the notification thresholds must be notified and cleared before closing. Thresholds remain at R$750 million / R$75 million in Brazilian gross revenue for the two economic groups (Portaria Interministerial nº 994/2012, not indexed). Gun-jumping (closing before clearance) carries a fine of R$60,000 to R$60 million under Art. 88 §3, without prejudice to the nullity of the transaction and a possible conduct investigation.
IBAMA (Instituto Brasileiro do Meio Ambiente e dos Recursos Naturais Renováveis) — environmental licensing under Lei nº 6.938/1981. Foreign companies operating projects with environmental impact (mining, manufacturing, agribusiness, infrastructure) require environmental licenses (LP — Licença Prévia, LI — Licença de Instalação, LO — Licença de Operação) and ongoing compliance. IBAMA licenses projects of federal competence; under Lei Complementar nº 140/2011 most projects are licensed by state environmental agencies, so the competent authority must be identified per project.
ANEEL (Agência Nacional de Energia Elétrica) — electricity sector. Foreign investors in generation, transmission, and distribution face concession or authorization regimes plus tariff oversight.
The practical playbook for foreign operations is to map the applicable regulators at the entity-formation stage (not after operations begin), assign a regulatory-affairs owner, and build a compliance calendar covering license renewals, periodic filings, and inspection readiness.
How Should a Foreign-Owned Company Structure Its LGPD Compliance Program?
A defensible LGPD program contains seven elements:
- Data inventory — every processing activity, controller/operator role, data category, data source, retention period, and data flow (including cross-border transfers)
- Lawful basis identification — for each processing activity, the LGPD Art. 7 (or Art. 11 for sensitive data) basis, with documentation supporting the choice
- Privacy notices — Portuguese-language, accessible from every consumer-facing touchpoint, covering data collected, purposes, retention, sharing, and rights
- Records of processing activities — the LGPD Art. 37 equivalent of the GDPR RoPA, retained for ANPD inspection
- DPO appointment and published contact route — under Art. 41 (or the small-scale agent’s communication channel)
- Data-subject rights workflow — under Art. 18, with response deadlines, internal routing, and audit trail
- Incident-response plan — under Art. 48, with the ANPD-set deadline of three working days from the controller’s awareness (Resolução CD/ANPD nº 15, of 24 April 2024, art. 5), plus data-subject notification when applicable
For organizations with mature security functions, ISO/IEC 27001 and ISO/IEC 27701 certifications provide significant credibility with the ANPD and with Brazilian customers, though they are not formally required.
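The seven program elements above are easier to keep honest when the data inventory is machine-readable and checked automatically, the way a security team lints infrastructure configuration. The following Python checker is an added illustration, not the firm's material or an ANPD-provided tool: it models a processing register as records, flags activities whose lawful basis is not available for sensitive data (Art. 11), processors without a signed controller-operator contract, non-Brazilian processors without an Art. 33 transfer mechanism, and a missing DPO channel or incident plan, and computes the three-working-day ANPD notification deadline. The field names, basis labels, the sample register, and the holiday list are assumptions constructed for the example.

```python
"""Lint a constructed LGPD processing register (Art. 37 records) for gaps.

Added example; field names, basis labels and sample data are assumptions,
not an ANPD schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Lawful bases of Art. 7 (non-sensitive data). Labels are this example's own.
ART7_BASES = {
    "consent", "legal_obligation", "public_policy", "research", "contract",
    "exercise_of_rights", "protection_of_life", "health_protection",
    "legitimate_interest", "credit_protection",
}
# Art. 11 (sensitive data) has no legitimate-interest or credit-protection basis.
ART11_BASES = ART7_BASES - {"legitimate_interest", "credit_protection"}
# Art. 33 mechanisms a controller can document in a processor contract.
ART33_MECHANISMS = {"adequacy", "standard_clauses", "specific_clauses", "bcr", "specific_consent"}


@dataclass
class Processor:
    name: str
    country: str                        # ISO 3166-1 alpha-2, e.g. "BR", "US"
    contract_signed: bool               # controller-operator agreement in place
    transfer_mechanism: str | None = None  # required when country != "BR"


@dataclass
class Activity:
    name: str
    purpose: str
    lawful_basis: str
    sensitive: bool = False             # any Art. 5 II category (health, biometric, ...)
    retention_days: int | None = None
    processors: list[Processor] = field(default_factory=list)


@dataclass
class Register:
    controller: str
    dpo_contact: str | None             # published channel under Art. 41 §1
    incident_plan: bool                 # Art. 48 runbook exists
    activities: list[Activity]


def check_register(reg: Register) -> list[str]:
    """Return one finding per gap; an empty list means the register is consistent."""
    findings: list[str] = []
    if not reg.dpo_contact:
        findings.append("program: no published DPO contact channel (Art. 41)")
    if not reg.incident_plan:
        findings.append("program: no incident-response plan (Art. 48)")
    for a in reg.activities:
        allowed = ART11_BASES if a.sensitive else ART7_BASES
        article = "Art. 11" if a.sensitive else "Art. 7"
        if a.lawful_basis not in allowed:
            findings.append(f"{a.name}: basis '{a.lawful_basis}' is not available under {article}")
        if a.retention_days is None:
            findings.append(f"{a.name}: no retention period recorded")
        for p in a.processors:
            if not p.contract_signed:
                findings.append(f"{a.name}: no controller-operator contract with {p.name}")
            if p.country != "BR" and p.transfer_mechanism not in ART33_MECHANISMS:
                findings.append(f"{a.name}: transfer to {p.name} ({p.country}) has no Art. 33 mechanism")
    return findings


def incident_deadline(awareness: date, holidays: set[date] = frozenset()) -> date:
    """Third working day after the day of awareness (Resolução CD/ANPD nº 15/2024, art. 5).

    Assumes the day of awareness itself is not counted and that Saturdays,
    Sundays and the supplied holidays are not working days.
    """
    d, remaining = awareness, 3
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            remaining -= 1
    return d


def deadline_iso(awareness_iso: str, holiday_isos: tuple[str, ...] = ()) -> str:
    """String wrapper around incident_deadline for scripting and tests."""
    holidays = {date.fromisoformat(h) for h in holiday_isos}
    return incident_deadline(date.fromisoformat(awareness_iso), holidays).isoformat()


def example_register() -> Register:
    """Constructed sample: one clean activity and one with several gaps."""
    return Register(
        controller="Example Ltda. (constructed)",
        dpo_contact="privacidade@example.invalid",   # hypothetical channel
        incident_plan=True,
        activities=[
            Activity("crm_marketing", "B2B lead management", "legitimate_interest",
                     retention_days=730,
                     processors=[Processor("US CRM SaaS", "US", True, "standard_clauses")]),
            Activity("telehealth_records", "remote consultations", "legitimate_interest",
                     sensitive=True,
                     processors=[Processor("US cloud host", "US", True, None),
                                 Processor("BR analytics vendor", "BR", False)]),
        ],
    )


if __name__ == "__main__":
    for line in check_register(example_register()):
        print(line)
    # Awareness on Fri 2024-11-15, with Wed 2024-11-20 treated as a holiday.
    print(deadline_iso("2024-11-15", ("2024-11-20",)))
```

Run it against a real inventory by loading the records from whatever register the DPO maintains; the value is that every Art. 11 basis mistake and every US-hosted processor without Brazilian standard clauses surfaces before an ANPD request does, not after.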
Why Choose ZS Advogados for LGPD and Regulatory Matters?
LGPD compliance is not a one-time project — it is an operating discipline that survives organizational changes, vendor changes, and regulatory evolution. We help foreign-owned operations build LGPD programs that integrate with sectoral regulator obligations, that hold up under ANPD inspection, and that minimize the cost of incident response when something goes wrong.
ZS Advogados Associados works with foreign-owned operations on:
- LGPD gap assessment and program design from inventory to incident response
- DPO-as-a-service for foreign-owned controllers needing local presence and Portuguese-language responsiveness
- Controller-operator contract amendments for international transfers under ANPD standard clauses
- ANPD enforcement defense (administrative proceedings, settlement negotiations, judicial review)
- Sectoral regulator interaction — ANVISA registrations, BACEN license applications, CVM disclosure, IBAMA licensing
- CADE merger notification analysis and filings
- Data-incident response, ANPD notification drafting, and post-incident remediation
For a consultation on your LGPD or regulatory exposure, contact our team or review our related guides on LGPD compliance and foreign investment in Brazil.
Why trust ZS Advogados?
Our founding partner, Zachariah Zagol, is an American who has lived in Brazil for over 15 years, with an LL.M. from USC and hands-on experience as an entrepreneur and investor. He doesn't just study the law — he lives what he advises. That combination of theory and practice is what sets our service apart.
Need guidance?
Every case is unique and deserves specialized attention. Schedule a consultation and discover how we can protect your interests.