Data Protection & Privacy

LGPD compliance, legal bases, and ANPD liaison for foreign businesses.

// QUICK ANSWER

Data protection law structures the lawful processing of personal data by companies operating in Brazil, regardless of size or sector. Hosaki Advogados assists foreign companies with LGPD compliance, data mapping, legal basis selection, privacy policies and terms, incident response, and ANPD (Brazilian Data Protection Authority) liaison.

Frequently asked questions

Does my small foreign-owned business operating in Brazil need to comply with the LGPD?

Yes. Brazil's General Data Protection Law (Law No. 13,709/2018) applies to any natural person or legal entity that processes personal data in Brazil, regardless of size, sector, or location, as long as processing occurs on Brazilian territory, targets the offering of goods or services to individuals in Brazil, or involves data collected in Brazil. The law has limited exceptions — such as processing by natural persons exclusively for personal and non-economic purposes. Small companies with low data volumes and no sensitive data processing face lower regulatory risk, but are not exempt.

Does every company operating in Brazil need a Data Protection Officer (DPO)?

Brazil's LGPD requires controllers and processors to appoint a Data Protection Officer (Encarregado de Dados / DPO). However, ANPD Resolution CD/ANPD No. 2/2022 established a simplified regime for small-scale processing agents — micro-enterprises, small businesses, and startups — allowing simplification or exemption from certain obligations, including the manner of DPO designation. Even for companies under the simplified regime, having an identified contact point for data-related communications is recommended.

What must a foreign company do after a personal data breach in Brazil?

Under LGPD Art. 48 and ANPD rules, the data controller must, within 72 hours of becoming aware of it (per ANPD Resolution CD/ANPD No. 15/2024), notify ANPD and affected data subjects of any security incident that may cause relevant risk or harm to data subjects. The notification must include: a description of the nature of the affected data, information on the data subjects involved, the technical and security measures adopted, the associated risks, and the corrective actions taken. Internally, the incident response plan should be activated immediately, evidence preserved, and the legal team involved from the outset to manage regulatory exposure.

What is the correct legal basis for email marketing campaigns targeting Brazil under the LGPD?

Email marketing campaigns in Brazil typically rely on two LGPD legal bases: consent (Art. 7, I), when the data subject expressly authorizes receiving communications through a clear and unambiguous opt-in; or legitimate interest (Art. 7, IX), when there is a pre-existing commercial relationship and the sending is proportionate and expected by the data subject. Using purchased or third-party databases without the subjects' consent creates significant regulatory exposure. The privacy policy must inform the processing purpose, the legal basis used, and the data subject's right to withdraw consent or object to processing at any time.

How should a foreign company adapt its privacy policy for LGPD compliance?

An LGPD-compliant privacy policy must at minimum inform: the identity and contact details of the controller and DPO, the categories of personal data collected, the processing purposes for each category, the legal bases used, the data retention period, third parties with whom data is shared, international data transfers and their legal grounds, and data subjects' rights and how to exercise them. The policy must be written in clear, accessible language and updated whenever there is a relevant change in processing activities. Generic documents imported from another jurisdiction without adaptation create significant regulatory risk in Brazil.

Can a foreign company be fined by ANPD even for a good-faith compliance error in Brazil?

LGPD Art. 52 provides for administrative sanctions including warnings, simple fines of up to 2% of Brazilian revenue (capped at BRL 50 million per violation), daily fines, publication of the infraction, and data blocking or deletion. ANPD's penalty-calibration criteria consider good faith, measures taken to mitigate harm, and compliance history — all of which can reduce the sanction. However, good faith alone does not exclude administrative liability; it influences the severity of the penalty. Documented compliance efforts — particularly when a company is in the early stages of building its LGPD program — are treated favorably by ANPD in administrative proceedings.
