Brazil is committed to an automated market with companies focused on the use of artificial intelligence, chatbots and online work tools. This development has caused companies to treat their customers’ personal data differently, raising concerns about their privacy.

The adaptation of Brazilian society and economy to new technologies has made personal data a valuable asset for cybercriminals, and personal data theft has increased in recent years. Consequently, Brazil created the General Data Protection Law (LGPD) to protect the privacy of personal data and prevent its exposure in information leaks.

The LGPD came into force on September 18, 2020, and sets out rules to govern and protect the processing of personal data. The law is based on the EU's well-known General Data Protection Regulation (GDPR), but it differs in some respects, which are covered below.


The General Data Protection Law (LGPD) is a set of regulations whose priority is to protect the privacy and guarantee the rights of people in relation to their personal data.

The regulations establish the principles that must be followed when processing data, the rights of data subjects, the obligations of data controllers and the penalties for non-compliance.

The LGPD applies to any person or company that processes personal data in Brazil, as well as to entities that, although located outside Brazil, process data in connection with activities carried out in the territory.

Although it is based on the General Data Protection Regulation (GDPR) that applies in European territory, it differs in some respects, such as the 10 legal bases it establishes for the processing of personal data.

According to the LGPD, personal data can only be processed if there is at least one legal basis for doing so.
The legal bases are:

  • User consent.
  • Compliance with a legal or regulatory obligation that binds the person responsible for the treatment.
  • The execution of public policies (when such policies are supported by laws, regulations or contractual provisions).
  • The carrying out of studies by research organizations, guaranteeing, whenever possible, the anonymization of the personal data used.
  • The fulfillment of a contractual obligation of which the user is a party (or its preparatory activities).
  • The exercise of rights in judicial, administrative or arbitration procedures.
  • The protection of the life or physical integrity of the user or a third party.
  • The protection of health, in a procedure carried out by professionals or medical services or by health authorities.
  • The legitimate interests of the data controller or a third party, except when the interests, rights and freedoms of the user prevail over them.
  • Credit protection, including the provisions of relevant legislation.


Although the LGPD builds on the GDPR's legal basis for processing personal data, there are important differences to highlight to ensure correct compliance with Brazilian regulations:

  • The LGPD does not define types of data in the way that the GDPR does. This means that the regulation is very broad and can apply to data linked directly or indirectly to a person or group of people.
  • The GDPR allows companies to freely use anonymous data without disclosing it. This is not the case with the LGPD: because it has no language regarding data types, the collection must be disclosed regardless of anonymization.
  • The LGPD gives companies just 15 days to respond to data requests from consumers, compared to 30 days under the GDPR.
  • The maximum fines that the LGPD can impose are 2% of global revenues or 50 million reais, which is approximately equivalent to 50% of the value of the fine that the GDPR can impose.
  • The LGPD does not define a time within which a company must report that it has been the victim of a data breach; currently it only establishes a “reasonable time.” The GDPR requires this to be done within 72 hours.


As explained above, the LGPD applies to all those companies, outside and inside Brazil, that process personal and confidential data related to commercial activities and individuals in the territory.

In this context, the regulations specify that non-compliance with the LGPD leads to fines and sanctions of up to 50 million Brazilian reais (8 million euros or 9 million dollars).

However, the sanctions and fines provided for in the LGPD may vary depending on the severity of the non-compliance and may include:

  • Warning: In some cases, data protection authorities may issue a warning to notify the entity that it has broken the law and give it the opportunity to correct the problem.
  • Monetary fines: Fines can be expressed as a percentage of the company’s annual income or as a fixed amount. These fines can be significant and will be applied based on the severity of the non-compliance.
  • Prohibition of data processing: In serious situations of non-compliance, the authorities may order the suspension or prohibition of the processing of personal data by the responsible entity.
  • Deletion or blocking of data: In some cases, authorities may order the deletion or blocking of personal data that has been collected or processed illegally.
  • Publicity of the violation: In certain circumstances, authorities may order that the violation and the sanction imposed be publicly disclosed.

It is important to keep in mind that sanctions and fines may vary depending on each use case and the final decision rests with the National Data Protection Authority (ANPD) of Brazil. The ANPD is the entity responsible for supervising and enforcing the LGPD in the country.


Brazil’s General Data Protection Law (LGPD) is applicable to a wide range of use cases in which personal data is processed. These are some of the main use cases in which the LGPD applies when personal data is not anonymized:

  • Companies and e-commerce.
  • Government organizations.
  • Health sector and medical services.
  • Human resources and employees.
  • Legal sector.
  • Information management.
  • Websites and online applications.
  • Cloud service providers.

These are just some examples of use cases in which Brazil’s LGPD applies. In general, any entity that handles personal data of individuals and entities must comply with the regulations contained in the law to guarantee the privacy and security of personal data. It is important that organizations are aware of their responsibilities and obligations under the LGPD to avoid sanctions and fines for non-compliance.


Anonymization has become a key tool for companies to comply with the LGPD and avoid negative impacts arising from data privacy violations. It is essential to ensure that the process is applied effectively to comply with the retention periods for the use of personal data and, consequently, to guarantee compliance with regulations, whether in Brazil or abroad.

Furthermore, due to the large volumes of information handled in companies, the anonymization process must be an agile process that does not represent an obstacle to the daily activity of organizations.

Nymiz, through artificial intelligence, simplifies the data anonymization process, automating it and making it available to any user without technical knowledge. Thanks to natural language processing, our software detects personal data by context to later protect it. In addition, it offers different replacement methods, as well as possibilities for customizing the result that easily adapt to the needs of our clients.
