What is LGPD
LGPD (Lei Geral de Proteção de Dados, the General Data Protection Law) is Brazil's version of GDPR, which formally took effect in August 2020. It sets out the rules that all organizations processing Brazilians' personal data — wherever they are located — must follow. The regulator is ANPD (Autoridade Nacional de Proteção de Dados, Brazil's National Data Protection Authority).
Fines for violations: up to 2% of annual revenue, capped at R$ 50 million per violation. There are also administrative penalties such as public notices, corrective orders and business suspension. Cross-border companies (including Chinese ones) fall within LGPD's scope as long as they process Brazilians' data.
LGPD's Core Requirements
- Have a legal basis (base legal): consent / contract / legal obligation / legitimate interest, etc. — 10 in total
- Have a clear purpose (finalidade): you must disclose the purpose before processing data
- Minimization principle: collect only necessary data and do not misuse it
- Data subject rights: users can access, correct, delete and export their own data
- Data security: encryption, masking and access control
- Cross-border transfer compliance: transferring to non-LGPD countries requires additional conditions
- 72-hour breach reporting: data breach incidents must be reported to ANPD and affected users
- DPO (Data Protection Officer): organizations processing large amounts of data must appoint a DPO
Core Capabilities of the TF Fiscal LGPD Data Gateway
1. Field-Level Encryption and Masking
During transmission and storage, the API gateway automatically identifies PII (personally identifiable information) fields (CPF, name, phone, email, address, etc.) and applies AES-256 field-level encryption. When exporting reports, it supports automatic masking (e.g. a CPF shown as ***.456.789-**).
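To make the masking step concrete, here is an added example (not TF Fiscal's gateway code) of the PII identification and report-export masking described above. It scans a record for PII by value pattern (CPF, e-mail) and by field name, and masks each kind; the CPF is reduced to the ***.456.789-** form shown on the page. The field-name list, the masking rules for phone, name and address, and the sample seller record are all assumptions constructed for this example; the AES-256 field encryption the gateway applies before storage is a separate step that this snippet does not implement.

```python
import re
from typing import Any

# Field names treated as PII. Assumption for this example: the gateway's real
# detection rules are configured per customer and are not shown on the page.
PII_KEYS = {"cpf", "name", "nome", "phone", "telefone", "email", "address", "endereco"}

CPF_RE = re.compile(r"^\d{3}\.\d{3}\.\d{3}-\d{2}$")      # formatted CPF: 123.456.789-09
PHONE_RE = re.compile(r"^\+?\d[\d\s()-]{7,}\d$")           # loose phone pattern
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def mask_cpf(cpf: str) -> str:
    """Keep the two middle groups, hide the first group and the check digits."""
    if not CPF_RE.match(cpf):
        raise ValueError("not a formatted CPF")
    return "***." + cpf[4:11] + "-**"          # -> ***.456.789-**


def mask_phone(phone: str) -> str:
    """Hide every digit except the last four (assumed rule)."""
    digits = re.sub(r"\D", "", phone)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain (assumed rule)."""
    local, domain = email.split("@", 1)
    return local[:1] + "***@" + domain


def mask_value(key: str, value: Any) -> Any:
    """Mask a single value: first by what it looks like, then by its field name."""
    if not isinstance(value, str):
        return value
    if CPF_RE.match(value):            # a CPF is masked wherever it appears
        return mask_cpf(value)
    if EMAIL_RE.match(value):
        return mask_email(value)
    if key.lower() in PII_KEYS:
        if PHONE_RE.match(value):
            return mask_phone(value)
        return value[:1] + "***"       # names, addresses: keep only the initial
    return value


def mask_record(obj: Any, key: str = "") -> Any:
    """Return a masked copy of a nested dict/list record; the original is untouched."""
    if isinstance(obj, dict):
        return {k: mask_record(v, k) for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_record(v, key) for v in obj]
    return mask_value(key, obj)


# Constructed sample record (not real data); the CPF is a widely used test value.
SAMPLE_SELLER = {
    "seller_id": "S-1001",
    "nome": "Maria Silva",
    "cpf": "123.456.789-09",
    "email": "maria@example.com",
    "telefone": "+55 11 91234-5678",
    "endereco": "Rua das Flores, 10, Sao Paulo",
    "order_total_brl": 199.9,
}

if __name__ == "__main__":
    for k, v in mask_record(SAMPLE_SELLER).items():
        print(f"{k}: {v}")
```

Masking by value pattern before field name means a CPF stored under an unexpected key (say, "document") is still caught, which is the failure mode a report-export check most needs to cover.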
2. Purpose-of-Use and Legal-Basis Management
Every API call must declare the finalidade (purpose) and base legal (legal basis). The platform maintains a compliance matrix of "purpose–basis–data fields", automatically rejecting and flagging calls that do not meet the rules.
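The following added example (not TF Fiscal's implementation) shows how a "purpose–basis–data fields" compliance matrix can gate an API call: the call declares its finalidade and base legal plus the fields it wants, and the check rejects unknown purpose/basis combinations and any field outside what that combination permits, writing every decision to an audit trail. The matrix entries, field names and call payloads are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Compliance matrix: (finalidade, base_legal) -> fields that combination may touch.
# Assumption: these entries are constructed for the example; a real matrix is
# configured per customer and per legal review.
COMPLIANCE_MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("invoicing", "legal_obligation"): frozenset({"cpf", "nome", "endereco", "order_total_brl"}),
    ("delivery", "contract"): frozenset({"nome", "endereco", "telefone"}),
    ("marketing", "consent"): frozenset({"nome", "email"}),
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    disallowed_fields: Set[str] = field(default_factory=set)


def check_call(finalidade: str, base_legal: str, requested_fields: List[str]) -> Decision:
    """Decide whether a call may proceed under the declared purpose and basis."""
    permitted = COMPLIANCE_MATRIX.get((finalidade, base_legal))
    if permitted is None:
        return Decision(False, "purpose/basis combination not in matrix")
    extra = set(requested_fields) - permitted
    if extra:
        return Decision(False, "fields outside declared purpose", extra)
    return Decision(True, "ok")


AUDIT_LOG: List[dict] = []   # one entry per call, accepted or flagged


def gateway_dispatch(call: dict) -> Decision:
    """Run the matrix check for one call and record the outcome for audit."""
    d = check_call(call["finalidade"], call["base_legal"], call["fields"])
    AUDIT_LOG.append({
        "caller": call.get("caller", "unknown"),
        "finalidade": call["finalidade"],
        "base_legal": call["base_legal"],
        "fields": sorted(call["fields"]),
        "allowed": d.allowed,
        "reason": d.reason,
        "flagged_fields": sorted(d.disallowed_fields),
    })
    return d


def flagged_entries() -> List[dict]:
    """Audit entries that were rejected, i.e. what a reviewer would look at first."""
    return [e for e in AUDIT_LOG if not e["allowed"]]


if __name__ == "__main__":
    # Constructed calls: one compliant, one over-reaching, one with no valid basis.
    for call in [
        {"caller": "nfe-service", "finalidade": "invoicing", "base_legal": "legal_obligation",
         "fields": ["cpf", "nome", "order_total_brl"]},
        {"caller": "crm-sync", "finalidade": "marketing", "base_legal": "consent",
         "fields": ["email", "cpf"]},
        {"caller": "crm-sync", "finalidade": "marketing", "base_legal": "legal_obligation",
         "fields": ["email"]},
    ]:
        print(call["caller"], gateway_dispatch(call))
```

Rejecting on any unlisted field, rather than silently dropping it, keeps the audit log honest: the flagged entry shows exactly which field a caller tried to read under which purpose.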
3. Data Subject Rights Response (DSR)
Provides APIs to receive and respond to Brazilian users' data subject rights requests:
- Right of access (Acesso): export all of that user's data
- Right to correction (Correção): update incorrect data
- Right to erasure (Eliminação): permanently delete (within the limits of the law)
- Right to portability (Portabilidade): export in a structured format
- Right to object (Oposição): stop specific data processing
All responses must be completed within 15 days (an ANPD requirement).
4. Cross-Border Transfer Compliance Auditing
When data flows out of Brazil to a China headquarters or a third country, it automatically records the fact of the transfer, the purpose, the recipient's location and the transfer basis (user consent / contract / adequacy determination / standard contractual clauses). This provides evidence in the event of an ANPD spot check.
5. Data Retention Period Management
Set a retention period for each category of data, automatically archiving or deleting it on expiry. For example:
- Invoicing data: 5 years (required by Brazilian tax law)
- Marketing contact information: 1 year (cleaned up after no new interaction)
- Failed registration attempts: 30 days
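As an added example (not the gateway's own code), the retention sweep below turns the three periods above into a policy: invoicing data counts its five years from the record's creation date, marketing contacts count one year from the last interaction (so a new interaction resets the clock), and failed registrations count 30 days from creation. The split between archiving expired invoicing data and deleting the other two categories, the record layout and the sample records are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention periods in days, taken from the three examples on the page.
RETENTION_DAYS = {
    "invoicing": 5 * 365,
    "marketing_contact": 365,
    "failed_registration": 30,
}

# Assumption: tax records are archived on expiry (they may still be needed for
# audits), everything else is deleted.
ARCHIVE_ON_EXPIRY = {"invoicing"}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    last_interaction: Optional[date] = None   # only meaningful for marketing contacts


def clock_start(rec: Record) -> date:
    """The date the retention period counts from, per category."""
    if rec.category == "marketing_contact" and rec.last_interaction:
        return rec.last_interaction      # "cleaned up after no new interaction"
    return rec.created


def retention_action(rec: Record, today: date) -> str:
    """Return 'keep', 'archive' or 'delete' for one record as of today."""
    days = RETENTION_DAYS.get(rec.category)
    if days is None:
        raise ValueError(f"no retention policy for category {rec.category!r}")
    expires = clock_start(rec) + timedelta(days=days)
    if today < expires:
        return "keep"
    return "archive" if rec.category in ARCHIVE_ON_EXPIRY else "delete"


def sweep(records: List[Record], today: date) -> Dict[str, str]:
    """Decide an action for every record; the caller applies archive/delete."""
    return {r.record_id: retention_action(r, today) for r in records}


# Constructed sample records.
SAMPLE_RECORDS = [
    Record("inv-2019-001", "invoicing", date(2019, 1, 15)),
    Record("inv-2024-017", "invoicing", date(2024, 11, 2)),
    Record("mkt-active", "marketing_contact", date(2023, 1, 1), last_interaction=date(2025, 1, 10)),
    Record("mkt-stale", "marketing_contact", date(2023, 1, 1), last_interaction=date(2024, 3, 1)),
    Record("reg-fail-new", "failed_registration", date(2025, 5, 20)),
    Record("reg-fail-old", "failed_registration", date(2025, 4, 1)),
]

if __name__ == "__main__":
    for rid, action in sweep(SAMPLE_RECORDS, date(2025, 6, 1)).items():
        print(rid, action)
```

Raising on an unknown category, instead of defaulting to "keep", is deliberate: a record with no retention policy is itself a compliance gap, and the sweep should surface it rather than retain the data indefinitely.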
6. Data Breach Incident Response
Anomalous-access monitoring with automatic alerts, together with companion ANPD notification templates and procedures for the breach-reporting process.
Typical Use Cases
- Cross-border C2C platforms: handling personal information such as Brazilian seller identities and PIX payment details
- Cross-border e-commerce: collecting Brazilian consumers' addresses, phone numbers and CPFs
- China headquarters accessing Brazilian data: data masked before transfer for BI reports and market analysis
- SaaS providers: offering compliance evidence to their own customers to avoid customer concerns
- Finance / insurance: high-intensity KYC scenarios
Pricing
- Standard LGPD compliance package: from R$ 499/month, including compliance gateway calls, LGPD compliance templates and audit logs
- Custom enterprise plans: for customers processing large amounts of personal data, with cross-border transfer needs or requiring an on-site DPO consultant, we offer one-on-one customization, including isolated audit resources, cross-border transfer compliance auditing, an ANPD emergency response process, compliance drills and more. Contact sales for a quote.
- Compliance consulting: a free 1-hour initial assessment
Compliance Value Comparison
A single LGPD violation can be fined up to R$ 50 million. A compliance gateway subscription of a few thousand reais a year is the best-value insurance there is.
FAQ
Q: Do Chinese companies also have to comply with LGPD?
Yes. Article 3 of LGPD states that it applies as long as you process the data of data subjects located in Brazil (regardless of where the processor is located). A Chinese e-commerce business collecting Brazilian user information falls under this scenario.
Q: How different is it from GDPR?
The frameworks are almost identical. The main differences: (1) LGPD's regulator is ANPD (GDPR's are each country's DPA); (2) the fine is capped at R$ 50 million (GDPR's is €20 million or 4% of global revenue); (3) LGPD has 10 legal bases (GDPR has 6). A GDPR compliance framework can be migrated and reused, but the specific provisions need to be reviewed.
Q: Must we appoint a DPO?
In principle, all organizations processing personal data should appoint a DPO. However, ANPD grants certain exemptions to micro and small businesses. Enterprise customers can use TF Fiscal's companion DPO consultant service.
Q: Can the data be stored in China?
Yes, but it constitutes a "cross-border transfer" and must meet the requirements of Article 33 of LGPD (such as user consent, contractual obligation or ANPD determination). The TF Fiscal data gateway automatically records the transfer basis.