Brazil LGPD Compliance (Lei 13.709/2018)
The Lei Geral de Proteção de Dados Pessoais (LGPD), enacted as Lei 13.709 on 14 August 2018 and effective from 18 September 2020 (with sanctions enforceable from 1 August 2021), is Brazil's comprehensive data protection law. The LGPD applies to any processing of personal data carried out in Brazil, where the processing activity aims to offer goods or services to individuals located in Brazil, or where the personal data was collected in Brazil (Art. 3). The Autoridade Nacional de Proteção de Dados (ANPD) serves as the supervisory authority with rulemaking, enforcement, and advisory functions.
Ten Lawful Bases Under Article 7
The LGPD provides ten distinct legal bases for processing personal data, exceeding the six lawful bases under EU GDPR. Each base operates independently — organisations may rely on any applicable base without a prescribed hierarchy.
1. Consent of the Data Subject (Art. 7, I)
Requirements under Art. 8:
- Consent must be provided in writing or by other means that demonstrate the free, informed, and unequivocal expression of the data subject's will
- Written consent must appear in a clause separate from other contractual provisions (Art. 8, §1)
- The burden of proof that consent was obtained rests with the controller (Art. 8, §2)
- Consent is void if based on misleading information or where the data subject was not adequately informed (Art. 9, §1)
- Consent may be revoked at any time by express statement of the data subject, via a free and facilitated procedure (Art. 8, §5)
Implementation at Zenith Global Enterprises:
- Marketing communications to Brazilian customers require opt-in consent with a standalone consent clause
- Consent records stored in the consent management platform with timestamp, scope, and version
- Consent withdrawal mechanism accessible through the customer privacy portal within two clicks
- Granular consent for each processing purpose (marketing, profiling, third-party sharing)
2. Compliance with Legal or Regulatory Obligation (Art. 7, II)
Scope: Processing necessary for the controller to comply with a legal or regulatory obligation under Brazilian law. This includes tax reporting under the Código Tributário Nacional, anti-money laundering under Lei 9.613/1998, and employment record retention under the Consolidação das Leis do Trabalho (CLT).
Implementation at Zenith Global Enterprises:
- Employee payroll records retained for 5 years per CTN Art. 173
- Employment records retained for the duration of the employment relationship plus 5 years per CLT Art. 11
- Anti-money laundering records retained for 5 years from the last transaction per Lei 9.613/1998, Art. 10
3. Execution of Public Policies by the Public Administration (Art. 7, III)
Scope: Processing by the public administration for the execution of public policies provided in laws, regulations, or contracts. This base is available only to public administration bodies and is not applicable to private-sector organisations.
Zenith Global Enterprises relevance: Not applicable as a private-sector entity. If engaged in public-private partnerships, the government partner invokes this base.
4. Research by Research Bodies (Art. 7, IV)
Scope: Processing for carrying out studies by research bodies, ensuring anonymisation of personal data whenever possible. Research bodies must comply with specific ethical standards and are subject to oversight by the relevant ethics committees.
Zenith Global Enterprises relevance: If collaborating with academic institutions on logistics optimisation research, ensure data shared for research purposes is anonymised or pseudonymised with the research body assuming controller responsibility.
5. Contract Performance (Art. 7, V)
Scope: Processing necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject.
Implementation at Zenith Global Enterprises:
- Processing customer shipping addresses, contact details, and payment information to fulfil freight forwarding contracts
- Pre-contractual processing of credit assessments when customers request trade credit terms
- Processing employee data necessary for execution of the employment contract
6. Exercise of Rights in Judicial, Administrative, or Arbitration Proceedings (Art. 7, VI)
Scope: Processing necessary for the regular exercise of rights in judicial, administrative, or arbitration proceedings. This permits retention and use of personal data where necessary for litigation or regulatory proceedings.
Implementation at Zenith Global Enterprises:
- Retention of customer correspondence and transaction records relevant to pending or anticipated customs disputes
- Preservation of employee performance records where termination is contested before the Justiça do Trabalho (Labour Courts)
7. Protection of Life or Physical Safety (Art. 7, VII)
Scope: Processing necessary for the protection of the life or physical safety of the data subject or a third party. This base is reserved for genuine emergency situations where consent cannot reasonably be obtained.
Implementation at Zenith Global Enterprises:
- Processing of employee medical emergency information during workplace incidents at Brazilian warehouse facilities
- Sharing driver location data with emergency services during road transport incidents
8. Health Protection (Art. 7, VIII)
Scope: Processing necessary for the protection of health, exclusively in a procedure carried out by health professionals, health services, or health authorities. This base is narrower than the life protection base and is restricted to health-sector actors.
Zenith Global Enterprises relevance: Limited to occupational health processing by the company's contracted occupational medicine providers under Norma Regulamentadora NR-7 (PCMSO).
9. Legitimate Interest of the Controller or Third Party (Art. 7, IX)
Requirements under Art. 10:
- Processing must be for legitimate purposes based on concrete situations, including:
  - (I) Support and promotion of the controller's activities
  - (II) Protection of the data subject or of the provision of services that benefit the data subject, in connection with the exercise of their rights
- Only strictly necessary data may be processed for the stated purpose
- The controller must adopt transparency measures, including a legitimate interest impact assessment
- If the ANPD requests it, the controller must produce a Relatório de Impacto à Proteção de Dados Pessoais (RIPD) — the LGPD equivalent of a DPIA
Implementation at Zenith Global Enterprises:
- Fraud detection on customer payment transactions using pattern analysis
- IT security monitoring of employee network activity to prevent data breaches
- Customer relationship management analytics to improve service quality
- Legitimate interest assessment documented for each use case using the three-part balancing test: (1) legitimate purpose, (2) necessity, (3) balancing against data subject rights
10. Credit Protection (Art. 7, X)
Scope: Processing for the protection of credit, including credit scoring. This base is unique to the LGPD and has no direct equivalent in the GDPR. It permits processing for credit risk assessment, credit bureau operations, and commercial credit evaluation.
Implementation at Zenith Global Enterprises:
- Credit scoring of corporate customers applying for trade credit terms
- Sharing payment history with credit bureaus (Serasa Experian, SPC Brasil, Boa Vista) in compliance with Lei 12.414/2011 (Positive Credit Registry)
- Retention of credit assessment records for the statutory period
Sensitive Data Processing Under Article 11
Sensitive personal data (dados pessoais sensíveis) includes data on racial or ethnic origin, religious conviction, political opinion, trade union membership, health data, sex life, genetic data, and biometric data (Art. 5, II).
Processing of sensitive data requires one of eight specific bases under Art. 11:
- Specific and highlighted consent from the data subject
- Compliance with a legal obligation (without consent)
- Shared processing by the public administration for public policy execution
- Research bodies (with anonymisation where possible)
- Exercise of rights in judicial/administrative/arbitration proceedings
- Protection of life or physical safety
- Health protection in medical procedures
- Fraud prevention and security of the data subject in identification processes
Key distinction from GDPR: The LGPD does not include legitimate interest or contract performance as bases for sensitive data processing.
Data Protection Officer (Encarregado) Requirements
Appointment (Art. 41)
The controller must appoint a Data Protection Officer (Encarregado pelo Tratamento de Dados Pessoais). ANPD Resolution CD/ANPD No. 2/2022 (amended by Resolution CD/ANPD No. 18/2024) provides that:
- Small-scale processing agents (agentes de tratamento de pequeno porte) may appoint a simplified contact channel instead of a formal DPO
- The DPO's identity and contact information must be publicly disclosed, preferably on the controller's website
- The ANPD may establish additional rules regarding the DPO's qualifications
DPO Functions (Art. 41, §2)
| Function | Description |
|---|---|
| Receiving complaints | Accept complaints and communications from data subjects and adopt measures |
| Receiving communications from ANPD | Act as the point of contact for the ANPD |
| Advising employees | Guide the controller's employees and contractors regarding data protection practices |
| Performing other duties | Execute other attributions determined by the controller or established by supplementary regulation |
Zenith Global Enterprises DPO Structure
| Element | Detail |
|---|---|
| DPO for Brazil | Maria Fernanda Oliveira, Compliance Director — São Paulo office |
| Public disclosure | Listed on zenithglobal.com.br/privacidade and in the company's Política de Privacidade |
| Contact channel | dpo-brasil@zenithglobal.com — acknowledged within 5 business days |
| Reporting line | Reports directly to the Chief Privacy Officer with a dotted line to the Brazil Country Manager |
Data Subject Rights (Arts. 17-22)
| Right | LGPD Article | Response Deadline | Implementation |
|---|---|---|---|
| Confirmation of processing | Art. 18, I | Simplified format: immediately or within 15 days; complete format: within 15 days | Automated lookup in data inventory system |
| Access to data | Art. 18, II | Within 15 days | Data export via privacy portal in machine-readable format |
| Correction of incomplete, inaccurate, or out-of-date data | Art. 18, III | Reasonable period | Self-service correction in customer portal; employee corrections through HR system |
| Anonymisation, blocking, or deletion of unnecessary or excessive data | Art. 18, IV | Reasonable period | Automated deletion workflows; manual review for complex cases |
| Data portability | Art. 18, V | Per ANPD regulation | Export in structured JSON/CSV format via privacy portal |
| Deletion of data processed with consent | Art. 18, VI | Reasonable period | Automated purge upon consent withdrawal, subject to legal retention requirements |
| Information about shared data | Art. 18, VII | Within 15 days | Disclosure of third-party recipients from data sharing register |
| Information about consent denial consequences | Art. 18, VIII | At point of collection | Privacy notice includes consequences of not providing consent |
| Revocation of consent | Art. 18, IX | Immediately effective | One-click withdrawal in privacy portal; processing ceases within 24 hours |
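As an added example (not Zenith's code or the page's own), the following Python sketch models the consent records described under Art. 7, I above (timestamp, scope, notice version and evidence per purpose, with revocation) together with the purge-on-withdrawal rule in the Art. 18, VI row, which must yield to statutory retention. Subject ids, purpose and category names, and the five-year hold entries are assumptions for this example; the retention periods themselves are the ones the page cites.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """One per-purpose grant; kept even after revocation as Art. 8 §2 evidence."""
    subject_id: str
    purpose: str            # e.g. "marketing", "profiling", "third_party_sharing"
    notice_version: str     # version of the standalone consent clause shown
    granted_at: datetime
    evidence: str           # how the grant was captured (form id, ticket, ...)
    revoked_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only store of per-purpose consent grants and revocations."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              at: datetime, evidence: str) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, notice_version, at, evidence)
        self._records.append(rec)
        return rec

    def revoke(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Close every open grant for this subject/purpose; returns how many were closed."""
        closed = 0
        for rec in self._records:
            if (rec.subject_id, rec.purpose) == (subject_id, purpose) and rec.revoked_at is None:
                rec.revoked_at = at
                closed += 1
        return closed

    def is_active(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True only if a grant covers the instant `at` and no revocation precedes it."""
        return any(
            rec.subject_id == subject_id and rec.purpose == purpose
            and rec.granted_at <= at
            and (rec.revoked_at is None or at < rec.revoked_at)
            for rec in self._records
        )

    def proof(self, subject_id: str, purpose: str) -> list[ConsentRecord]:
        """Everything the controller would produce to show consent was obtained."""
        return [r for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]


# Retention holds that outlive a consent withdrawal. Periods are the ones the
# page cites (CTN Art. 173; Lei 9.613/1998 Art. 10); category names are assumed.
LEGAL_HOLDS: dict[str, timedelta] = {
    "payroll": timedelta(days=5 * 365),
    "aml_transaction": timedelta(days=5 * 365),
}


def purge_plan(categories: dict[str, datetime], now: datetime) -> tuple[list[str], list[str]]:
    """Split data categories into (purge_now, keep_under_hold).

    `categories` maps each category to the date its retention clock started
    (e.g. the last transaction). Categories with no hold, or an expired one, are purged.
    """
    purge, keep = [], []
    for category, clock_start in categories.items():
        hold = LEGAL_HOLDS.get(category)
        if hold is not None and clock_start + hold > now:
            keep.append(category)
        else:
            purge.append(category)
    return purge, keep


def demo() -> dict:
    """Walk the lifecycle on constructed data: grant, check, revoke, plan the purge."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 3, 1, tzinfo=timezone.utc)
    ledger.grant("cust-123", "marketing", "pt-BR-v3", t0, "portal form 7f2a")
    ledger.grant("cust-123", "profiling", "pt-BR-v3", t0, "portal form 7f2a")
    active_before = ledger.is_active("cust-123", "marketing", t0 + timedelta(days=30))
    closed = ledger.revoke("cust-123", "marketing", t0 + timedelta(days=60))
    active_after = ledger.is_active("cust-123", "marketing", t0 + timedelta(days=61))
    profiling_still = ledger.is_active("cust-123", "profiling", t0 + timedelta(days=61))
    purge, keep = purge_plan(
        {"marketing_preferences": t0, "aml_transaction": t0 + timedelta(days=10)},
        now=t0 + timedelta(days=60),
    )
    return {"active_before": active_before, "closed": closed, "active_after": active_after,
            "profiling_still": profiling_still, "purge": purge, "keep": keep,
            "proof_count": len(ledger.proof("cust-123", "marketing"))}


if __name__ == "__main__":
    print(demo())
```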
Right to Review Automated Decisions (Art. 20)
The data subject has the right to request review of decisions made solely on the basis of automated processing, including profiling, that affect their interests. The controller must provide clear and adequate information regarding the criteria and procedures used for automated decision-making, subject to commercial and industrial secrecy.
ANPD Resolution CD/ANPD No. 2/2022 clarified that small-scale processing agents may provide simplified explanations, but all controllers must enable human review upon request.
Zenith Global Enterprises implementation:
- Automated credit scoring decisions are flagged for human review upon data subject request
- Credit model criteria documented and available in simplified form for disclosure
- Human reviewer assigned within 5 business days of request receipt
International Data Transfer Mechanisms (Art. 33)
The LGPD permits international transfer of personal data only under the following conditions:
| Mechanism | LGPD Article | Status |
|---|---|---|
| Countries or international organisations with adequate level of protection | Art. 33, I | ANPD has not yet published adequacy decisions as of March 2026 |
| Standard contractual clauses approved by ANPD | Art. 33, II(b) | ANPD Resolution CD/ANPD No. 19/2024 adopted standard contractual clauses effective from August 2025 |
| Global corporate rules (binding corporate rules) | Art. 33, II(c) | ANPD has published draft guidance; formal BCR approval mechanism pending |
| Specific consent for the transfer | Art. 33, VIII | Valid only if the data subject is informed specifically about the international nature of the transfer |
| Compliance with legal or regulatory obligation | Art. 33, IV | Applicable for cross-border regulatory reporting |
| Contract performance or preliminary procedures (at data subject's request) | Art. 33, V | For transfers necessary to execute a contract with the data subject |
| Exercise of rights in judicial/administrative/arbitration proceedings | Art. 33, VI | For litigation support transfers |
| Protection of life or physical safety | Art. 33, VII | Emergency transfers |
| International judicial cooperation | Art. 33, III | For mutual legal assistance |
Zenith Global Enterprises International Transfer Framework
| Transfer Flow | Destination | Mechanism | Documentation |
|---|---|---|---|
| Customer data to EU headquarters | Germany | Standard contractual clauses (ANPD-approved) | SCC register entry BR-EU-001 |
| Employee data to regional HR hub | Singapore | Standard contractual clauses (ANPD-approved) | SCC register entry BR-SG-001 |
| Payment data to payment processor | United States | Specific consent + supplementary measures | Consent records + TIA-BR-US-001 |
| Logistics data to APAC operations | Japan | Standard contractual clauses (ANPD-approved) | SCC register entry BR-JP-001 |
ANPD Enforcement Framework
Administrative Sanctions (Art. 52)
| Sanction | Detail |
|---|---|
| Warning | With deadline for corrective measures |
| Simple fine | Up to 2% of revenue in Brazil for the private legal entity, group, or conglomerate, per violation, limited to R$50 million per violation |
| Daily fine | To compel compliance, subject to the R$50 million cap |
| Public disclosure of the violation | After confirmation of the occurrence |
| Blocking of personal data | Until regularisation |
| Deletion of personal data | Related to the violation |
| Partial suspension of database operation | For up to 6 months, renewable |
| Suspension of processing activity | For up to 6 months, renewable |
| Partial or total prohibition of processing activities | Most severe sanction |
ANPD Dosimetry Regulation (Resolution CD/ANPD No. 4/2023)
The ANPD published its dosimetry regulation establishing the methodology for calculating administrative sanctions. Key factors:
| Factor | Weight |
|---|---|
| Severity of the violation | High — nature, conditions, and duration of the processing activity |
| Good faith of the violator | Medium — evidence of intent or negligence |
| Economic advantage obtained or intended | High — financial gain from the violation |
| Economic condition of the violator | Medium — ability to pay |
| Recidivism | High — prior violations within 5 years |
| Degree of harm | High — number of data subjects affected and severity of consequences |
| Adoption of good practices and governance | Mitigating — documented privacy programme, DPO appointment, privacy impact assessments |
| Adoption of corrective measures | Mitigating — timely remediation following the violation |
| Proportionality between the violation and the sanction | Balancing factor |
Notable ANPD Enforcement Actions
ANPD Administrative Proceeding No. 00261.000489/2022-62 (Telekall Infoservice):
- First administrative fine imposed by the ANPD (July 2023)
- Violation: Offering a list of WhatsApp contacts for political campaign messaging without lawful basis
- Sanctions: Warning for failure to appoint a DPO; fine of R$14,400 for processing personal data without a lawful basis
- Significance: Established that even microenterprises must comply with LGPD fundamentals
ANPD Administrative Proceeding regarding INSS data sharing (2023):
- The ANPD investigated the sharing of social security benefit data by the Instituto Nacional do Seguro Social (INSS) with financial institutions
- Resulted in a recommendation to suspend data sharing until appropriate safeguards were implemented
- Significance: Demonstrated ANPD willingness to act against public administration bodies
LGPD Data Protection Impact Assessment (RIPD)
The ANPD may request a Relatório de Impacto à Proteção de Dados Pessoais (RIPD) from the controller under Art. 38. While not mandatory for every processing activity, the RIPD is strongly recommended for:
- Processing based on legitimate interest (Art. 10, §3)
- Processing of sensitive data (Art. 11)
- Processing of children's data (Art. 14)
- Automated decision-making (Art. 20)
- International data transfers (Art. 33)
RIPD Contents (Art. 38, sole paragraph)
| Element | Description |
|---|---|
| Description of processing activities | Types of data collected, methodology, and processing operations |
| Specific processing purposes | Detailed purpose specification beyond generic descriptions |
| Legal basis | Identification and justification of the applicable Art. 7 or Art. 11 base |
| Data protection measures | Technical and organisational safeguards implemented |
| Risk analysis | Identification and assessment of risks to data subjects |
| Mitigation measures | Steps taken to address identified risks |
Zenith Global Enterprises RIPD Register
| RIPD Reference | Processing Activity | Legal Basis | Risk Level | Last Updated |
|---|---|---|---|---|
| RIPD-BR-001 | Customer credit scoring automation | Art. 7, X (credit protection) | High | January 2026 |
| RIPD-BR-002 | Employee biometric access control | Art. 11, I (specific consent) | High | November 2025 |
| RIPD-BR-003 | Marketing analytics profiling | Art. 7, IX (legitimate interest) | Medium | December 2025 |
| RIPD-BR-004 | International transfer to EU headquarters | Art. 33, II(b) (SCCs) | Medium | February 2026 |
Compliance Programme Implementation Checklist
| Phase | Action | Status | Owner |
|---|---|---|---|
| 1. Foundation | Appoint Encarregado (DPO) and publish contact details | Complete | Legal Department |
| 1. Foundation | Map all processing activities involving Brazilian personal data | Complete | Privacy Team |
| 1. Foundation | Identify and document lawful basis for each processing activity | Complete | Privacy Team |
| 2. Documentation | Draft and publish Política de Privacidade (Privacy Policy) in Portuguese | Complete | Legal + Marketing |
| 2. Documentation | Implement consent collection mechanism with granular purposes | Complete | IT + Privacy Team |
| 2. Documentation | Create RIPD template aligned with Art. 38 requirements | Complete | Privacy Team |
| 3. Rights Management | Implement data subject rights request portal in Portuguese | Complete | IT Development |
| 3. Rights Management | Establish 15-day response workflow for access/confirmation requests | Complete | Privacy Operations |
| 3. Rights Management | Configure automated deletion workflows with legal hold exceptions | Complete | IT + Legal |
| 4. Transfers | Implement ANPD-approved standard contractual clauses for international transfers | Complete | Legal + Transfer Team |
| 4. Transfers | Document all international transfer flows in the transfer register | Complete | Privacy Team |
| 5. Governance | Conduct annual LGPD compliance audit | Scheduled Q2 2026 | Internal Audit |
| 5. Governance | Train all Brazilian employees on LGPD requirements (annual) | Complete for 2025 | HR + Privacy Team |
| 5. Governance | Establish ANPD regulatory monitoring for new resolutions | Active | Legal + Privacy Team |