Understand the key definitions, legal bases, responsibilities, and engineering impacts of Brazil’s General Data Protection Law (LGPD).

Check it out!

The General Data Protection Law (LGPD) – Law No. 13,709/2018 – is the main Brazilian regulatory framework governing the processing of personal data by public and private organizations.

Inspired by international references such as the European Union’s General Data Protection Regulation (GDPR), the LGPD establishes essential legal and technical foundations to ensure security, privacy, and transparency in the use of information related to natural persons.

In this article, we will take a closer look at the main concepts, technical definitions, and operational obligations imposed by the LGPD, addressing fundamental points for project implementation, process adaptation, and the structuring of solutions in engineering, information technology, and data governance.

Take a look!

[elementor-template id=”24446″]

Normative Foundations and the LGPD Context

The LGPD establishes specific guidelines for the processing of personal data within the national territory, covering scenarios involving data collection, storage, processing, transfer, and sharing.

The scope of the legislation covers both natural persons and legal entities, in both the public and private sectors, with the purpose of protecting the fundamental rights of freedom, privacy, and the free development of the natural person’s personality.

There are several legal bases for data processing, such as the execution of public policies, consent, legal compliance, legitimate interest, contract performance, among others. Each of these legal bases applies to specific situations, such as the legal obligation to provide student data to the National Institute for Educational Studies and Research Anisio Teixeira (INEP) for the Higher Education Census.

The global regulatory context and the intense multisector debate supported the creation of robust legislation, guiding mandatory practices not only due to pressure from regulatory authorities, but also from customers, suppliers, and data subjects present in goods and services supply chains.

The National Data Protection Authority (ANPD) is the supervisory entity responsible for enforcing the law and guiding its implementation.

Core Definitions of Personal Data

Correctly understanding the definitions established by the LGPD is essential for implementing policies, processes, and controls aligned with legal requirements.

Below are the main concepts that structure the legislation, guiding both the development of technical solutions and the preparation of documents and organizational practices related to personal data protection:

Personal Data

According to the LGPD, personal data is defined as any information related to an identified or identifiable natural person.

This concept covers everything from directly linked elements, such as name, ID document, tax number, photograph, and address, to data that, when combined with other information, may allow the individual to be identified.

Sensitive Personal Data

Sensitive personal data is information that, because of its nature, requires stronger protection. This category includes:

  • Racial or ethnic origin;
  • Religious belief;
  • Political opinion;
  • Membership in a trade union or in a religious, philosophical, or political organization;
  • Data relating to health or sex life;
  • Genetic or biometric data;

The processing of this data is subject to strict criteria, technical justifications, and differentiated access controls.

Anonymized Data

Anonymized data corresponds to data related to a subject who cannot be identified, considering the use of reasonable technical means available at the time of processing.

Anonymization, according to the LGPD, implies the irreversibility of identifying the data subject, except where the process can be reversed using available technical means.

Roles and Responsibilities of Processing Agents

The structure of the General Data Protection Law establishes different roles for the agents involved in the personal data processing life cycle. Understanding these definitions is essential to implementing effective governance, ensuring regulatory compliance, and mitigating operational and legal privacy risks.

Data Subject

The data subject is the natural person to whom the personal data under processing relates.

This agent is at the center of the legislation, because all protection mechanisms and regulatory safeguards are structured to preserve their fundamental rights to freedom, privacy, and informational self-determination.

The data subject may request access, correction, deletion, portability, and information about the processing of their data, in addition to exercising control over the consent granted.

Data subjects have a set of fundamental rights that ensure control over their information and the ability to exercise their informational autonomy. The main rights include:

  • Confirmation of the existence of processing: the subject may request confirmation as to whether a given organization is processing their personal data.
  • Access to data: the right to fully access the information held by the controller is guaranteed.
  • Correction of data: allows data that is incomplete, inaccurate, or outdated to be updated, completed, or corrected.
  • Anonymization, blocking, or deletion: makes it possible to suspend or remove unnecessary, excessive, or non-compliant data.
  • Data portability: allows the subject to transfer their personal data to another service or product provider, while preserving trade and industrial secrets.
  • Deletion of data: allows the subject to request deletion of data processed on the basis of consent, except where specific regulations provide otherwise.
  • Information about sharing: ensures transparency regarding the sharing of their data with third parties.
  • Information about consent: the subject must be informed of the consequences of refusing consent, as well as the possibility of revoking it at any time.
  • Revocation of consent: the subject may withdraw previously granted consent, with processing performed while it was valid remaining preserved.

The exercise of these rights assumes the existence of efficient service channels and the adoption of clear, secure, and accessible mechanisms for communication between data subjects and processing agents. Effective protection of the data subject’s rights is a central element in building trust and strengthening the culture of privacy within organizations.

Controller

The controller is the public or private entity responsible for making the main decisions regarding the processing of personal data.

The controller is responsible for defining the purposes of processing, selecting the appropriate legal bases, establishing retention policies, and determining the security measures to be adopted.

The controller is also responsible for guiding and supervising operators and ensuring an effective response to data subject rights, being directly accountable to authorities and to the subjects themselves in cases of non-compliance.

Operator

The operator is the agent responsible for carrying out personal data processing operations under the controller’s instructions.

The operator performs technical and administrative tasks such as processing, storage, and transmission of data, always according to the instructions provided by the controller.

Although the operator does not have autonomy to define purposes or legal bases, it is co-responsible for the security and integrity of the information, and must adopt good practices, maintain confidentiality, and comply with the established guidelines.

Data Protection Officer

The data protection officer, also known as the DPO (Data Protection Officer), acts as the communication link between the controller, data subjects, and the national authority.

Its main duties include responding to data subject requests, clarifying internal and external questions, guiding teams on safe practices, and cooperating with the supervisory authority in investigations or audits.

The DPO contributes to a culture of compliance and to transparency in processing operations.

Personal Data Processing

The concept of personal data processing comprises any operation carried out with information related to identified or identifiable natural persons, at all stages of its life cycle. It is a broad term that covers everything from the initial obtaining of data to its final deletion, including intermediate processes of manipulation, storage, and sharing.

In the organizational context, and especially in systems engineering projects and information technology operations, it is essential to map, record, and control all flows and operations involving personal data. This approach ensures traceability of information, facilitates the implementation of security controls, and guarantees compliance with privacy and data protection requirements.

The main operations included in personal data processing may be exemplified as follows:

  • Collection: obtaining data through forms, devices, sensors, applications, or direct interactions with data subjects.
  • Storage: keeping data on physical or digital media, requiring strict access control, integrity, and availability policies.
  • Processing: any manipulation, combination, analysis, or correlation of data for legitimate, authorized purposes compatible with the original purpose.
  • Transfer: movement of data between systems, internal or external departments, or to third parties, observing contractual limits and legal requirements.
  • Deletion: permanent removal of data, whether through physical or logical destruction, including deletion from backups, in a way that prevents unauthorized access or misuse.

Other operations, such as production, reception, classification, access, reproduction, transmission, distribution, archiving, evaluation, modification, communication, dissemination, and extraction, also fall within the broad definition of personal data processing.

Detailed documentation of these activities, associated with consistent governance practices, is essential to meeting the principles of security, transparency, and accountability required in highly complex projects and regulated environments.

Exceptions and Territorial Limitations of the LGPD

The application of the General Data Protection Law is limited to processing operations carried out in the national territory, regardless of the means used, the location of the agent’s headquarters, or the location of the technological infrastructure. It also applies when goods or services are offered or provided to individuals located in Brazil, as well as in situations where personal data has been collected within the national territory.

In addition, the legislation regulates international data transfers, imposing specific requirements so that these operations only occur when the destination country offers a level of personal data protection equivalent to that provided by the LGPD, or through safeguards and mechanisms recognized by the competent authorities.

On the other hand, personal data originating abroad is not subject to Brazilian legislation if there is no communication, shared use, or international transfer involving agents established in Brazil, or when processing occurs entirely within jurisdictions considered adequate in terms of data protection.

These limitations ensure harmonization between national practices and international data protection standards, while preserving sovereignty and legal certainty in cross-border operations.

Legal Bases and Purposes for Data Processing

Personal data processing may only occur when supported by one of the legal bases provided by the LGPD, such as:

  • Data subject consent
  • Contract performance
  • Compliance with a legal or regulatory obligation
  • Protection of life or physical safety
  • Protection of health
  • Legitimate interests of the controller or a third party, provided that the data subject’s fundamental rights and freedoms do not prevail
  • Credit protection
  • Judicial, administrative, and arbitration proceedings

The explicit definition of specific purposes, access limitations, and proportional and minimally necessary processing are cross-cutting principles applicable at all stages of projects and operations governed by the LGPD.

The Impact of the LGPD on Society and Companies

The implementation of the General Data Protection Law marks a turning point in the transformation of organizational and technological culture in Brazil, promoting profound changes in the relationship between individuals, companies, and systems. For society, the LGPD strengthens the right to control personal data, raising privacy standards and demanding greater transparency and ethical treatment of information from organizations. Individuals gain effective tools to request information about the use of their data, exercise correction, deletion, or portability rights, and demand safer and more responsible data management practices.

In the business environment, the LGPD requires a complete review of processes for collecting, processing, storing, and sharing data, as well as the updating of consent mechanisms and the definition of flows to respond to data subject rights. Organizations must structure robust governance processes, appoint a data protection officer, document policies and controls, and ensure that everyone involved is aligned with legal requirements. Failure to comply may result in sanctions, reputational losses, and reduced competitiveness.

From a technical and operational standpoint, the LGPD imposes rigorous standards on systems engineering projects and information technology and automation operations. Among the main requirements are:

Data Governance and Documentation

Establishing methodologies for mapping data flows, risk analysis, segregation of duties, recording legal bases, and documenting security controls, ensuring traceability and accountability.

Security Architecture

Implementing technical and administrative measures to protect personal data against unauthorized access, destruction, loss, alteration, or improper disclosure, including risk controls, continuous monitoring, and incident response plans.

Incident Management

Structuring policies and tools for incident response, with prior procedures for notifying the ANPD and data subjects in cases of relevant risk or damage, promoting organizational readiness and transparency.

Compliance and Audit

Conducting recurring technical audits, procedural reviews, and maintaining objective evidence of compliance, with structured corrections for any identified non-conformities.

Compliance with the LGPD requires investment in technology, training, and the maturation of internal processes. Despite the challenges, compliance strengthens the trust of customers, partners, and data subjects, positioning companies and projects at higher levels of security, sustainability, and competitiveness in an increasingly demanding regulatory environment.

Conclusion

The General Data Protection Law has introduced new technical and organizational benchmarks for the processing of personal data in Brazil.

A precise understanding of the concepts established by the LGPD – including definitions of personal data, the roles of controller, operator, and DPO, territorial scope, legal bases, and processing operations – is decisive for the proper implementation of controls, governance, and technical measures in engineering and information technology solutions.

The systematization of data subject rights, together with the obligation of security, transparency, and accountability, conditions the sustainability and trustworthiness of integrated systems, security, data networks, and corporate automation projects.

Alignment with the LGPD’s requirements and definitions should be understood as an intrinsic part of the systems life cycle, covering everything from the design phase to execution and continuous monitoring.

Engineering strategies that prioritize robust management processes, technical controls, and continuous training position organizations in compliance and at a competitive advantage in the national and international regulatory environment.

Final Considerations

A rigorous understanding and application of the LGPD’s definitions and foundations are essential for professionals and organizations committed to technical excellence and regulatory compliance.

Thank you for reading this article. We invite you to follow A3A Engenharia de Sistemas on social media to keep up with reference technical content, regulatory updates, and best practices in data protection, information security, networks, and systems engineering.