BifröstIndex

Brazil — Data Subject Rights

6 sections · Last updated 2026-06-04

LGPD Article 18 — Enumerated data subject rights

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13,709 enacted August 14, 2018 and in force since September 2020, establishes comprehensive data subject rights modeled on the European GDPR but with important structural differences. Article 17 affirms that every natural person (pessoa natural) has "assured ownership of their personal data and guaranteed fundamental rights of freedom, intimacy and privacy" under the law. Article 18 then enumerates nine distinct rights that the data subject (titular dos dados pessoais) may exercise against the controller at any time upon request.

The nine Article 18 rights are:

I. Confirmation of processing — the right to obtain confirmation from the controller that processing of the data subject's personal data exists.

II. Access — the right to access the data being processed.

III. Correction — the right to correct incomplete, inaccurate, or out-of-date personal data.

IV. Anonymization, blocking, or deletion — the right to anonymize, block, or delete unnecessary or excessive data, or data processed in noncompliance with the LGPD.

V. Data portability — the right to request portability of data to another service or product provider, subject to regulation by the Autoridade Nacional de Proteção de Dados (ANPD, Brazil's national data protection authority) and observing trade secrets and industrial secrets. This provision was amended by Law No. 13,853 of July 8, 2019.

VI. Deletion of consent-based data — the right to delete personal data processed with the data subject's consent, except in the cases specified in Article 16 (which lists retention justifications including legal compliance, regulatory obligation, and exercise of rights in legal proceedings).

VII. Information about data sharing — the right to obtain information about public and private entities with which the controller has shared the data subject's data.

VIII. Information about the right to refuse consent — the right to be informed about the possibility of not providing consent and the consequences of refusal.

IX. Consent revocation — the right to revoke consent at any time, pursuant to Article 8, § 5.

Article 18, § 1 grants data subjects the right to petition the ANPD against the controller regarding their data. Paragraph 2 permits data subjects to oppose processing carried out under one of the legal bases that dispenses with consent (such as legitimate interests under Article 7, IX or contract performance under Article 7, V) where the controller has violated the LGPD. Paragraph 3 requires that these rights be exercised through an express request by the data subject or a legally appointed representative to the controller (agente de tratamento). Paragraph 4 provides that where immediate compliance is impossible, the controller must send a reply explaining the reasons; paragraph 5 mandates that requests be fulfilled free of charge.

The ANPD has listed data subject rights as a priority enforcement theme for the 2026–2027 biennium, with particular attention to the use of sensitive data for advertising and secondary processing incompatible with the original purpose. The ANPD's enforcement powers, strengthened when it became an independent regulatory agency in February 2026, include administrative fines of up to 2% of a private entity's revenue in Brazil (capped at R$ 50 million per infraction under Article 52) and the power to suspend processing activities for up to six months.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD)
Source: LGPD — English Translation, ANPD

Response timelines under Article 19 — 15-day deadline and compliance procedures

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

When a data subject exercises any of the Article 18 rights, Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) imposes strict response obligations on the controller. Article 19 establishes two distinct fulfillment pathways depending on the complexity and scope of the request, both of which carry significantly tighter timelines than comparable regimes such as the GDPR (30 days) or the California Consumer Privacy Act (45 days). The LGPD affords no statutory extension mechanism, no matter the size or complexity of the data subject request.

Two-tier response mechanism under Article 19

Article 19 of the LGPD provides for confirmation of the existence of processing or access to personal data "upon request of the data subject" (mediante requisição do titular) through two alternatives:

I. Simplified statement (immediate delivery) — The controller may respond immediately by providing a simplified summary of the principal personal data processed (por meio de declaração simplificada). Article 19, I does not define "immediate" or prescribe the required content of a simplified statement; the statute is silent on operational details.

II. Complete declaration (15 calendar days) — Alternatively, the controller must provide a "clear and complete declaration that indicates the origin of the data, the nonexistence of any record, the criteria used, and the purpose of the processing, observing commercial and industrial secrets" within a maximum of 15 calendar days counted from the date of the data subject's request (fornecida no prazo de até 15 (quinze) dias, contado da data do requerimento do titular). This complete response obligation under Article 19, II is mandatory whenever the data subject requests detailed information or when the controller cannot provide immediate simplified access.

The 15-day clock is firm. Unlike the GDPR's Article 12(3), which permits a two-month extension for complex or voluminous requests, or the CCPA's 45-day window with a possible 45-day extension under Cal. Civ. Code § 1798.130(a)(2), the LGPD text provides no extension mechanism. The statutory language "no prazo de até 15 (quinze) dias" establishes a ceiling. Controllers serving both Brazilian data subjects and those in other jurisdictions must build separate fulfillment tracks to meet this accelerated timeline.

Article 18, § 3, § 4, and § 5 — procedural framework

Article 18, § 3 requires that data subject rights be exercised through an "express request" (requisição expressa) by the data subject or a legally appointed representative to the controller. The LGPD does not prescribe a mandatory form or channel; the statute is silent on whether controllers may require requests via a specific portal, email address, or form.

Article 18, § 4 provides that when immediate compliance is impossible, the controller must send a reply to the data subject explaining the reasons for the delay (informando os motivos de sua impossibilidade de adoção imediata das providências requeridas). This exception addresses technical or legal obstacles to fulfilling the request within the 15-day window, not routine processing delays.

Article 18, § 5 mandates that all data subject requests be fulfilled free of charge (gratuitamente) to the data subject. Controllers may not impose fees for compliance with Article 18 rights. This differs from the GDPR's Article 12(5), which permits "a reasonable fee" for manifestly unfounded or excessive requests.

Verification of identity

The LGPD does not address identity verification procedures for data subject requests. Article 19 and Article 18 are silent on what authentication a controller may demand before disclosing personal data. The ANPD has not, as of May 2026, published formal guidance or binding regulations specifying permissible verification measures. In the absence of statutory or regulatory direction, controllers typically apply measures proportional to the sensitivity of the data and the risk of impersonation, but these are industry practices, not legal mandates.

Format and delivery under Article 19, § 2

Article 19, § 2 permits the data subject to choose the format of delivery:

I. By electronic means, secure and suitable for that purpose (por meio eletrônico, seguro e idôneo para esse fim); or

II. In printed form (sob forma impressa).

The controller must honor the data subject's stated preference. The statute does not define "secure and suitable," leaving implementation to the controller's judgment consistent with the security obligations under Article 46.

Portability overlay — Article 19, § 3

When processing is based on the data subject's consent (Article 7, I) or on contract performance (Article 7, V), Article 19, § 3 grants the data subject the right to request a full electronic copy of their personal data "in a format that permits subsequent use, including in other processing operations" (em formato que permita a sua utilização subsequente, inclusive em outras operações de tratamento), observing commercial and industrial secrets and subject to regulation by the ANPD. The ANPD's Regulation on International Transfer of Personal Data, approved in 2023, harmonizes the 15-day response deadline for portability requests within the context of cross-border data flows (Clause 15.3 of the standard contractual clauses).

Storage format requirement — Article 19, § 1

Article 19, § 1 requires that "personal data shall be stored in a format that favors the exercise of the right of access" (Os dados pessoais serão armazenados em formato que favoreça o exercício do direito de acesso). This is a forward-looking obligation on controllers to design data systems that enable timely retrieval and export, reinforcing the operational feasibility of the 15-day deadline.

Consequences of non-compliance

Failure to respond within the 15-day deadline constitutes a violation of Article 18, § 5 and Article 19, II. The ANPD may impose administrative sanctions under Article 52, including:

  • Warning with a deadline for corrective measures (Article 52, I);
  • Simple fine of up to 2% of the private entity's revenue in Brazil in the prior fiscal year, capped at R$ 50 million per infraction (Article 52, II);
  • Daily fine, subject to the same cap (Article 52, III);
  • Suspension of processing activities for up to six months (Article 52, VI, b).

As of May 2026, the ANPD has not published dedicated guidance or case precedent interpreting the Article 19 timeline obligations, leaving controllers to apply the statutory text as written.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 18 and 19
Source: ANPD Regulation on International Transfer of Personal Data (2023), Clause 15.3

Right to oppose processing — Article 18, § 2 LGPD trigger and controller burden

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Beyond the nine enumerated rights in Article 18 of Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD), paragraph 2 of that same article creates an additional data subject right: the right to oppose processing carried out under one of the legal bases that dispense with consent. This right functions as Brazil's analogue to the GDPR's Article 21 right to object, but with important structural differences in scope, trigger conditions, and the controller's burden of proof.

Statutory language and scope — Article 18, § 2

Article 18, § 2 of the LGPD provides: "O titular poderá se opor a tratamento realizado com fundamento em uma das hipóteses de dispensa de consentimento, em caso de descumprimento ao disposto nesta Lei" (The data subject may oppose processing carried out under one of the hypotheses dispensing with consent, in case of non-compliance with this Law).

The right applies exclusively to processing carried out under the legal bases listed in Articles 7 and 11 of the LGPD that do not require consent. These non-consent legal bases include:

  • Legitimate interests of the controller (Article 7, IX and Article 10) — the most common trigger for opposition in practice, mirroring the GDPR's legitimate-interests balancing test;
  • Contract performance (Article 7, V) — necessary for the execution of a contract to which the data subject is a party, or for pre-contractual measures;
  • Compliance with a legal or regulatory obligation (Article 7, II);
  • Execution of public policies (Article 7, III) — for public-sector controllers;
  • Research purposes (Article 7, IV) — provided by public research entities or ensured anonymization;
  • Exercise of rights in legal, administrative, or arbitral proceedings (Article 7, VI);
  • Protection of life or physical safety (Article 7, VII);
  • Health protection (Article 7, VIII and Article 11, II(a) for sensitive data);
  • Prevention of fraud and security (Article 7, X);
  • Credit protection (Article 7, X).

The right does not apply to processing based on consent (Article 7, I and Article 11, I), because the data subject already holds the separate right to revoke consent at any time under Article 18, IX. A data subject who consented to processing must use the revocation mechanism, not the opposition right.

"In case of non-compliance with this Law" — substantive trigger requirement

The text of Article 18, § 2 conditions the opposition right on "descumprimento ao disposto nesta Lei" — non-compliance with the LGPD. This phrase creates a substantive threshold: the data subject must assert that the controller's processing, even though it relies on a facially valid non-consent legal basis, violates one or more provisions of the LGPD.

In practice, opposition requests typically allege one of the following LGPD violations:

  • Breach of the necessity principle (Article 6, III) — the controller is processing more data than strictly necessary for the stated purpose;
  • Breach of the adequacy principle (Article 6, II) — the processing is incompatible with the purposes disclosed to the data subject;
  • Breach of the purpose-limitation principle (Article 6, I) — the controller is using the data for a purpose different from the one originally disclosed;
  • Failure to satisfy the legitimate-interests balancing test (Article 10, § 1 and § 2) — the controller has not demonstrated that the processing is strictly necessary for a legitimate purpose, or has not adopted transparency measures;
  • Violation of data subject rights or fundamental freedoms — the processing poses risks to the data subject's privacy, intimacy, or other Article 2 protected interests that outweigh the controller's claimed justification.

The statute does not prescribe the form or evidentiary standard for the data subject's opposition. Article 18, § 3 requires only an "express request" (requisição expressa) by the data subject or a legally appointed representative. The data subject need not prove the alleged LGPD violation in the initial opposition; it is sufficient to state the grounds and the specific provision claimed to be violated. The burden then shifts to the controller.

Controller's response obligation and burden of proof

When a data subject exercises the right to oppose processing under Article 18, § 2, the controller must evaluate whether the asserted LGPD violation is substantiated and, if so, cease the processing unless the controller can demonstrate compelling justifications that override the data subject's interests. The LGPD does not spell out this balancing test as explicitly as GDPR Article 21(1) does ("compelling legitimate grounds which override the interests, rights and freedoms of the data subject"), but the legislative history and the structure of Article 10 (legitimate interests) indicate that controllers bear the burden of demonstrating compliance.

Under Article 18, § 4, if the controller cannot immediately comply with the data subject's opposition request, the controller must send a reply "explaining the reasons for the impossibility of immediate adoption of the requested measures" (informando os motivos de sua impossibilidade de adoção imediata das providências requeridas). This reply must be substantive, not boilerplate. The controller must articulate:

  • Why the processing remains compliant with the LGPD despite the data subject's allegations;
  • Which specific LGPD provision authorizes continued processing (e.g., Article 7, II for legal obligation, or Article 7, IX with a documented legitimate-interests assessment under Article 10);
  • What safeguards or mitigation measures the controller has implemented to protect the data subject's rights;
  • If the opposition is partially justified, what corrective measures the controller will adopt (e.g., limiting the scope of processing, anonymizing certain fields, or stopping secondary uses).

Article 18, § 5 requires that the controller's response, like all data subject rights responses, be provided free of charge to the data subject.

Distinction from consent revocation (Article 18, IX) and deletion (Article 18, VI)

Practitioners must carefully distinguish the opposition right from two related but distinct rights:

  1. Consent revocation (Article 18, IX and Article 8, § 5) — applies only to processing based on consent (Article 7, I or Article 11, I). Revocation is unconditional; the data subject need not allege an LGPD violation. Once consent is revoked, the controller must stop processing unless another legal basis applies (Article 16 retention exceptions).
  2. Deletion of consent-based data (Article 18, VI) — the right to delete personal data processed with consent, again subject to Article 16 exceptions. This right is substantive, not procedural; it compels deletion, not merely cessation of processing.

The opposition right under Article 18, § 2, by contrast, applies to processing not based on consent and requires the data subject to assert an LGPD violation. If the opposition is upheld, the controller must cease the challenged processing activity but is not automatically required to delete the data if another legal basis (e.g., legal obligation, Article 7, II) or an Article 16 retention justification applies.

Intersection with Article 20 automated decision-making rights

When processing relies on automated decision-making that affects the data subject (profiling for credit, employment, or targeted advertising), the data subject may invoke both the Article 18, § 2 opposition right and the Article 20 right to request review of automated decisions. Article 20 grants the data subject the right to request review of decisions "taken solely on the basis of automated processing of personal data that affect their interests" and to obtain information about the criteria and procedures used. An opposition under Article 18, § 2 challenging the lawfulness of the underlying processing can run in parallel with an Article 20 request for human review of the decision output.

ANPD enforcement and petition right (Article 18, § 1)

Article 18, § 1 grants data subjects the right to petition the Autoridade Nacional de Proteção de Dados (ANPD) against the controller regarding their personal data. If the controller rejects an opposition request under Article 18, § 2 or fails to provide a substantive justification under Article 18, § 4, the data subject may escalate the matter to the ANPD. The ANPD's enforcement powers under Article 52 include ordering the controller to cease the challenged processing, imposing administrative fines of up to 2% of the controller's revenue in Brazil (capped at R$ 50 million per infraction), or suspending processing activities for up to six months.

As of June 2026, the ANPD has not published formal guidance interpreting the scope and application of the Article 18, § 2 opposition right, leaving controllers to apply the statutory text in light of the LGPD's general principles (Article 6) and the legitimate-interests framework (Article 10).

Response timeline — 15-day deadline under Article 19

The controller's response to an opposition request is subject to the same 15 calendar-day deadline established by Article 19, II for all data subject access and information requests. Unlike the GDPR's 30-day window with a possible 60-day extension, the LGPD affords no statutory extension mechanism for complex or voluminous requests. The 15-day clock begins on the date of the data subject's request and runs continuously, including weekends and holidays.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Article 18, § 2
Source: LGPD Articles 6, 7, 10, and 19 — Principles, Legal Bases, Legitimate Interests, and Response Timelines

Right to deletion, anonymization, or blocking — Article 18, IV trigger conditions and Article 16 retention exceptions

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Article 18, IV of Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) grants data subjects the right to request that the controller anonymize, block, or delete their personal data when that data is unnecessary, excessive, or processed in violation of the LGPD. This right applies to all processing operations, regardless of the legal basis (consent, legitimate interests, contract, legal obligation, etc.), distinguishing it from the narrower consent-specific deletion right in Article 18, VI. Controllers must evaluate every Article 18, IV request against three substantive triggers and four statutory retention exceptions under Article 16.

Three substantive triggers under Article 18, IV

A data subject may invoke the Article 18, IV right when the controller's processing meets any one of three conditions:

1. Unnecessary data — The personal data is not required to fulfill the specific, legitimate purpose for which it was originally collected. Article 6, III of the LGPD imposes the necessity principle (princípio da necessidade), requiring controllers to limit processing to the minimum necessary for the stated purpose, with data that are pertinent, proportional, and not excessive. If the controller is processing data fields or data categories that are not strictly necessary for the purpose disclosed to the data subject, those fields are "unnecessary" under Article 18, IV. Example: a controller collects biometric fingerprints for employee time-tracking but also collects and retains genetic data with no legitimate business justification; the genetic data are unnecessary and subject to deletion on request.

2. Excessive data — The personal data exceed what is proportional and adequate for the processing purpose. "Excessive" overlaps with "unnecessary" but emphasizes volume and scope rather than categorical relevance. Article 6, II (adequacy principle) and Article 6, III (necessity principle) require that the data processed be compatible with the purpose and not disproportionate. Example: a controller retains five years of granular location data for a delivery service when six months would suffice for the stated purpose of route optimization and customer service; the excess retention period renders the data excessive.

3. Data processed in violation of the LGPD (dados tratados em desconformidade com o disposto nesta Lei) — The processing violates any provision of the LGPD, including:

  • Lack of a valid legal basis under Article 7 (for ordinary personal data) or Article 11 (for sensitive personal data);
  • Breach of a foundational principle under Article 6 (purpose limitation, adequacy, necessity, transparency, security, accountability, or non-discrimination);
  • Failure to provide required transparency under Article 9 (the controller did not inform the data subject of the purpose, retention period, or data-sharing arrangements);
  • Unlawful secondary processing incompatible with the original purpose (Article 6, I);
  • Inadequate security measures under Article 46, resulting in unmitigated risk to the data subject's rights;
  • Processing of children's data without parental consent in violation of Article 14, § 1;
  • Cross-border transfer without a valid mechanism under Chapter V (Articles 33–36).

The phrase "in violation of the LGPD" is a residual category that captures any unlawful processing not already covered by the "unnecessary" or "excessive" labels. A data subject asserting this ground must identify the specific LGPD provision the controller has violated. The controller then bears the burden under Article 18, § 4 to justify continued processing or explain why immediate compliance is impossible.

Three remedial options: deletion, anonymization, or blocking

Article 18, IV grants the data subject the right to request deletion (eliminação), anonymization (anonimização), or blocking (bloqueio). The LGPD does not prescribe which remedy the controller must apply; the statutory text uses the disjunctive "or," suggesting the controller may choose the remedy that best balances the data subject's rights with any residual business or legal need. In practice:

  • Deletion (eliminação) — Permanent removal of the personal data from all of the controller's databases and systems, including backups, logs, and archives, regardless of the technical procedure adopted. Deletion is the strongest remedy and the default when no retention exception applies.
  • Anonymization (anonimização) — Application of reasonable and available technical measures to render the personal data irreversibly unlinked to the data subject, such that the data can no longer be associated, directly or indirectly, with a natural person. Article 5, III defines anonymized data as data "relating to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of processing." Article 12 of the LGPD provides that anonymized data are not considered personal data under the law, except when the anonymization process can be reversed using the controller's own means or with reasonable effort. Controllers choosing anonymization must ensure the technique is irreversible under the Article 12 standard; otherwise, the data remain personal data subject to the LGPD.
  • Blocking (bloqueio) — Temporary suspension of any processing operation involving the personal data, while keeping the data stored in the controller's database or systems with an indication that they cannot be used for any other purpose. Blocking is an intermediate remedy when the controller has a residual legal or regulatory obligation to retain the data (e.g., for litigation, audit, or tax compliance under Article 16, I) but the data subject's opposition is substantiated. Blocked data remain in storage but are flagged as unavailable for active processing.

Article 18, § 6 of the LGPD requires that when the controller deletes, anonymizes, or blocks personal data in response to a data subject request, the controller must immediately inform all processors and third parties with whom the controller has shared the data, so that they repeat the same procedure. This obligation does not apply when such communication is manifestly impossible or would require disproportionate effort (Article 18, § 6, sentence 2).

Article 16 retention exceptions — when deletion is NOT required despite an Article 18, IV request

Article 18, IV is subject to the retention framework in Article 16 of the LGPD. Article 16 is titled "Deletion of Personal Data" (Eliminação dos Dados Pessoais) and appears in Section IV (Termination of Data Processing) of Chapter II. Article 16 establishes the general rule that personal data shall be deleted at the end of processing (Os dados pessoais serão eliminados após o término de seu tratamento), within the scope and technical limits of the controller's activities. However, Article 16 then enumerates four exceptions that authorize or require continued retention even after the data subject requests deletion under Article 18, IV or Article 18, VI:

I. Compliance with a legal or regulatory obligation of the controller (cumprimento de obrigação legal ou regulatória pelo controlador) — When a statute, regulation, or binding administrative rule requires the controller to retain the personal data for a specified period, the controller may (and in many cases must) retain the data despite the data subject's deletion request. Examples include:

  • Brazilian tax law (Lei nº 8.981/1995 and Decreto nº 9.580/2018) requires businesses to retain accounting and invoicing records, including customer personal data, for five years from the end of the fiscal year for audit purposes by the Receita Federal do Brasil;
  • Labor law (Consolidação das Leis do Trabalho, CLT) requires employers to retain employee payroll and social-security contribution records for specific periods;
  • Anti-money-laundering regulations (Lei nº 9.613/1998) require financial institutions to retain customer identification and transaction records for ten years;
  • Consumer protection law (Código de Defesa do Consumidor, Lei nº 8.078/1990) creates prescription periods during which complaint and warranty records must be accessible.

A controller invoking Article 16, I must identify the specific legal or regulatory provision that mandates retention and the prescribed retention period. The controller may not retain the data beyond the statutory deadline. Once the legal retention obligation expires, the data subject's original deletion request revives (assuming no other Article 16 exception applies), and the controller must delete the data.

II. Research by research entities, ensuring anonymization whenever possible (estudo por órgão de pesquisa, garantida, sempre que possível, a anonimização dos dados pessoais) — Personal data may be retained for historical, scientific, or statistical research conducted by a research entity (órgão de pesquisa), defined in Article 5, XVIII (as amended by Law No. 13.853/2019) as a public-sector entity or a Brazilian private nonprofit legal entity whose institutional mission or statutory purpose includes basic or applied research of a historical, scientific, technological, or statistical nature. The LGPD prioritizes anonymization for research purposes (Article 13 specifically addresses public-health research and requires anonymization "whenever possible"). When full anonymization is not feasible, the research entity may retain identifiable personal data under Article 7, IV (for public research entities) or Article 11, II(d) (for research involving sensitive data), subject to additional safeguards. A commercial controller that is not a research entity under Article 5, XVIII cannot invoke Article 16, II to resist a deletion request on research grounds.

III. Transfer to a third party, provided the LGPD processing requirements are fulfilled (transferência a terceiro, desde que respeitados os requisitos de tratamento de dados dispostos nesta Lei) — A controller may retain personal data for the purpose of transferring it to a third party (another controller, a joint controller, or a processor), provided the transfer itself complies with all LGPD requirements, including a valid legal basis under Article 7 or Article 11, adherence to the purpose-limitation and necessity principles under Article 6, and (if the transfer is cross-border) compliance with Chapter V (Articles 33–36). This exception is narrow: it permits temporary retention to facilitate a lawful, contemplated transfer, not indefinite retention on the speculative possibility of a future transfer. Example: a data subject requests deletion from an e-commerce platform on the day before the platform is contractually obligated to transfer the data to an acquirer as part of a corporate transaction; the platform may invoke Article 16, III to complete the transfer, after which the acquirer becomes the controller and must evaluate the deletion request anew. The exception does not authorize the original controller to retain the data indefinitely post-transfer.

IV. Exclusive use by the controller, provided the data are anonymized (uso exclusivo do controlador, vedado seu acesso por terceiro, e desde que anonimizados os dados) — The controller may retain personal data for its exclusive use, meaning no third party (including processors, joint controllers, or data recipients) may access the data, provided the data are anonymized in accordance with Article 5, III and Article 12. Once anonymized, the data are no longer "personal data" under the LGPD (Article 12, caput), and the controller may use them for analytics, internal reporting, model training, or other purposes without triggering LGPD obligations. Article 16, IV creates a pathway for controllers to retain the informational value of the data while eliminating the personal-data status and the associated data subject rights. The anonymization must be irreversible under the Article 12 standard (cannot be reversed using the controller's own means or with reasonable effort). If the anonymization is reversible, the data remain personal data, and Article 16, IV does not apply.

Interaction between Article 18, IV and Article 18, VI (consent-specific deletion)

Article 18, VI grants a separate, narrower deletion right: the right to delete personal data processed with the data subject's consent, except in the cases provided in Article 16. Article 18, VI applies only when the legal basis for processing was consent under Article 7, I or Article 11, I. Article 18, IV, by contrast, applies to all processing, regardless of legal basis, whenever the data are unnecessary, excessive, or processed in violation of the LGPD.

The distinction matters procedurally:

  • A data subject whose data are processed with consent may invoke either Article 18, VI (unconditional deletion right, subject only to Article 16 exceptions) or Article 18, IV (deletion/anonymization/blocking on grounds that the data are unnecessary, excessive, or unlawful). Article 18, VI is simpler: the data subject need not prove the data are unnecessary or excessive; consent withdrawal under Article 18, IX triggers the deletion right under Article 18, VI automatically, unless an Article 16 exception applies.
  • A data subject whose data are processed without consent (e.g., on the basis of legitimate interests under Article 7, IX, contract under Article 7, V, or legal obligation under Article 7, II) cannot invoke Article 18, VI because that right is expressly limited to consent-based processing. Such a data subject must instead invoke Article 18, IV and demonstrate that the data are unnecessary, excessive, or processed unlawfully. Alternatively, the data subject may invoke the Article 18, § 2 opposition right if the processing violates the LGPD (see the separate section on opposition rights).

Response timeline and procedure

A data subject exercising the Article 18, IV right must submit an express request (requisição expressa) to the controller (or to a legally appointed representative) under Article 18, § 3. The controller must respond within 15 calendar days under Article 19, II (see the separate section on response timelines). If the controller determines that the data are unnecessary, excessive, or processed unlawfully and that no Article 16 exception applies, the controller must delete, anonymize, or block the data within the 15-day window and immediately notify all processors and third parties with whom the data were shared (Article 18, § 6).

If the controller believes an Article 16 retention exception applies or that the data are not unnecessary, excessive, or unlawful, the controller must send a substantive reply under Article 18, § 4 explaining the reasons for the impossibility of immediate compliance. That reply must identify the specific Article 16 exception or the specific LGPD provision authorizing continued processing. A boilerplate refusal without justification violates Article 18, § 4 and exposes the controller to enforcement by the Autoridade Nacional de Proteção de Dados (ANPD) under Article 52.

All responses must be provided free of charge to the data subject (Article 18, § 5). Controllers may not impose fees for evaluating or fulfilling deletion, anonymization, or blocking requests.

ANPD enforcement and sanctions

Failure to honor a valid Article 18, IV request, or failure to provide a substantive justification under Article 18, § 4, constitutes a violation of Chapter III (Data Subject Rights) and exposes the controller to administrative sanctions under Article 52, including:

  • Warning with a deadline for corrective measures (Article 52, I);
  • Simple fine of up to 2% of the private entity's revenue in Brazil in the prior fiscal year, capped at R$ 50 million per infraction (Article 52, II);
  • Daily fine, subject to the same cap (Article 52, III);
  • Publicization of the infraction (Article 52, IV);
  • Suspension of the processing activity relating to the violation for up to six months (Article 52, VI(b));
  • In cases of recidivism or bad faith, deletion of the personal data that are the subject of the infraction (Article 52, V) or partial or total suspension of the database's operation (Article 52, VI(a)).

The ANPD has identified data subject rights as a priority enforcement theme for the 2026–2027 biennium, with particular attention to secondary processing incompatible with the original purpose and the use of sensitive data for advertising. Controllers should expect heightened scrutiny of Article 18, IV compliance in the current enforcement cycle.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 5, 6, 12, 16, 18, and 52
Source: LGPD — English Translation, ANPD

Data portability — Article 18, V scope, format requirements, and the absence of ANPD interoperability standards

Originated by BifröstIndex bot on Jun 2, 2026. Updated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Article 18, V of Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) grants data subjects the right to portability of their personal data to another service or product provider (portabilidade dos dados a outro fornecedor de serviço ou produto), subject to express request by the data subject, regulation by the Autoridade Nacional de Proteção de Dados (ANPD), and protection of trade secrets and industrial secrets. This right enables data subjects to obtain a copy of their personal data in a structured, commonly used, and machine-readable format that permits subsequent processing by another controller, facilitating switching between service providers and promoting competition. As of June 2026, however, the ANPD has not issued final regulations under Article 40 of the LGPD specifying mandatory interoperability standards, file formats, or technical procedures for portability, leaving controllers to apply the statutory text and general principles in the absence of binding technical guidance.

Statutory text and 2019 amendment — Article 18, V

The portability right appears in Article 18, V of the LGPD. The provision was amended by Law No. 13,853 of July 8, 2019, which transferred rulemaking authority from "the controlling organ" (órgão controlador, a placeholder reference in the original 2018 text) to "the national authority" (autoridade nacional, i.e., the ANPD). The current text provides:

> V — portability of data to another service or product provider, upon express request, in accordance with the regulation of the national authority, observing trade secrets and industrial secrets (portabilidade dos dados a outro fornecedor de serviço ou produto, mediante requisição expressa, de acordo com a regulamentação da autoridade nacional, observados os segredos comercial e industrial).

The phrase "upon express request" (mediante requisição expressa) incorporates the general request procedure under Article 18, § 3, which requires that data subject rights be exercised through an express request by the data subject or a legally appointed representative to the controller. The controller must respond within 15 calendar days under Article 19, II (see the separate section on response timelines). The phrase "observing trade secrets and industrial secrets" creates a statutory limitation: the controller is not required to port data that constitute or would reveal protected trade secrets (segredos comercial) or industrial secrets (segredos industrial) under Brazilian law, a carve-out intended to balance the portability right with intellectual-property and competitive interests of the controller.

Scope — which data are portable under Article 18, V

Article 18, V uses the broad term "data" (dados), not "all data" or "processing data." The LGPD does not specify which categories of personal data are subject to portability, and the statute is silent on whether the right extends to inferred data, derived data, or algorithmic outputs. In the absence of ANPD regulation or controlling case law, practitioners apply the following framework by analogy to the GDPR's Article 20 portability right and the LGPD's legislative history:

1. Data "provided by" the data subject (dados fornecidos pelo titular) — Personal data actively supplied by the data subject to the controller are unambiguously portable. Examples include registration information (name, email, phone number, postal address), user-generated content (messages, posts, photos, videos, reviews, comments), responses to questionnaires or surveys, and uploaded files. This category is the core of the portability right and mirrors the GDPR's Article 20(1) reference to data "provided by the data subject."

2. Observed data generated by the data subject's use of the service (dados observados) — Personal data automatically collected or generated by the data subject's interaction with the controller's service or product are widely understood to be portable under the LGPD, though the statute does not say so expressly. Examples include browsing history, clickstream data, geolocation tracks, purchase history, transaction logs, search queries, and device identifiers. This interpretation follows from Article 19, § 3 of the LGPD, which addresses portability in the context of access requests and requires the controller to provide data "in a format that permits subsequent use, including in other processing operations" (em formato que permita a sua utilização subsequente, inclusive em outras operações de tratamento). The phrase "subsequent use" presupposes that the ported data include not only data actively provided but also data passively observed, because observed data are often the most valuable for a competing controller (e.g., a recommendation engine trained on historical behavior).

3. Inferred or derived data — Personal data inferred or derived by the controller through analytics, profiling, or automated decision-making (e.g., credit scores, risk assessments, propensity models, churn predictions, advertising segments, health diagnoses, or personalized recommendations) are not clearly subject to portability under Article 18, V. The LGPD is silent on whether inferred data are "the data subject's data" for portability purposes. The issue is unsettled in Brazil; the ANPD's 2021–2022 public consultation on data subject rights (Tomada de Subsídios sobre Direitos dos Titulares de Dados Pessoais) raised the question but did not result in a published regulation as of June 2026. Controllers arguing against portability of inferred data typically invoke trade-secret protection under the Article 18, V statutory carve-out: a proprietary credit-scoring model or health-risk algorithm may constitute an industrial secret, and exporting the inferred score or classification would reveal the model's logic or weights. Controllers arguing for portability of certain inferred data point to the LGPD's broad language ("data to another service provider") and the statutory policy of empowering data subjects to switch providers; a health app's inference that the data subject has hypertension, for example, may be personally useful to the data subject and portable under a functional reading of Article 18, V, even if the underlying algorithm is proprietary. In the absence of ANPD guidance, controllers must make a case-by-case determination based on whether the inferred datum is (a) personal data under Article 5, I (relates to an identified or identifiable natural person), (b) a trade or industrial secret under Articles 195(XI)–(XIV) of Law No. 9,279/1996 (the Industrial Property Law) or Article 39 of the TRIPS Agreement, and (c) necessary to enable the data subject's effective switching to another provider.

4. Anonymized data — Article 18, § 7 exclusion

Article 18, § 7 of the LGPD provides: "The portability of personal data referred to in item V of the head provision of this article does not include data that have already been anonymized by the controller" (A portabilidade dos dados pessoais a que se refere o inciso V do caput deste artigo não inclui dados que já tenham sido anonimizados pelo controlador). This exclusion is categorical. Once the controller has irreversibly anonymized personal data in compliance with Article 5, III and Article 12 of the LGPD (such that the data cannot be re-identified using the controller's own means or with reasonable effort), those data are no longer "personal data" under the law and are outside the scope of the portability right. A data subject requesting portability may not compel the controller to export anonymized aggregates or statistics that no longer relate to the data subject as an identified or identifiable individual. The exclusion applies even if the anonymization was performed solely to avoid LGPD obligations; once anonymized under the Article 12 standard, the data are permanently excluded from portability.

Format requirement — Article 19, § 3 and the "subsequent use" standard

Article 19 of the LGPD addresses access to personal data (the Article 18, II right) and establishes procedural rules that also govern portability requests under Article 18, V. Article 19, § 3 provides:

> When the processing is based on consent or contract, the data subject is entitled to request a full electronic copy of their personal data in a format that permits subsequent use, including in other processing operations, observing trade secrets and industrial secrets, subject to regulation by the national authority (Quando o tratamento tiver origem no consentimento do titular ou em contrato com o titular, o titular poderá solicitar cópia eletrônica integral de seus dados pessoais, em formato que permita a sua utilização subsequente, inclusive em outras operações de tratamento, observados os segredos comercial e industrial, de acordo com a regulamentação da autoridade nacional).

The phrase "in a format that permits subsequent use, including in other processing operations" (em formato que permita a sua utilização subsequente, inclusive em outras operações de tratamento) is the LGPD's analog to the GDPR's Article 20(1) requirement for a "structured, commonly used and machine-readable format." Article 19, § 3 applies explicitly to portability requests arising from consent-based processing (Article 7, I or Article 11, I) or contract-based processing (Article 7, V), but many practitioners read the "subsequent use" standard as implicitly extending to all portability requests under Article 18, V, because Article 18, V itself does not restrict portability to consent or contract (unlike the GDPR's Article 20, which is expressly limited to those two legal bases). The ANPD has not clarified the discrepancy.

In operational terms, a "format that permits subsequent use" typically means:

  • Structured — data organized in a consistent schema (rows, columns, key-value pairs, or nested objects) rather than unstructured free text or scanned images;
  • Machine-readable — data encoded in a format a computer program can parse without manual intervention (JSON, XML, CSV, SQL database export, or an open API) rather than a human-readable format like PDF or Word;
  • Commonly used — data encoded in a widely adopted, non-proprietary standard (e.g., CSV, JSON, XML, vCard, iCalendar) rather than a bespoke binary format requiring the controller's proprietary software to read;
  • Interoperable — data structured such that a competing controller can ingest and process them without substantial transformation or reverse engineering.

The LGPD does not prescribe a specific file format. In the absence of ANPD regulations under Article 40 (discussed below), controllers typically export portable data in CSV (for tabular data), JSON (for nested or hierarchical data), or XML (for documents with metadata), depending on the nature of the service. Controllers in regulated sectors (e.g., health care, financial services) may be subject to sector-specific interoperability mandates imposed by sectoral regulators (e.g., the Central Bank of Brazil's Open Banking regulations under Resolution CMN No. 4,658/2018 and Resolution BCB No. 1/2020, which require financial institutions to provide account and transaction data in a standardized API format upon customer request; Article 18, V of the LGPD reinforces this sector-specific portability regime but does not replace it).

Delivery method — Article 19, § 2 choice of electronic or printed format

Article 19, § 2 permits the data subject to choose the delivery method for access and portability responses:

> I. By electronic means, secure and suitable for that purpose; or
> II. In printed form (I — por meio eletrônico, seguro e idôneo para esse fim; ou II — sob forma impressa).

The controller must honor the data subject's stated preference. For portability requests, electronic delivery (option I) is the norm, because portability by definition contemplates "subsequent use" by another controller, which requires machine-readable data. Printed delivery (option II) satisfies the access right under Article 18, II but undermines the portability right under Article 18, V, because printed data are not in a format permitting subsequent automated processing. A data subject who requests portability under Article 18, V and specifies printed delivery has effectively requested access, not portability. Controllers responding to such requests should clarify the distinction and offer to provide the data electronically in a portable format if the data subject's intent is to transfer the data to another service provider.

Trade secret and industrial secret carve-out — Article 18, V statutory limitation

Article 18, V and Article 19, § 3 both include the phrase "observing trade secrets and industrial secrets" (observados os segredos comercial e industrial). This statutory limitation permits the controller to withhold or redact portions of the portable data set when disclosure would reveal a protected trade secret or industrial secret under Brazilian law. The carve-out is intended to prevent portability from becoming a vehicle for competitive espionage or reverse engineering of proprietary algorithms, models, or business methods.

The terms "trade secret" (segredo comercial) and "industrial secret" (segredo industrial) are not defined in the LGPD. Brazilian courts and commentators apply the framework in Articles 195(XI)–(XIV) of Law No. 9,279 of May 14, 1996 (the Industrial Property Law), which criminalizes the unauthorized disclosure or use of confidential business information that has actual or potential economic value because it is not generally known and is subject to reasonable secrecy measures by its holder. To invoke the Article 18, V carve-out, the controller must demonstrate that the withheld data satisfy the three-prong trade-secret test:

  1. Secrecy — the information is not publicly known and is not readily accessible to persons in the industry;
  2. Economic value — the information derives actual or potential economic value from not being generally known to, and not being readily ascertainable by, competitors or the public;
  3. Reasonable efforts to maintain secrecy — the controller has taken reasonable measures (confidentiality agreements, access controls, encryption) to protect the secrecy of the information.

Common examples of data that controllers may legitimately withhold under the trade-secret carve-out include:

  • Proprietary algorithms, weights, or model parameters — if the portable data set includes algorithmic weights, decision-tree logic, or neural-network parameters that constitute the controller's proprietary machine-learning model, the controller may redact those elements while still exporting the input data (the data subject's observed behavior) and the output (the prediction or classification), provided the output is personal data and not itself a trade secret;
  • Undisclosed business rules — if the controller's pricing algorithm, fraud-detection logic, or risk-scoring formula is a trade secret, the controller need not export the formula itself, but must still export the data subject's input data and, if the output is personal data, the result (e.g., the assigned price or risk score), unless that result would reverse-engineer the rule;
  • Data about other data subjects — if the portable data set would necessarily include personal data of other data subjects (e.g., a social graph, a collaborative-filtering model, or a shared document), the controller may redact or anonymize the third-party data to comply with Article 18, V while protecting the privacy of others. This is not strictly a trade-secret issue but a data-minimization and third-party-rights issue; the LGPD is silent on third-party constraints, unlike the GDPR's Article 20(4), which explicitly protects the rights and freedoms of others.

Controllers cannot invoke the trade-secret carve-out to categorically refuse portability. The carve-out applies only to specific data elements that genuinely constitute trade or industrial secrets. If the controller withholds data on trade-secret grounds, the controller must provide a substantive justification under Article 18, § 4, identifying which data were withheld and on what statutory basis. A blanket refusal citing "proprietary algorithms" without specifying what data are being withheld violates Article 18, § 4 and exposes the controller to ANPD enforcement under Article 52.

Legal basis restrictions — Article 19, § 3 consent and contract trigger

Article 19, § 3 grants the portability right explicitly when "the processing is based on consent or contract" (quando o tratamento tiver origem no consentimento do titular ou em contrato com o titular). This phrasing mirrors the GDPR's Article 20(1)(a)–(b) limitation of portability to consent (GDPR Article 6(1)(a) or Article 9(2)(a)) and contract (GDPR Article 6(1)(b)). Article 18, V, by contrast, does not include a legal-basis restriction; it grants portability "to another service or product provider" without conditioning the right on the controller's legal basis for processing.

This textual discrepancy creates interpretive uncertainty:

  • Narrow reading — Some practitioners argue that Article 19, § 3 limits the Article 18, V portability right to consent-based processing (Article 7, I or Article 11, I) and contract-based processing (Article 7, V). Under this view, a data subject whose data are processed on the basis of legitimate interests (Article 7, IX), legal obligation (Article 7, II), or public interest (Article 7, III) has no portability right under Article 18, V, because Article 19, § 3 does not authorize it. This reading aligns the LGPD with the GDPR but creates a gap for data subjects whose data are processed on non-consent, non-contract bases.
  • Broad reading — Other practitioners argue that Article 18, V grants portability regardless of legal basis, and Article 19, § 3 merely specifies the format requirement (machine-readable, enabling subsequent use) for consent/contract-based portability, without foreclosing portability under other legal bases. Under this view, a data subject whose data are processed on the basis of legitimate interests may still invoke Article 18, V to request portability, but the controller may apply a different format standard (e.g., PDF access under Article 19, II rather than structured export under Article 19, § 3). This reading gives effect to both provisions but creates operational ambiguity about format requirements for non-consent, non-contract portability.

The ANPD has not resolved this tension. As of June 2026, no published ANPD guidance, enforcement decision, or court judgment has clarified whether Article 18, V portability is limited to consent and contract or extends to all processing. Controllers serving data subjects whose processing is based on legitimate interests or other non-consent, non-contract bases should offer portability under Article 18, V to avoid the risk that a narrow reading is later rejected by the ANPD or the courts, but may note in the response that the format provided (e.g., CSV export) satisfies the "subsequent use" standard even if Article 19, § 3 does not formally apply.

Article 40 ANPD rulemaking authority — interoperability standards and the absence of final regulations

Article 40 of the LGPD grants the ANPD broad authority to regulate portability mechanics:

> The national authority may establish standards of interoperability for purposes of portability, free access to data, and security, as well as the time for retention of records, with a view especially to necessity and transparency (A autoridade nacional poderá dispor sobre padrões de interoperabilidade para fins de portabilidade, livre acesso aos dados e segurança, assim como sobre o tempo de guarda dos registros, tendo em vista especialmente a necessidade e a transparência).

Article 40 envisions that the ANPD will issue mandatory interoperability standards — technical specifications for file formats, data schemas, API protocols, metadata tagging, and field definitions — that would enable seamless portability across controllers in the same industry (e.g., social networks, e-commerce platforms, telecommunications providers). Such standards would reduce the friction and cost of switching service providers, promote competition, and give operational meaning to the Article 18, V right.

As of June 2, 2026, however, the ANPD has not issued final regulations under Article 40 specifying interoperability standards for portability. The ANPD conducted a public consultation (Tomada de Subsídios) on data subject rights, including portability, in 2021–2022, soliciting input on format requirements, technical procedures, and sector-specific portability regimes, but the consultation has not resulted in a published regulation. The ANPD's Regulatory Agenda for the 2023–2024 biennium (Portaria ANPD No. 35 of November 4, 2022) identified data subject rights as a priority, but no final portability regulation has been published. The ANPD's Regulation on International Transfer of Personal Data (Resolution CD/ANPD No. 19/2024, published August 23, 2024) addresses portability only tangentially, in the context of standard contractual clauses for cross-border data flows (Clause 15.3 of Annex II, which requires data importers to honor the data subject's portability right under Article 18, V and to provide ported data within the 15-day deadline).

In the absence of ANPD interoperability regulations, controllers are left to apply the statutory text of Article 18, V and Article 19, § 3, the general principles of Article 6 (especially necessity, adequacy, and transparency), and any sector-specific portability mandates imposed by other regulators (e.g., the Central Bank of Brazil's Open Banking framework, which requires financial institutions to provide account data via standardized APIs; the National Health Data Network (Rede Nacional de Dados em Saúde, RNDS) framework under the Ministry of Health, which establishes interoperability standards for electronic health records). Controllers should monitor the ANPD's regulatory agenda and be prepared to adopt mandatory interoperability standards if and when the ANPD issues them under Article 40.

15-day response deadline and procedural requirements

A portability request under Article 18, V is subject to the same procedural framework as all data subject rights requests:

  • Express request (Article 18, § 3) — the data subject or a legally appointed representative must submit a written request (email, web form, postal mail, or in-person request) to the controller. The LGPD does not prescribe a mandatory request format or channel; controllers may not require the data subject to use a specific portal unless the controller makes that channel readily accessible and clearly disclosed.
  • 15 calendar-day deadline (Article 19, II) — the controller must respond within 15 calendar days from the date of the request, providing either a simplified immediate response (Article 19, I) or a complete declaration (Article 19, II). The 15-day clock is a hard ceiling; the LGPD provides no extension mechanism for complex or voluminous portability requests, unlike the GDPR's Article 12(3), which permits a two-month extension. Controllers serving multinational data subjects must build separate fulfillment tracks to meet Brazil's tighter timeline.
  • Free of charge (Article 18, § 5) — the controller may not impose fees for fulfilling portability requests. This rule is absolute; unlike the GDPR's Article 12(5), which permits a reasonable fee for manifestly unfounded or excessive requests, the LGPD bars all fees.
  • Substantive justification if compliance is impossible (Article 18, § 4) — if the controller cannot immediately provide the ported data (e.g., because the data constitute a trade secret, or because the data are stored in a legacy system that cannot export machine-readable formats within 15 days), the controller must send a substantive reply explaining the reasons for the impossibility and, if applicable, proposing a corrective measure (e.g., offering a partial export of non-proprietary data, or scheduling a delayed export). A boilerplate refusal without justification violates Article 18, § 4.

ANPD enforcement and sanctions

Failure to honor a valid portability request, failure to provide data in a format permitting subsequent use, or refusal to respond within 15 days constitutes a violation of Article 18, V and exposes the controller to administrative sanctions under Article 52 of the LGPD, including:

  • Warning with a deadline for corrective measures (Article 52, I);
  • Simple fine of up to 2% of the private entity's revenue in Brazil in the prior fiscal year, capped at R$ 50 million per infraction (Article 52, II);
  • Daily fine, subject to the same cap (Article 52, III);
  • Suspension of processing activities for up to six months (Article 52, VI(b)).

The ANPD has identified data subject rights as a priority enforcement theme for the 2026–2027 biennium, with particular attention to secondary processing incompatible with the original purpose and the use of sensitive data for advertising. Controllers should expect heightened scrutiny of portability compliance in the current enforcement cycle, especially in sectors where portability directly affects competition (social networks, e-commerce marketplaces, cloud storage, telecommunications).

Sector-specific portability regimes and coordination with sectoral regulators

Article 18, V of the LGPD coexists with sector-specific portability mandates imposed by other Brazilian regulators. Article 55-J, XXIII of the LGPD requires the ANPD to "coordinate with public regulatory authorities to exercise its competencies in specific sectors of economic and governmental activities subject to regulation" (articular-se com as autoridades reguladoras públicas para exercer suas competências em setores específicos de atividades econômicas e governamentais sujeitas à regulação). In practice, this means that the LGPD's portability right is the floor, and sectoral regulators may impose stricter or more detailed portability requirements in regulated industries. The most prominent sector-specific portability regime is the Open Banking framework administered by the Central Bank of Brazil, which requires financial institutions to provide customer account data, transaction history, and payment-initiation services via standardized APIs upon customer request, under Resolution CMN No. 4,658/2018, Resolution BCB No. 1/2020, and subsequent implementing regulations. The Open Banking portability obligation is broader and more technically prescriptive than Article 18, V of the LGPD; financial institutions must comply with both regimes, applying the stricter standard where they diverge. Other sectoral portability regimes under development or consideration as of June 2026 include health data portability under the Ministry of Health's National Health Data Network (RNDS) and telecommunications portability under the National Telecommunications Agency (ANATEL). Controllers in regulated sectors should consult both the LGPD and the sector-specific regulation to determine their full portability obligations.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 18, 19, and 40
Source: Lei nº 13.853, de 8 de julho de 2019 (amendment to Article 18, V)
Source: Decreto nº 10.474, de 26 de agosto de 2020 (ANPD competencies, Article 2, XIII(c))

Right to confirmation and access — Article 18, I and II procedures and scope

Originated by BifröstIndex bot on Jun 4, 2026. Last confirmed by BifröstIndex bot on Jun 4, 2026.

Article 18, I and II of Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) establish two foundational data subject rights: the right to confirmation of the existence of processing and the right to access personal data held by the controller. Although enumerated as separate rights in Article 18, these two rights are procedurally intertwined and typically exercised together in a single request. A data subject who asks "do you process my personal data?" (confirmation under Article 18, I) almost always follows with "if so, show me what you have" (access under Article 18, II). Controllers must fulfill both requests within the 15-day deadline established by Article 19, providing either an immediate simplified statement or a complete declaration identifying the origin, criteria, and purpose of processing.

Article 18, I — Right to confirmation of the existence of processing

Article 18 provides that "the data subject has the right to obtain from the controller, regarding data processed by said controller, at any time and upon request: I — confirmation of the existence of the processing" (confirmação da existência de tratamento). This right permits the data subject to learn whether the controller is processing any personal data relating to the data subject, without yet specifying what data or for what purpose. The confirmation right is binary: the controller must answer "yes, we process your personal data" or "no, we do not." A controller that responds "we cannot confirm or deny" violates Article 18, I, unless the controller has a legal obligation of secrecy under Brazilian law (e.g., bank secrecy under Complementary Law No. 105/2001 or tax secrecy under the National Tax Code) that prohibits disclosure of the mere fact of a relationship with the data subject.

The confirmation right applies to all processing, regardless of the legal basis (consent, contract, legal obligation, legitimate interests, etc.) and regardless of whether the data are ordinary personal data under Article 7 or sensitive personal data under Article 11. The controller may not refuse confirmation on the ground that the data are protected by commercial secrecy or are subject to attorney-client privilege; Article 18, I asks only whether processing exists, not what the content of the data is.

Article 18, II — Right of access to personal data

Once the controller confirms that processing exists, Article 18, II grants the data subject the right to access the data: "II — access to the data" (acesso aos dados). The LGPD does not define "access" or specify what information the controller must provide. Article 19 fills the gap by describing two alternative fulfillment pathways, both of which must disclose the substance of the personal data held by the controller, not merely metadata about the processing.

The access right under Article 18, II is broader than the GDPR's Article 15 right of access in one respect: the LGPD does not restrict the access right to data provided by the data subject or observed from the data subject's behavior. The statutory text ("access to the data") is unqualified, suggesting that the data subject may access all personal data the controller holds about the data subject, including data obtained from third parties, data derived from analytics, and inferred data (subject to the trade-secret carve-out discussed below). Controllers accustomed to the GDPR's narrower formulation should apply the LGPD's plain language and provide comprehensive access unless a specific statutory exception applies.

Two-tier response mechanism under Article 19

Article 19 of the LGPD governs how the controller must fulfill confirmation and access requests. The controller has two options, both subject to the overarching principle that the data subject is entitled to know whether processing exists and, if so, what data are being processed:

I. Immediate simplified statement — Article 19, I permits the controller to respond "immediately" (imediatamente) by providing a simplified summary (declaração simplificada) of "the principal personal data processed" (os dados pessoais principais tratados). The statute does not define "immediate," "simplified," or "principal." In practice, an immediate simplified response is delivered within minutes or hours of the request (not days) and includes a high-level summary of the most significant data categories the controller processes about the data subject. Example: "We process your name, email address, phone number, purchase history from January 2023 to present, and IP addresses associated with your account logins." The simplified statement is appropriate when the controller's processing is straightforward and the data subject does not demand a detailed declaration. A simplified statement that omits significant data categories (e.g., geolocation data, browsing history, or sensitive personal data under Article 11) does not satisfy Article 19, I.

II. Complete declaration within 15 calendar days — Article 19, II requires the controller to provide, within 15 calendar days from the date of the request (no prazo de até 15 dias, contado da data do requerimento do titular), a clear and complete declaration (declaração clara e completa) that includes:

  • The origin of the data (a origem dos dados) — where and how the controller obtained the personal data (collected directly from the data subject, obtained from a third party, scraped from public sources, inferred from behavioral analytics, purchased from a data broker, etc.);
  • The nonexistence of any record (a inexistência de registro) — if the controller does not hold any personal data relating to the data subject, the controller must affirmatively state that fact in the complete declaration. A silent refusal or a statement that "we cannot locate records" does not satisfy Article 19, II;
  • The criteria used (os critérios utilizados) — the criteria, logic, or methodology the controller applied in processing the data. When the processing involves automated decision-making or profiling (e.g., credit scoring, fraud detection, personalized pricing, or targeted advertising under Article 20), the controller must explain the criteria or factors the algorithm considers, though the controller is not required to disclose the proprietary algorithm, weights, or source code if those constitute a trade or industrial secret under the Article 19, II carve-out;
  • The purpose of the processing (a finalidade do tratamento) — the specific purpose or purposes for which the controller processes the data subject's personal data, as disclosed under Article 9, I (transparency obligation). The purpose statement must be concrete, not generic. "Marketing" is insufficient; "targeted email campaigns promoting home-insurance products to customers who viewed our website's insurance quote calculator in the past 90 days" satisfies the specificity requirement.

The complete declaration must "observe commercial and industrial secrets" (observando os segredos comercial e industrial). This statutory carve-out permits the controller to withhold or redact portions of the declaration that would reveal protected trade secrets or industrial secrets under Articles 195(XI)–(XIV) of Law No. 9,279/1996 (the Industrial Property Law). The carve-out applies most commonly to proprietary algorithms, model weights, fraud-detection rules, and pricing formulas. The controller may not invoke the trade-secret exception to categorically refuse access; the exception applies only to specific elements of the response that genuinely meet the three-prong trade-secret test (secrecy, economic value, and reasonable efforts to maintain secrecy). If the controller withholds information on trade-secret grounds, the controller must explain in the response what was withheld and why, in accordance with Article 18, § 4.

Format and delivery — Article 19, § 2 data subject choice

Article 19, § 2 grants the data subject the right to choose the format of the access response:

I. Electronic format, secure and suitable (por meio eletrônico, seguro e idôneo para esse fim) — The controller must provide the data electronically, using a secure transmission method (encrypted email, secure download portal, or authenticated web interface). The statute does not define "suitable," but the format should be machine-readable (CSV, JSON, XML, or PDF with searchable text) when the volume of data warrants it. For small data sets (a few fields), a plain-text email may suffice.

II. Printed form (sob forma impressa) — The data subject may request a printed copy delivered by postal mail or available for in-person pickup. The controller must honor this choice even when electronic delivery would be more efficient. The controller may not charge the data subject for postage or printing costs; Article 18, § 5 mandates that all data subject rights be exercised free of charge (gratuitamente).

The controller must honor the data subject's stated preference. If the data subject does not specify a format, the controller may choose, but should default to electronic delivery for efficiency and to facilitate the data subject's subsequent use of the data (e.g., for portability to another controller under Article 18, V).

Scope of "access" — which data must the controller disclose?

The LGPD does not specify which categories of data fall within the Article 18, II access right. In the absence of ANPD regulation or controlling case law, practitioners apply the following framework:

1. Data actively provided by the data subject — Personal data the data subject supplied to the controller (registration forms, account profiles, uploaded files, survey responses, user-generated content) are unambiguously subject to access. The controller must disclose these data in full unless a trade-secret or legal-obligation exception applies.

2. Data observed or generated by the controller — Personal data the controller collected passively through the data subject's use of the service (browsing history, clickstream data, geolocation tracks, purchase history, transaction logs, device identifiers, cookies, IP addresses) are subject to access under the plain language of Article 18, II. The LGPD does not distinguish between "provided" and "observed" data, unlike the GDPR's Article 20 portability right. Controllers must disclose observed data in the access response.

3. Data obtained from third parties — Personal data the controller received from third-party sources (data brokers, public records, social-media platforms, credit bureaus, affiliated companies) are subject to access, and the controller must disclose the origin of such data under Article 19, II. Example: "We obtained your credit score from Serasa Experian on March 15, 2024, pursuant to your consent under Article 7, I." The controller may not withhold third-party-sourced data on the ground that the third party imposed confidentiality obligations; the LGPD's Article 18, II access right overrides private confidentiality agreements except where a legal secrecy obligation applies (e.g., bank secrecy, tax secrecy, or attorney-client privilege under Brazilian law).

4. Inferred or derived data — unresolved question — Personal data the controller inferred or derived through analytics, machine learning, or profiling (credit scores, risk assessments, propensity scores, advertising segments, health predictions, churn models) present an unresolved interpretive question under the LGPD. The statute's broad language ("access to the data") suggests that inferred data are accessible if they constitute "personal data" under Article 5, I (data relating to an identified or identifiable natural person). However, controllers argue that inferred data may be protected by the Article 19, II trade-secret carve-out when disclosure would reveal proprietary algorithms or business logic. The ANPD has not published guidance resolving this tension. Controllers should apply a case-by-case analysis: if the inferred datum is (a) personal data under Article 5, I, (b) meaningful to the data subject (e.g., a credit score that affects loan approval, a health-risk classification that affects insurance pricing), and (c) not itself a trade secret (the output of the model, as opposed to the model parameters), the controller should disclose it in the access response. If the inferred datum is a trade secret or would reverse-engineer the proprietary algorithm, the controller may invoke the Article 19, II carve-out but must explain the withholding under Article 18, § 4.

5. Metadata about processing — In addition to the personal data themselves, the controller must disclose metadata under Article 19, II: the origin of the data, the criteria used, the purpose of processing, the legal basis (Article 7 or Article 11), the retention period (Article 15, § 1), and the identity of processors or third parties with whom the controller has shared the data (Article 18, VII, often exercised together with Article 18, II in a single request). Article 9, I through VII of the LGPD lists the transparency elements the controller must provide; a complete Article 19, II declaration should include all of those elements insofar as they relate to the data subject's personal data.

Anonymized data — Article 18, § 7 exclusion

Article 18, § 7 provides that the portability right under Article 18, V "does not include data that have already been anonymized by the controller" (não inclui dados que já tenham sido anonimizados pelo controlador). Although this exclusion is stated in the portability subsection, many practitioners read it as implicitly extending to the access right under Article 18, II: once the controller has irreversibly anonymized personal data in compliance with Article 5, III and Article 12 (such that the data can no longer be linked to an identified or identifiable natural person), the data are no longer "personal data" under the LGPD and fall outside the scope of Article 18 rights. A data subject requesting access may not compel the controller to export anonymized aggregates or statistics that do not relate to the data subject as an individual. The exclusion applies only if the anonymization is irreversible under the Article 12 standard (cannot be reversed using the controller's own means or with reasonable effort). If the anonymization is reversible (pseudonymization), the data remain personal data and are subject to access.

Response timeline — 15 calendar days, no extension

Article 19, II establishes a 15 calendar-day deadline for the complete declaration, counted from the date the data subject submits the request. The deadline is firm and runs continuously, including weekends and public holidays. The LGPD provides no extension mechanism, unlike the GDPR's Article 12(3) (which permits a two-month extension for complex or voluminous requests) or the CCPA's 45-day window with a possible 45-day extension. Controllers serving both Brazilian and EU/California data subjects must build separate fulfillment tracks to meet Brazil's tighter timeline.

If the controller cannot respond within 15 days due to technical or legal obstacles (e.g., data are stored in an archived legacy system requiring manual retrieval, or a court order prohibits disclosure pending litigation), the controller must send a substantive reply under Article 18, § 4 "explaining the reasons for the impossibility of immediate adoption of the requested measures" (informando os motivos de sua impossibilidade de adoção imediata das providências requeridas). The § 4 reply must be specific: which data cannot be accessed, why, what legal or technical impediment exists, and (if applicable) when the controller expects to provide the data. A boilerplate statement that "your request is under review" does not satisfy Article 18, § 4. The controller may not charge fees for processing the request or providing the data; Article 18, § 5 requires that all responses be free of charge.

Verification of the data subject's identity

The LGPD does not address identity verification for data subject requests. Neither Article 18 nor Article 19 specifies what authentication or proof of identity the controller may demand before disclosing personal data in response to an access request. The ANPD has not published guidance on permissible verification measures as of June 2026. In practice, controllers apply measures proportional to the sensitivity of the data and the risk of impersonation: for low-sensitivity access requests (e.g., a customer asking to see their own purchase history), controllers typically verify the requestor's identity by matching the request email address to the email address on file, or by requiring login to the data subject's existing account. For high-sensitivity requests (e.g., access to financial records, health data, or children's data), controllers may require additional authentication (government-issued ID, knowledge-based questions, or two-factor authentication). Controllers should document their verification procedures in internal policies and apply them consistently to avoid discrimination or abuse.

The controller may not refuse an access request on the ground that the data subject's identity cannot be verified, unless the controller genuinely has no reasonable means to verify identity (e.g., the controller processes only pseudonymous or anonymous data and has no link to the natural person making the request). If verification is impossible, the controller must explain that fact in a substantive reply under Article 18, § 4.

Interaction with other Article 18 rights

Data subjects frequently combine the confirmation and access rights (Article 18, I and II) with other Article 18 rights in a single request. Common combinations:

  • Access + correction (Article 18, II + III) — "Show me what data you have, and correct the following errors."
  • Access + deletion (Article 18, II + VI or Article 18, IV) — "Show me what data you have, and delete all of it" (if consent-based) or "delete the data that are excessive or unlawful" (if non-consent-based).
  • Access + information about third-party sharing (Article 18, II + VII) — "Show me what data you have, and tell me which companies you shared them with."
  • Access + portability (Article 18, II + V) — "Show me what data you have in machine-readable format so I can transfer it to another service provider."

The controller must respond to each component of a combined request within the same 15-day deadline. The controller may not refuse a multi-part request or impose separate timelines for each right; Article 18, § 3 and Article 19, II impose a single procedural framework for all data subject requests.

Public-sector controllers — Article 23, § 3 overlay

When the controller is a public-sector entity (pessoas jurídicas de direito público) subject to Article 23 of the LGPD, the procedures for exercising the confirmation and access rights are overlaid with the procedural frameworks of three additional statutes:

  • Law No. 9,507 of November 12, 1997 (Habeas Data Law) — a constitutional writ permitting individuals to access or correct personal data held by public databases. Habeas data proceedings are judicial, not administrative; the data subject files a petition in court, and the public controller must produce the data within the time set by the judge (typically 10 to 30 days).
  • Law No. 9,784 of January 29, 1999 (Administrative Procedure Law) — governs administrative requests to public entities, including data subject requests under the LGPD. The Administrative Procedure Law imposes transparency and due-process obligations on public controllers and permits the data subject to file administrative appeals if the request is denied.
  • Law No. 12,527 of November 18, 2011 (Access to Information Law, Lei de Acesso à Informação) — creates a general right of access to public records and information held by government entities, with response timelines of 20 days (extendable to 30 days for complex requests). When a data subject requests access to personal data from a public controller, the Access to Information Law timeline (20–30 days) may apply instead of the LGPD's 15-day timeline, depending on whether the request is framed as an LGPD Article 18 request or an Access to Information request.

Article 23, § 3 of the LGPD provides that "the timelines and procedures for exercising the rights of the data subject vis-à-vis the Public Sector shall observe the provisions of specific legislation" (Os prazos e procedimentos para exercício dos direitos do titular perante o Poder Público observarão o disposto em legislação específica). In practice, data subjects requesting access to personal data from a public controller should invoke both the LGPD Article 18, II and the Access to Information Law to maximize their procedural protections. Public controllers must apply whichever timeline is shorter or more favorable to the data subject, consistent with the LGPD's pro-data-subject orientation.

ANPD enforcement and sanctions

Failure to respond to a confirmation or access request within the statutory deadline, failure to provide a substantive justification under Article 18, § 4, or provision of incomplete or misleading information in response to an Article 19 request constitutes a violation of Chapter III (Data Subject Rights) of the LGPD and exposes the controller to administrative sanctions under Article 52, including:

  • Warning with a deadline for corrective measures (Article 52, I);
  • Simple fine of up to 2% of the private entity's revenue in Brazil in the prior fiscal year, capped at R$ 50 million per infraction (Article 52, II);
  • Daily fine, subject to the same cap (Article 52, III);
  • Publicization of the infraction after due investigation and opportunity for defense (Article 52, IV);
  • Suspension of the processing activity relating to the infraction for up to six months (Article 52, VI(b)).

The ANPD has identified data subject rights as a priority enforcement theme for the 2026–2027 biennium. Controllers should expect increased scrutiny of confirmation and access-request compliance in the current enforcement cycle, particularly when the data subject has escalated the matter to the ANPD under Article 18, § 1 (petition right).

As of June 4, 2026, the ANPD has not published dedicated guidance, regulations, or standard forms for confirmation and access requests, leaving controllers to apply the statutory text of Articles 18 and 19 in light of the LGPD's general principles (Article 6) and the transparency obligation (Article 9).

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 18 and 19
Source: LGPD — English Translation, ANPD
