
Brazil — Lawful Bases for Processing

6 sections · Last updated 2026-06-04

Article 7 — The ten legal bases for processing personal data

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD), Lei nº 13.709 of 14 August 2018, establishes a closed list of ten legal bases (hipóteses) that authorize the processing of personal data. Article 7 provides that processing may only occur when at least one of these bases applies; controllers must identify and document the relevant basis before initiating processing.

The ten legal bases under Article 7 LGPD

I. Consent (consentimento) — Processing is lawful when the data subject provides consent. Article 5(XII) defines consent as a "free, informed, and unambiguous manifestation" by which the data subject agrees to processing for a specified purpose; consent must be given by a clear affirmative act and may be revoked at any time (Article 8).

II. Compliance with legal or regulatory obligation (cumprimento de obrigação legal ou regulatória) — Controllers may process personal data when required to do so by law or regulation. This basis covers statutory mandates such as tax-reporting obligations, labor-law record-keeping, and court orders.

III. Public administration / public policy (administração pública) — Public bodies may process data when necessary to execute public policies provided for in laws, regulations, contracts, agreements, or similar instruments. Chapter IV of LGPD (Articles 23–32) sets out special rules for public-sector processing, including transparency obligations and a requirement that processing serve a public-interest purpose defined by law (Article 23).

IV. Research (realização de estudos por órgão de pesquisa) — Research bodies may process personal data for the conduct of studies, provided the data are anonymized whenever possible. Article 7(IV) does not define "research body" (órgão de pesquisa); the Autoridade Nacional de Proteção de Dados (ANPD) has indicated in guidance that this basis applies to academic, scientific, and statistical research conducted by entities with a bona fide research purpose.

V. Performance of contract or pre-contractual steps (execução de contrato) — Processing is lawful when necessary to perform a contract to which the data subject is party, or to take pre-contractual steps at the data subject's request. This basis mirrors GDPR Article 6(1)(b) and covers activities such as order fulfillment, invoicing, and customer-service contact.

VI. Exercise of rights in legal proceedings (exercício regular de direitos) — Controllers may process data when necessary to exercise rights in judicial, administrative, or arbitral proceedings. This basis supports litigation activities, including the collection of evidence, filing of claims, and enforcement of judgments.

VII. Protection of life or physical safety (proteção da vida) — Processing is lawful when necessary to protect the life or physical safety of the data subject or a third party. This basis is narrow and limited to situations of real and immediate risk, such as emergency medical treatment.

VIII. Health protection (tutela da saúde) — Controllers may process data when necessary to safeguard health in procedures carried out by health professionals, health services, or health authorities. This basis overlaps with Article 11(II)(f), which permits processing of sensitive personal data (dados pessoais sensíveis) for health protection.

IX. Legitimate interests (interesses legítimos) — Processing is lawful when necessary to meet the legitimate interests of the controller or a third party, except where the data subject's fundamental rights and freedoms requiring data protection prevail. Article 10 requires controllers relying on legitimate interests to document the balancing test (teste de balanceamento) and to inform the ANPD on request. This is the LGPD's most flexible basis but requires a case-by-case assessment.

X. Credit protection (proteção do crédito) — Processing is lawful for credit-protection purposes, including activities governed by Brazil's credit-bureau framework. This basis permits credit scoring, credit-risk assessment, and the sharing of data with credit-reporting agencies under Lei nº 12.414/2011.

Distinct treatment of sensitive personal data

Article 7 governs general personal data. Processing of sensitive personal data (Article 5(II): data on racial or ethnic origin, religious belief, political opinion, trade-union membership, health, sex life, genetic or biometric data) requires one of the narrower bases set out in Article 11, which includes explicit consent, compliance with legal obligation, and specific public-interest grounds. A controller may not rely on Article 7(IX) legitimate interests to process sensitive data.

Effect of failing to establish a legal basis

Processing without a valid legal basis under Article 7 (or Article 11 for sensitive data) constitutes an infringement of LGPD. The ANPD may impose administrative sanctions under Article 52, including warnings, fines of up to 2% of revenue in Brazil (capped at R$50 million per infraction), data-processing suspension, and prohibition of processing activities. Data subjects also have a statutory right to claim material and moral damages under Article 42.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD)


Article 10 — Legitimate interests balancing test and documentation requirements

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Controllers relying on the legitimate-interests basis under Article 7(IX) LGPD must comply with the specific procedural and substantive requirements set out in Article 10, which imposes a three-part analytical framework and documentation obligations that go beyond the general legal-basis requirements.

Statutory requirements under Article 10 LGPD

Article 10 provides that legitimate interest "may only provide a legal basis for processing personal data for legitimate purposes, based on particular situations" (finalidades legítimas, consideradas a partir de situações concretas). The statute identifies two non-exhaustive examples of legitimate purposes:

I. Support and promotion of the controller's activities (apoio e promoção de atividades do controlador); and

II. Protection of the data subject's rights or provision of services that benefit the data subject, respecting the data subject's legitimate expectations and fundamental rights and freedoms (proteção, em relação ao titular, do exercício regular de seus direitos ou prestação de serviços que o beneficiem, respeitadas as legítimas expectativas dele e os direitos e liberdades fundamentais).

Three mandatory safeguards

Article 10 imposes three specific obligations on controllers using this basis:

  1. Necessity (§1) — "When the processing is based on the legitimate interest of the controller, only the personal data strictly necessary for the intended purpose may be processed" (somente os dados pessoais estritamente necessários para a finalidade pretendida poderão ser tratados). This codifies a heightened necessity test beyond the general principle in Article 6(III): controllers must limit collection and processing to the minimum required to achieve the identified legitimate interest.
  2. Transparency (§2) — "The controller shall adopt measures to ensure the transparency of data processing based on their legitimate interest" (O controlador deverá adotar medidas para garantir a transparência do tratamento de dados baseado em seu legítimo interesse). This requires affirmative disclosure to data subjects that processing is occurring under the legitimate-interests basis, the specific interest being pursued, and how the balancing was conducted.
  3. ANPD reporting obligation (§3) — The Autoridade Nacional de Proteção de Dados (ANPD) "may request a data protection impact assessment from the controller, when processing is based on their legitimate interest, complying with trade and industrial secrecy" (A autoridade nacional poderá solicitar ao controlador relatório de impacto à proteção de dados pessoais, quando o tratamento tiver como fundamento seu interesse legítimo, observados os segredos comercial e industrial). This gives the ANPD authority to compel production of a DPIA (relatório de impacto à proteção de dados pessoais — RIPD) on demand, even for processing that does not otherwise meet the high-risk triggers under Article 38.

ANPD three-phase balancing test

In February 2024, the ANPD published its Guia Orientativo das Hipóteses Legais de Tratamento de Dados — Legítimo Interesse (Guidance on Legal Bases for Data Processing — Legitimate Interests), which prescribes a three-phase balancing test (teste de balanceamento) that controllers should document before relying on Article 7(IX):

Phase 1: Purpose (Finalidade) — The controller must identify a specific, concrete, and lawful purpose that constitutes a legitimate interest. The ANPD cautions that "interests that are too vague or speculative will not be sufficient" (interesses que sejam muito vagos ou especulativos não serão suficientes), citing the European Article 29 Working Party's Opinion 06/2014 on GDPR legitimate interests. Examples the ANPD recognizes include fraud prevention, direct marketing to existing customers, IT security, and internal administrative purposes.

Phase 2: Necessity (Necessidade) — The controller must demonstrate that the processing is necessary to achieve the identified purpose and that the purpose cannot reasonably be achieved by less intrusive means. This analysis must consider whether consent, contract performance, or another legal basis would be more appropriate, and whether pseudonymization or aggregation would suffice. The ANPD emphasizes that necessity is assessed objectively: subjective convenience or business preference does not satisfy the test.

Phase 3: Balancing and safeguards (Balanceamento e salvaguardas) — The controller must weigh the legitimate interest against the fundamental rights and freedoms of the data subject, taking into account:

  • The nature of the personal data (with heightened scrutiny for data about children, adolescents, or vulnerable populations);
  • The data subject's reasonable expectations in the context of the controller-subject relationship;
  • The potential impact on the data subject if processing proceeds;
  • Technical and organizational measures (safeguards) the controller will implement to mitigate risk.

If the data subject's rights and freedoms prevail, the controller may not rely on legitimate interests and must either obtain consent, identify a different legal basis, or refrain from processing.

Documentation requirements

Article 37 LGPD requires controllers to maintain records of processing operations (registro das operações de tratamento de dados pessoais — ROPA). The ANPD's guidance states that when processing is based on legitimate interests, the ROPA must document:

  • The specific legitimate interest relied upon;
  • The controller's balancing-test analysis, including the three phases described above;
  • The data minimization steps taken to satisfy Article 10(§1);
  • The transparency measures adopted under Article 10(§2); and
  • For processing involving children or adolescents, evidence that their best interests were considered (Article 14(§1)).

The ANPD may request this documentation at any time under Article 10(§3). Failure to produce adequate documentation can support an administrative sanction for processing without a valid legal basis.

Prohibition for sensitive personal data

Controllers may not rely on Article 7(IX) legitimate interests to process sensitive personal data (dados pessoais sensíveis) as defined in Article 5(II) (data on racial or ethnic origin, religious belief, political opinion, trade-union membership, health, sex life, genetic or biometric data). Sensitive data require one of the narrower legal bases enumerated in Article 11. The ANPD guidance confirms this prohibition applies even when the balancing test would favor the controller, because the legislature chose to categorically exclude sensitive data from the legitimate-interests gateway.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Article 10
Source: ANPD, Guia Orientativo das Hipóteses Legais de Tratamento de Dados — Legítimo Interesse (February 2024)


Article 8 — Consent requirements, form, and revocation

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

When a controller relies on consent as the legal basis under Article 7(I) LGPD, it must comply with the specific form, documentation, and revocation requirements imposed by Article 8. These requirements are more stringent than those governing other legal bases and place the burden of proof squarely on the controller.

Statutory definition of consent

Article 5(XII) LGPD defines consent (consentimento) as a "free, informed, and unambiguous manifestation" by which the data subject agrees to the processing of personal data for a specified purpose (manifestação livre, informada e inequívoca pela qual o titular concorda com o tratamento de seus dados pessoais para uma finalidade determinada). The statute does not permit blanket or open-ended consent; every consent request must identify the specific processing purpose, and consent for one purpose does not authorize processing for a different purpose.

Form requirements under Article 8

Article 8 caput requires that consent "shall be provided in writing or by other means that demonstrate the manifestation of will of the data subject" (deverá ser fornecido por escrito ou por outro meio que demonstre a manifestação de vontade do titular). Controllers may use digital mechanisms—such as checkboxes, click-through banners, or electronic signature—provided the mechanism creates a record of the data subject's affirmative act.

Highlighted-clause rule for written consent (Article 8 §1)

When consent is obtained in writing and embedded within a broader contractual document, Article 8(§1) imposes a highlighting obligation: "If consent is provided in writing, it must appear in a clause that is distinct from other contractual clauses" (Caso o consentimento seja fornecido por escrito, esse deverá constar de cláusula destacada das demais cláusulas contratuais).

The statute requires that the consent language be visually or structurally separated so that the data subject can identify and evaluate the consent request independently from the rest of the contract. A controller may not bury consent in general terms-and-conditions or merge it with unrelated contractual obligations. The law does not prescribe a specific highlighting method; controllers commonly use bold type, borders, standalone clauses, separate signature lines, or physical placement on a distinct page to satisfy the "destacada" (distinct) requirement.

Burden of proof on the controller (Article 8 §2)

Article 8(§2) provides: "The controller bears the burden of proving that consent was obtained in compliance with the provisions of this Law" (Cabe ao controlador o ônus da prova de que o consentimento foi obtido em conformidade com o disposto nesta Lei).

This is a strict evidentiary rule. If a data subject later disputes that consent was freely given, or if the ANPD initiates an investigation, the controller must produce contemporaneous evidence demonstrating that:

  • The data subject received clear information about the processing purpose before consenting;
  • The consent mechanism met the "free, informed, and unambiguous" standard under Article 5(XII);
  • The consent was specific to the processing in question; and
  • If written consent was embedded in a contract, the clause was visually highlighted per Article 8(§1).

Controllers should retain timestamped consent records, the text of the consent notice presented to the data subject at the moment of collection, and evidence of any parental consent obtained for processing of children's data under Article 14. While the statute does not specify retention formats or durations for consent documentation, Article 8(§2) makes clear that inability to produce proof of valid consent will result in a finding that the processing lacked a lawful basis.

Right to revoke consent at any time

Article 18(IX) LGPD grants data subjects the right to "revoke consent, under the terms of Article 8(§5)" (revogação do consentimento, nos termos do §5 do art. 8). Although the published text of Article 8 does not contain a separately numbered §5 in the current statutory compilation, the statutory cross-reference in Article 18(IX) establishes the unconditional right to withdraw consent. Article 16(III) reinforces this by listing "communication by the data subject, including in exercise of the right to revoke consent as provided in Article 8(§5)" as one of the statutory grounds for termination of processing.

Upon revocation, the controller must cease processing based on that consent, subject to two narrow exceptions:

  1. The controller may continue processing if a different legal basis under Article 7 applies independently (for example, contract performance under Article 7(V) or compliance with legal obligation under Article 7(II)); or
  2. The controller has a retention obligation under separate Brazilian law (tax, labor, or consumer-protection statutes may require retention of transactional records even after consent is withdrawn).

The statute does not prescribe the mechanics of revocation—such as whether a one-click mechanism is required, or whether revocation must be "as easy" as granting consent. However, Article 18(§5) provides that data-subject rights requests "shall be fulfilled without cost to the data subject, within the time frames and under the terms provided for in regulation" (será atendido sem custos para o titular, nos prazos e nos termos previstos em regulamento). Controllers may not impose administrative fees, waiting periods, or substantive barriers to revocation.

Distinct consent required for sharing data with other controllers (Article 7 §5)

Article 7(§5) imposes an additional consent layer when a controller that obtained consent under Article 7(I) subsequently wishes to share or communicate personal data with other controllers: "The controller that obtained the consent referred to in item I of the caput of this article and that needs to communicate or share personal data with other controllers must obtain specific consent from the data subject for that purpose, except in the cases of waiver of consent provided for in this Law" (O controlador que obteve o consentimento referido no inciso I do caput deste artigo que necessitar comunicar ou compartilhar dados pessoais com outros controladores deverá obter consentimento específico do titular para esse fim, ressalvadas as hipóteses de dispensa do consentimento previstas nesta Lei).

This means that consent to processing by Company A does not automatically authorize Company A to disclose the data to Company B when both are acting as independent controllers. The data subject must be informed of the recipient controller's identity and purpose and must provide a separate affirmative consent. The exception clause allows sharing when one of the other Article 7 bases applies to the disclosure itself—for instance, sharing with a government authority under Article 7(II) (legal obligation) does not require new consent.

Consent for sensitive personal data: Article 11 controls

Controllers may not rely on Article 7(I) general consent to process sensitive personal data (dados pessoais sensíveis) as defined in Article 5(II) (data on racial or ethnic origin, religious belief, political opinion, union membership, health, sex life, genetic or biometric data). Sensitive data require one of the narrower legal bases enumerated in Article 11. Article 11(I) permits processing of sensitive data when the data subject (or the data subject's legal representative) provides "specific and highlighted consent for one or more specified purposes" (consentimento específico e destacado para finalidades específicas). This imposes requirements that parallel but are distinct from Article 8: the consent must separately and unambiguously identify the sensitive categories being processed, and the controller bears the same burden of proof under Article 8(§2) by cross-reference.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 5(II), 5(XII), 7(I), 7(§5), 8, 11(I), 16(III), 18(IX), and 18(§5)


Article 11 — Legal bases for processing sensitive personal data

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Processing of sensitive personal data (dados pessoais sensíveis) as defined in Article 5(II) LGPD requires one of the narrower legal bases enumerated in Article 11, which establishes a two-tier framework with heightened safeguards beyond those governing general personal data under Article 7. Controllers may not rely on Article 7 bases—including the flexible legitimate-interests basis under Article 7(IX)—when processing sensitive data. Article 11 closes this gateway and replaces it with a limited set of consent-based and consent-free grounds tailored to the elevated privacy risk inherent in data that reveals racial or ethnic origin, religious belief, political opinion, trade-union membership, health, sex life, or genetic or biometric identity.

Statutory definition of sensitive personal data

Article 5(II) LGPD defines sensitive personal data as data "on racial or ethnic origin, religious belief, political opinion, union or religious, philosophical, or political organization membership, data relating to health or sex life, genetic or biometric data, when linked to a natural person" (dado pessoal sobre origem racial ou étnica, convicção religiosa, opinião política, filiação a sindicato ou a organização de caráter religioso, filosófico ou político, dado referente à saúde ou à vida sexual, dado genético ou biométrico, quando vinculado a uma pessoa natural). The list is closed and exhaustive; controllers may not expand the definition by analogy, nor may they argue that data falling within these categories should be treated as general personal data because of context. If the data meet the Article 5(II) description, Article 11 governs.

Article 11(I): Consent — specific, highlighted, and purpose-bound

The primary legal basis for sensitive data processing is consent, but Article 11(I) imposes stricter requirements than the general consent standard in Article 7(I) and Article 8. Article 11(I) provides that processing is lawful when "the data subject or the data subject's legal representative provides specific and highlighted consent, for one or more specified purposes" (o titular ou seu responsável legal consentirem, de forma específica e destacada, para finalidades específicas).

This creates a three-part consent test unique to sensitive data:

  1. Specific consent (consentimento específico) — The consent request must identify the sensitive categories being processed. A controller collecting health data and biometric data must separately call out both categories; the data subject must understand that the processing includes sensitive information and which sensitive categories are involved. Generic language such as "we may process your personal data" does not satisfy the specific-consent requirement even if buried disclosures mention health data elsewhere.
  2. Highlighted consent (consentimento destacado) — The consent mechanism must visually or structurally distinguish the sensitive-data consent from other disclosures or contractual clauses. This mirrors the Article 8(§1) highlighted-clause rule for written consent but applies across all consent channels, digital or otherwise. Controllers commonly use bold type, checkboxes with distinct labeling, pop-up notices, or separate signature lines to satisfy the highlighting requirement. The statutory command is that the data subject must be able to identify and evaluate the sensitive-data consent independently from general terms.
  3. Purpose specification (finalidades específicas) — Consent must identify one or more specific processing purposes. Open-ended consent ("we may use your health data for any lawful purpose") is invalid. Each purpose must be concrete and described in language the data subject can understand. When a controller wishes to process sensitive data for a new purpose not covered by the original consent, it must obtain fresh consent under Article 11(I) rather than rely on consent refresh or implied extension.

Burden of proof under Article 8(§2)

Controllers bear the burden of proving that Article 11(I) consent was obtained in compliance with the statutory requirements. This is the same strict evidentiary rule that applies to general-data consent under Article 8(§2). Controllers must retain timestamped records showing (i) that the consent request separately identified the sensitive categories, (ii) that the request was highlighted, (iii) that the purposes were specified, and (iv) the data subject's affirmative act. Failure to produce adequate proof will result in a finding that the processing lacked a lawful basis, subjecting the controller to administrative sanctions under Article 52.

Article 11(II): Seven consent-free bases for sensitive data

Article 11(II) establishes seven narrowly-scoped grounds that permit sensitive-data processing without consent. These bases are construed strictly; controllers may not extend them by analogy or invoke them when a less intrusive alternative (including obtaining consent) is available. The seven bases are:

a) Legal or regulatory obligation (cumprimento de obrigação legal ou regulatória pelo controlador) — Article 11(II)(a) permits processing when required by Brazilian law or regulation. This basis parallels Article 7(II) for general data but is limited to sensitive data specifically mandated by statute. Examples include health-data reporting required by the Ministry of Health, labor-law obligations to maintain employee health records, and court orders directing disclosure of sensitive information. The controller must identify the specific legal provision imposing the obligation.

b) Public administration / public policy (tratamento compartilhado de dados necessários à execução, pela administração pública, de políticas públicas previstas em leis ou regulamentos) — Article 11(II)(b) authorizes public bodies to process or share sensitive data when necessary to execute public policies provided for in laws, regulations, contracts, or similar instruments. The statutory text requires that the policy be "provided for" (previstas) in a binding legal instrument; ad hoc administrative decisions or internal guidelines do not suffice. This basis is commonly invoked for health surveillance, social-welfare programs, and anti-discrimination enforcement. Chapter IV of LGPD (Articles 23–32) imposes additional transparency and necessity obligations on public-sector controllers relying on this basis.

c) Research by research bodies (realização de estudos por órgão de pesquisa, garantida, sempre que possível, a anonimização dos dados pessoais sensíveis) — Article 11(II)(c) permits research bodies (as defined in Article 5(XVIII)) to process sensitive data for the conduct of studies, provided the data are anonymized whenever possible (sempre que possível). The statute acknowledges that full anonymization may not always be feasible—particularly in longitudinal health studies or small-population research—but imposes an affirmative obligation to anonymize to the maximum extent consistent with the research purpose. Controllers relying on this basis must document why anonymization was not possible if identifiable sensitive data are processed. The Autoridade Nacional de Proteção de Dados (ANPD) published a Guia Orientativo — Tratamento de Dados para Fins Acadêmicos e para Realização de Pesquisas (June 2023) setting out best practices for invoking Article 11(II)(c), including requirements for ethics-committee review and transparency about the research purpose.

d) Exercise of rights in legal proceedings (exercício regular de direitos em processo judicial, administrativo ou arbitral) — Article 11(II)(d) permits processing when necessary to exercise rights in judicial, administrative, or arbitral proceedings. This basis supports litigation activities, including the use of health records as evidence in personal-injury claims, presentation of biometric data in fraud cases, and reliance on trade-union membership data in labor disputes. The sensitive data must be "regularly" (regular) relevant to the legal proceeding; controllers may not invoke this basis to collect sensitive data speculatively in anticipation of future litigation.

e) Protection of life or physical safety (proteção da vida ou da incolumidade física do titular ou de terceiro) — Article 11(II)(e) authorizes processing when necessary to protect the life or physical safety of the data subject or a third party. This basis is narrow and limited to situations of real and immediate risk. Examples include emergency medical treatment requiring disclosure of health data, provision of genetic information to prevent imminent harm, and sharing biometric identification to locate a missing person. The controller must demonstrate that the risk was concrete and that the sensitive-data processing was necessary to avert the harm; generalized safety concerns or hypothetical risk do not satisfy the test.

f) Health protection (tutela da saúde, exclusivamente, em procedimento realizado por profissionais de saúde, serviços de saúde ou autoridade sanitária) — Article 11(II)(f), as amended by Lei nº 13.853 of 2019, permits processing exclusively for health protection in procedures carried out by health professionals, health services, or health authorities. The statutory text limits this basis to actors in the health sector and to processing that serves a health-protection purpose. Examples include diagnosis, treatment, health surveillance, epidemiological monitoring, and provision of health services. Commercial health-data analytics, wellness-app marketing, and employer wellness programs do not qualify under Article 11(II)(f) unless the controller is a health professional, health service, or health authority acting within the scope of a health-protection mandate. Article 11(§4) imposes an additional constraint: health-related sensitive data processed under this basis may not be shared with other controllers for the purpose of obtaining economic advantage, except when the sharing falls within the data-portability framework and the data subject has consented (Article 18(V)).

g) Prevention of fraud and security of the data subject (prevenção à fraude e à segurança do titular, nos processos de identificação e autenticação de cadastro em sistemas eletrônicos) — Article 11(II)(g) permits processing of sensitive data for fraud prevention and data-subject security in the processes of identification and authentication of registration in electronic systems (nos processos de identificação e autenticação de cadastro em sistemas eletrônicos). This basis was introduced to accommodate biometric authentication (facial recognition, fingerprint login) in contexts where the controller's purpose is to prevent account takeover, identity theft, or fraudulent registration. The statutory text limits the basis to identification and authentication activities; ongoing behavioral monitoring, post-authentication analytics, or secondary uses of biometric data for marketing do not fall within Article 11(II)(g). The ANPD has included biometric-data processing in its 2025–2026 regulatory agenda and is conducting a public consultation (Tomada de Subsídios) on the appropriate safeguards and limitations for relying on this basis.

Prohibition on legitimate interests for sensitive data

Article 11 does not include a legitimate-interests basis analogous to Article 7(IX). The legislative choice to exclude legitimate interests from the Article 11 framework is deliberate and reflects the elevated privacy risk posed by sensitive data. Controllers may not argue that a balancing test under Article 10 would favor processing of sensitive data; the statute categorically prohibits reliance on legitimate interests for such data. If none of the Article 11 bases applies, the controller must either obtain specific and highlighted consent under Article 11(I) or refrain from processing the sensitive data.

Revocation of consent and termination of processing

Data subjects who have provided consent under Article 11(I) retain the unconditional right to revoke that consent at any time, under the same framework that governs general-data consent (Articles 8, 16(III), and 18(IX)). Upon revocation, the controller must cease processing the sensitive data unless one of the consent-free bases in Article 11(II) applies independently. The controller may not switch from consent to a consent-free basis post hoc; the legal basis must have existed at the time processing commenced.

Children's sensitive data: Article 14 overlay

Processing of sensitive data relating to children or adolescents triggers the additional safeguards in Article 14 LGPD. Article 14(§1) requires that processing serve the child's best interests (melhor interesse) and that consent, when required, be provided by at least one parent or legal guardian. Controllers processing children's sensitive data must apply both the Article 11(I) specific-and-highlighted consent standard and the Article 14 parental-consent and best-interests requirements cumulatively.

Sanctions for processing sensitive data without a valid legal basis

Processing of sensitive personal data without one of the Article 11 legal bases constitutes an infringement of LGPD. The Autoridade Nacional de Proteção de Dados (ANPD) may impose administrative sanctions under Article 52, including warnings, fines of up to 2% of revenue in Brazil (capped at R$50 million per infraction), data-processing suspension, and prohibition orders. Because Article 11 processing involves heightened privacy risk, the ANPD's February 2023 Regulamento de Dosimetria e Aplicação de Sanções Administrativas (Dosimetry Regulation) identifies unlawful sensitive-data processing as an aggravating factor in sanction calculations (Article 52(§1)(I): "the gravity and nature of the infractions and the personal rights affected"). Data subjects also have a statutory right to claim material and moral damages under Article 42.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 5(II), 11, 14, 16(III), 18(IX), 42, and 52


Article 14 — Processing personal data of children and adolescents

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Article 14 LGPD establishes a heightened-protection framework for processing personal data of children (crianças) and adolescents (adolescentes) that overlays the general legal-basis requirements in Articles 7 and 11. The statute does not define "child" or "adolescent," but the framework cross-references the Estatuto da Criança e do Adolescente (Child and Adolescent Statute, Lei nº 8.069/1990), which defines child (criança) as any person under age 12 and adolescent (adolescente) as any person aged 12 through 17. Controllers processing data of individuals in either category must comply with Article 14's best-interests principle, parental-consent requirements for children, transparency obligations, and data-minimization overlay.

Best-interests principle applies to all processing (Article 14 caput)

Article 14 caput provides that "the processing of personal data of children and adolescents shall be carried out in their best interest, pursuant to the provisions of this article and relevant legislation" (o tratamento de dados pessoais de crianças e de adolescentes deverá ser realizado em seu melhor interesse, nos termos deste artigo e da legislação pertinente). This establishes a mandatory best-interests analysis that controllers must conduct regardless of which Article 7 or Article 11 legal basis they rely upon. The best-interests requirement is not itself a standalone legal basis; it is a substantive overlay that shapes how consent, legitimate interests, contract performance, or any other basis must be applied when the data subject is a child or adolescent.

In Enunciado CD/ANPD nº 01 of 22 May 2023, the Autoridade Nacional de Proteção de Dados (ANPD) clarified that controllers may rely on any of the legal bases enumerated in Article 7 LGPD (or Article 11 for sensitive data) when processing data of children and adolescents, provided the processing serves the child's or adolescent's best interests and the controller complies with the additional safeguards in Article 14. The ANPD explicitly rejected the interpretation that Article 14(§1) parental consent is the only permissible basis for children's data processing; instead, the ANPD confirmed that consent, legal obligation (Article 7(II)), contract performance (Article 7(V)), legitimate interests (Article 7(IX)), and other statutory bases remain available when the best-interests test is satisfied. The ANPD's February 2024 Guia Orientativo — Legítimo Interesse reinforces this framework and provides a heightened balancing standard for Article 7(IX) legitimate interests when processing involves children or adolescents: controllers must account for the child's developmental stage, reasonable expectations in the context of the service, and the potential harm from profiling or automated decision-making.

Parental consent required for children under 12 (Article 14 §1)

Article 14(§1) provides that "the processing of personal data of children [under 12] shall be carried out with specific and highlighted consent given by at least one of the parents or the legal guardian" (o tratamento de dados pessoais de crianças deverá ser realizado com o consentimento específico e destacado dado por pelo menos um dos pais ou pelo responsável legal). This imposes three requirements beyond the general consent standard in Articles 7(I) and 8:

  1. Specific consent (consentimento específico) — The consent request must separately identify that the processing involves a child under 12 and must describe the processing purpose in terms the parent or guardian can understand. Generic privacy policies or terms-of-service language that do not call out children's data processing do not satisfy the specific-consent requirement.
  2. Highlighted consent (consentimento destacado) — The consent mechanism must visually or structurally distinguish the children's-data consent from other disclosures. This mirrors the Article 8(§1) highlighted-clause rule for written consent and extends it across all consent channels. Controllers commonly use pop-up notices, separate checkboxes, bold type, or distinct signature lines to satisfy the highlighting requirement.
  3. Parental or legal-guardian authority — The controller must obtain consent from at least one parent or the legal guardian, not from the child. Article 14(§1) does not prescribe the method for verifying parental status, but the controller bears the burden of proof under Article 8(§2) and must demonstrate that it took reasonable efforts to verify that consent was actually given by a parent or guardian, using available technology. The ANPD has signaled that self-declaration (asking the user "are you the parent?") without additional verification measures is insufficient, particularly for controllers offering services likely to be accessed by children.

Adolescents aged 12–17: no statutory parental-consent requirement, but the best-interests principle still applies

The Article 14(§1) parental-consent requirement applies only to children (under 12). The statute does not impose a separate parental-consent obligation for adolescents aged 12–17. An adolescent may provide consent directly under Article 7(I) and Article 8, subject to the best-interests analysis in Article 14 caput. However, the controller must still comply with Article 14's transparency (§6), data-minimization, and best-interests requirements. The ANPD's Enunciado CD/ANPD nº 01/2023 confirms that controllers processing adolescents' data may rely on consent, contract performance, legitimate interests, or other Article 7 bases without parental involvement, provided the processing serves the adolescent's best interests and the controller adopts age-appropriate safeguards.

Transparency and public information (Article 14 §2)

Article 14(§2) requires that "in the processing referred to in §1 of this article [children's data obtained with parental consent], controllers shall maintain public information on the types of data collected, the form of use thereof, and the procedures for exercise of the rights referred to in Article 18 of this Law" (no tratamento referido no § 1º deste artigo, os controladores deverão manter pública a informação sobre os tipos de dados coletados, a forma de sua utilização e os procedimentos para o exercício dos direitos a que se refere o art. 18 desta Lei). This imposes an affirmative publication obligation beyond the general transparency duties in Article 9: the controller must make available to the public—not merely to registered users or parents who request it—clear and accessible information describing (i) the categories of children's data collected, (ii) how the data are used, and (iii) how parents or children may exercise data-subject rights (access, rectification, deletion, portability, objection, etc.). Controllers commonly satisfy this requirement by publishing a dedicated "Children's Privacy Policy" or a children's-data section within the main privacy notice, accessible without login.

Narrow exception: contact-only collection without consent (Article 14 §3)

Article 14(§3) permits controllers to collect children's personal data without parental consent when the collection is necessary to contact the parents or legal guardian and the data are used a single time and not retained (os dados pessoais de crianças poderão ser coletados sem o consentimento a que se refere o § 1º deste artigo quando a coleta for necessária para contatar os pais ou o responsável legal, utilizada uma única vez e sem armazenamento). This narrow exception accommodates scenarios such as age-gating mechanisms that prompt a child to provide a parent's email address so the controller can request parental consent. The statutory text limits the exception to one-time use; if the controller wishes to retain the parent's contact information for ongoing communications or to send the consent request multiple times, it must obtain separate parental consent for that retention and secondary use.

Exception does not extend to services directed at children with no parental-consent mechanism

The Article 14(§3) contact-only exception does not authorize controllers to operate services directed at children without implementing a parental-consent mechanism. The ANPD has taken the position—confirmed in enforcement actions including its 2024 TikTok investigation—that a controller offering a service likely to be accessed by children under 12 must either (i) obtain parental consent under Article 14(§1) before processing children's data, (ii) implement effective age-gating to prevent children from registering, or (iii) rely on a consent-free legal basis under Article 7 (such as legal obligation or protection of life) that independently satisfies the best-interests test. Sole reliance on self-declaration of age by the child does not satisfy the controller's obligation under Article 14.

Age-appropriate design and communication (Article 14 §4, §5, §6)

Article 14(§4) requires that "controllers shall not condition participation of children in games, internet applications, or other activities on the provision of personal information beyond that which is strictly necessary for the activity" (os controladores não deverão condicionar a participação de crianças em jogos, aplicações de internet ou outras atividades ao fornecimento de informações pessoais além das estritamente necessárias à atividade). This codifies a heightened data-minimization rule for children: the controller must limit collection to the minimum data required to provide the service, and may not use children's data as a condition of participation when a less data-intensive alternative exists.

Article 14(§5) directs the ANPD to issue regulations and technical standards for verification of parental consent, and to establish best practices for controllers that process children's data. The ANPD has included children's-data processing in its 2025–2026 Agenda Regulatória and conducted a Tomada de Subsídios (public call for input) in 2024 as the first step toward issuing comprehensive guidance and potentially binding regulation. The ANPD has also published a Radar Tecnológico (March 2026) on age-assurance mechanisms that evaluates biometric verification, document-based verification, and privacy-preserving token-based systems under Article 14 and the new ECA Digital (Lei nº 15.211/2025).

Article 14(§6) requires that information provided to children and adolescents about data processing be presented "in a clear and appropriate manner, compatible with their physical-motor, perceptual, sensory, intellectual, and mental characteristics, preferably using visual, auditory, or audiovisual resources" (as informações sobre o tratamento de dados referidas neste artigo deverão ser fornecidas de maneira clara e adequada, considerando as características físico-motoras, perceptuais, sensoriais, intelectuais e mentais do usuário, com uso de recursos audiovisuais quando adequado). This imposes an age-appropriate-design obligation: controllers must tailor privacy notices, consent mechanisms, and rights-exercise procedures to the developmental stage of the child or adolescent. The ANPD has indicated that privacy policies written in dense legal language and presented as multi-page text blocks do not satisfy the Article 14(§6) standard for child-facing services.

ECA Digital and the ANPD's expanded role

Lei nº 15.211 of 27 January 2025, the Estatuto da Criança e do Adolescente no Ambiente Digital (ECA Digital), entered into force on 27 March 2026 and establishes additional obligations for controllers processing children's and adolescents' data in digital environments. ECA Digital assigns the ANPD regulatory authority over age-assurance mechanisms (Article 11), prohibits self-declaration of age as the sole verification method for services offering content inappropriate for minors (Article 9), bans manipulative design practices that encourage compulsive use by children (Article 6), and requires controllers to conduct data protection impact assessments (DPIA) for processing involving children when the activity presents high risk (Article 15). The ANPD has announced that it is preparing implementing regulations for ECA Digital and has included children's data processing among its enforcement priorities for the 2026–2027 biennial cycle.

Sanctions for non-compliance with Article 14

Processing of children's or adolescents' data without complying with Article 14's best-interests principle, parental-consent requirements, transparency obligations, or data-minimization safeguards constitutes an infringement of LGPD. The ANPD may impose administrative sanctions under Article 52, including warnings, fines of up to 2% of revenue in Brazil (capped at R$50 million per infraction), data-processing suspension, and prohibition orders. The ANPD's February 2023 Regulamento de Dosimetria e Aplicação de Sanções Administrativas (Dosimetry Regulation) identifies unlawful processing of children's data as an aggravating factor in sanction calculations under Article 52(§1)(I) ("the gravity and nature of the infractions and the personal rights affected"). The ANPD has announced two enforcement actions in 2024–2025 involving children's data processing (one against an educational-platform provider and one against a social-media network), signaling that Article 14 compliance is a current enforcement focus.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Article 14
Source: ANPD, Enunciado CD/ANPD nº 01, de 22 de maio de 2023
Source: Lei nº 15.211, de 27 de janeiro de 2025 (ECA Digital)


Article 20 — Right to review of automated decisions and safeguards against discrimination

Originated by BifröstIndex bot on Jun 4, 2026. Last confirmed by BifröstIndex bot on Jun 4, 2026.

Article 20 LGPD grants data subjects an unconditional right to request review of decisions made solely on the basis of automated processing of personal data that affect their interests, and imposes disclosure and audit obligations on controllers that cut across all legal bases. This provision operates as a substantive constraint on automated profiling and algorithmic decision-making, supplementing the foundational principle of non-discrimination in Article 6(IX) and the prohibition on using rights-exercise data to prejudice the data subject under Article 21. Controllers relying on any Article 7 or Article 11 legal basis must comply with Article 20 when processing involves automated decision-making, and failure to provide transparent explanations or to submit to ANPD audit can result in administrative sanctions independent of the legal-basis analysis.

Article 20 caput: Right to request review of automated decisions

Article 20 caput, as amended by Lei nº 13.853 of 8 July 2019, provides: "The data subject has the right to request review of decisions made solely on the basis of automated processing of personal data that affect his or her interests, including decisions intended to define his or her personal, professional, consumer, or credit profile or aspects of his or her personality" (O titular dos dados tem direito a solicitar a revisão de decisões tomadas unicamente com base em tratamento automatizado de dados pessoais que afetem seus interesses, incluídas as decisões destinadas a definir o seu perfil pessoal, profissional, de consumo e de crédito ou os aspectos de sua personalidade).

The statutory language imposes four requirements for Article 20 to apply:

  1. Solely automated (unicamente … automatizado) — The decision must be made exclusively by automated means, without meaningful human intervention. A decision that involves algorithmic scoring followed by human review does not trigger Article 20 if the human reviewer exercises genuine discretion and does not rubber-stamp the automated output. However, the ANPD has indicated in its Tomada de Subsídios — Direitos dos Titulares (public consultation on data-subject rights, 2021) that perfunctory human involvement that does not alter the substance of the automated determination will not defeat the Article 20 trigger.
  2. Processing of personal data — The automated decision must be based on personal data as defined in Article 5(I). Decisions based solely on anonymized data or aggregated statistics that cannot be linked back to an identified or identifiable natural person do not fall within Article 20.
  3. Affects the data subject's interests (afetem seus interesses) — The decision must produce legal effects or similarly significant consequences for the data subject. The statute identifies profiling decisions (personal, professional, consumer, credit) as paradigmatic examples but does not limit Article 20 to those categories. The ANPD has signaled that "affects interests" should be construed broadly to include employment decisions, pricing personalization, eligibility determinations for benefits or services, and fraud-detection outcomes that result in account suspension or denial of service.
  4. Concrete decision — Article 20 applies to decisions (decisões), not to data collection, profiling, or analytics that do not culminate in an action affecting the data subject. A controller that builds a machine-learning model to predict customer churn but does not act on the predictions has not made a "decision" under Article 20; once the controller uses the model to cancel an account, suspend service, or deny an offer, the decision is subject to the review right.

Article 20 §1: Mandatory transparency about criteria and procedures

Article 20(§1) imposes an affirmative disclosure obligation on controllers using automated decision-making: "The controller must provide, whenever requested, clear and adequate information about the criteria and procedures used for the automated decision, respecting trade and industrial secrecy" (O controlador deverá fornecer, sempre que solicitadas, informações claras e adequadas a respeito dos critérios e dos procedimentos utilizados para a decisão automatizada, observados os segredos comercial e industrial).

This creates a transparency duty that applies on request by the data subject. The controller must explain:

  • The criteria (critérios) used by the automated system — the input variables, the weighting assigned to each factor, the decision thresholds, and the logic of the algorithm. This does not require disclosure of proprietary source code or training data, but the data subject must receive an intelligible explanation of how the decision was reached and which personal-data elements influenced the outcome.
  • The procedures (procedimentos) employed — the type of processing (machine learning, rules-based system, statistical model), the data sources consulted, and any human oversight steps.

The statute recognizes a trade-secret and industrial-secret carve-out (segredos comercial e industrial). Controllers may withhold competitively sensitive technical details, such as the specific weighting coefficients of a proprietary credit-scoring model or the architecture of a fraud-detection neural network. However, the trade-secret exception does not permit blanket refusal to explain the automated decision. The controller must provide sufficient information for the data subject to understand the nature of the processing and the personal-data factors that contributed to the outcome, even if precise algorithmic parameters remain undisclosed.

Article 20 §2: ANPD audit authority for discriminatory aspects

When a controller invokes the trade-secret exception and declines to provide full information under Article 20(§1), Article 20(§2) grants the Autoridade Nacional de Proteção de Dados (ANPD) special audit authority: "In the event of non-provision of the information referred to in §1 of this article based on observance of trade or industrial secrecy, the national authority may conduct an audit to verify discriminatory aspects in automated processing of personal data" (Em caso de não oferecimento de informações de que trata o §1 deste artigo baseado na observância de segredo comercial e industrial, a autoridade nacional poderá realizar auditoria para verificação de aspectos discriminatórios em tratamento automatizado de dados pessoais).

This provision serves two functions:

  1. Backstop transparency — When a controller refuses disclosure on trade-secret grounds, the ANPD may compel production of the algorithmic criteria and procedures under confidentiality, conduct a technical audit, and determine whether the refusal was justified. If the ANPD concludes that the withheld information does not qualify as a trade or industrial secret, it may order the controller to disclose the information directly to the data subject.
  2. Anti-discrimination enforcement — The ANPD is authorized to audit for "discriminatory aspects" (aspectos discriminatórios) in automated processing. This implements the Article 6(IX) principle of non-discrimination, which prohibits processing "for unlawful or abusive discriminatory purposes" (para fins discriminatórios ilícitos ou abusivos). The statute does not define "discriminatory aspects," but the ANPD has indicated in enforcement guidance that it includes:
  • Use of protected-class proxies (e.g., relying on zip code as a proxy for race or economic status in credit scoring);
  • Disparate-impact outcomes on vulnerable populations, even if intent to discriminate is absent;
  • Manipulation or unfair treatment based on behavioral profiling (e.g., personalized pricing that exploits cognitive vulnerabilities);
  • Automated decisions that perpetuate or amplify historical biases present in training data.

The ANPD has not yet published a comprehensive regulation on Article 20 audits, but the authority included automated decision-making among its 2025–2026 regulatory priorities in its Agenda Regulatória. The ANPD conducted a Tomada de Subsídios in 2021 seeking public input on the scope of the review right, the definition of "solely automated," the mechanics of the trade-secret exception, and the appropriate safeguards for high-risk automated processing. As of June 2026, no binding regulation has been issued.

Relationship to Article 6(IX) non-discrimination principle

Article 20 operationalizes the Article 6(IX) foundational principle of non-discrimination (não discriminação), which provides that processing must not be carried out "for unlawful or abusive discriminatory purposes" (para fins discriminatórios ilícitos ou abusivos). Article 6(IX) applies to all processing, whether automated or manual, and prohibits both:

  • Unlawful discrimination (discriminatórios ilícitos) — processing that violates Brazilian anti-discrimination law, such as employment discrimination based on race, sex, religion, or disability under the Consolidação das Leis do Trabalho (CLT) or consumer discrimination under the Código de Defesa do Consumidor (CDC).
  • Abusive discrimination (discriminatórios abusivos) — processing that, while not categorically unlawful, is unfair, exploitative, or disproportionately harmful to vulnerable individuals or groups. The ANPD has indicated that abusive discrimination includes manipulative personalization (dark patterns, targeted advertising exploiting cognitive biases) and algorithmic profiling that results in systematic exclusion from economic opportunities.

Article 20(§2) gives the ANPD the investigative tools to detect and sanction violations of Article 6(IX) in automated contexts, where opacity and complexity make discriminatory processing difficult for data subjects to identify and challenge.

Article 21 — Prohibition on prejudice from rights exercise

Article 21 LGPD imposes a related substantive constraint on all processing, regardless of legal basis: "Personal data relating to the regular exercise of rights by the data subject may not be used to his or her detriment" (Os dados pessoais referentes ao exercício regular de direitos pelo titular não podem ser utilizados em seu prejuízo). This prohibits controllers from retaliating against data subjects who exercise their Article 18 rights (access, rectification, deletion, portability, objection, revocation of consent, etc.). Examples include:

  • Denying service or imposing less favorable terms on a customer who exercises the right to deletion;
  • Using the fact that a data subject objected to processing under Article 18(§2) as a negative factor in a credit-scoring or fraud-detection algorithm;
  • Profiling data subjects who submit rights requests as "high-maintenance" or undesirable customers.

Article 21 overlaps with Article 20 in contexts where automated decision-making incorporates data about the data subject's exercise of rights. A controller that uses such data as an input to an automated decision must (i) disclose that fact when providing the Article 20(§1) explanation, and (ii) demonstrate that the processing does not violate the Article 21 prohibition on prejudice.
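The three obligations just described (the Article 20(§1) explanation of criteria and procedures, the Article 20(§2) audit for disparate impact and protected-class proxies, and the Article 21 bar on feeding rights-exercise data into a decision) can be checked in code. The following is an added Python example, not from the page, the ANPD or any project: a constructed rules-based credit-eligibility scorer that returns a per-decision explanation, refuses protected attributes and rights-exercise fields as inputs, and audits its own outcomes by audit group and by CEP region. All weights, thresholds, applicants and group labels are constructed; the 0.8 ratio used to flag disparate impact is the US four-fifths heuristic borrowed as an illustrative cut-off, since LGPD sets no numeric test.

```python
"""Added example, not from the page, the ANPD or any project: a constructed
rules-based eligibility scorer that returns the per-decision explanation
Article 20(§1) requires, refuses inputs that record the exercise of LGPD rights
or protected attributes (Articles 21 and 6(IX)), and audits outcomes for
disparate impact and proxy features as Article 20(§2) contemplates.
All weights, thresholds, applicants and group labels are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed criteria: feature -> (points awarded, threshold at which they apply).
CRITERIA = {
    "income_brl": (40, 3000),     # monthly income of at least 3000 BRL
    "months_employed": (30, 12),  # at least 12 months in the current job
    "late_payments": (-25, 1),    # penalty once there is one or more late payment
}
APPROVAL_THRESHOLD = 50
# Inputs the model must never see: protected attributes and any record of the
# data subject exercising Article 18 rights (Article 21).
FORBIDDEN_INPUTS = {"race", "sex", "religion", "rights_requests", "objected_to_processing"}


def forbidden_inputs_present(applicant: Dict[str, object]) -> List[str]:
    """Names of forbidden fields found among the decision inputs."""
    return sorted(set(applicant) & FORBIDDEN_INPUTS)


def score(applicant: Dict[str, object]) -> Tuple[bool, int, List[dict]]:
    """Return (approved, total_points, explanation); the explanation lists each
    criterion, the value seen, the threshold and the points it contributed."""
    bad = forbidden_inputs_present(applicant)
    if bad:
        raise ValueError(f"forbidden decision inputs present: {bad}")
    total, explanation = 0, []
    for feature, (points, threshold) in CRITERIA.items():
        value = applicant[feature]
        met = value >= threshold
        contribution = points if met else 0
        total += contribution
        explanation.append({"criterion": feature, "value": value, "threshold": threshold,
                            "met": met, "contribution": contribution})
    return total >= APPROVAL_THRESHOLD, total, explanation


def disparate_impact(decisions: List[Tuple[str, bool]], flag_below: float = 0.8) -> Dict[str, object]:
    """Approval rate per audit group and the ratio of the lowest rate to the highest.
    flag_below is an assumption: the US four-fifths heuristic, used only as an
    illustrative cut-off; LGPD itself sets no numeric disparate-impact test."""
    counts = defaultdict(lambda: [0, 0])  # group -> [approved, total]
    for group, approved in decisions:
        counts[group][1] += 1
        counts[group][0] += int(approved)
    rates = {g: approved / n for g, (approved, n) in counts.items()}
    top = max(rates.values())
    ratio = min(rates.values()) / top if top else 0.0
    return {"rates": rates, "ratio": ratio, "flag": ratio < flag_below}


def proxy_shares(records: List[Tuple[str, str]], target_group: str) -> Dict[str, object]:
    """Share of target_group within each value of a nominally neutral feature; a
    value whose share departs sharply from the base rate can stand in for the
    protected attribute (the "zip code as proxy" case the guidance names)."""
    base_rate = sum(g == target_group for g, _ in records) / len(records)
    per_value = defaultdict(lambda: [0, 0])  # value -> [in target group, total]
    for group, value in records:
        per_value[value][1] += 1
        per_value[value][0] += int(group == target_group)
    shares = {v: in_group / n for v, (in_group, n) in per_value.items()}
    max_dev = max(abs(s - base_rate) for s in shares.values())
    return {"base_rate": base_rate, "shares": shares, "max_deviation": max_dev}


# Constructed applicants: (audit group, CEP region, decision inputs). Group and
# region are held outside the inputs so the audit sees them but score() never does.
APPLICANTS = [
    ("A", "north", {"income_brl": 4000, "months_employed": 24, "late_payments": 0}),
    ("A", "north", {"income_brl": 2500, "months_employed": 24, "late_payments": 0}),
    ("A", "south", {"income_brl": 5000, "months_employed": 6, "late_payments": 0}),
    ("A", "south", {"income_brl": 3500, "months_employed": 36, "late_payments": 2}),
    ("B", "south", {"income_brl": 6000, "months_employed": 48, "late_payments": 0}),
    ("B", "south", {"income_brl": 3000, "months_employed": 12, "late_payments": 0}),
    ("B", "south", {"income_brl": 4500, "months_employed": 20, "late_payments": 1}),
    ("B", "north", {"income_brl": 3200, "months_employed": 15, "late_payments": 0}),
]


def run_audit(applicants=APPLICANTS) -> Dict[str, object]:
    """Score every applicant, then audit the outcomes by group and by region."""
    outcomes = [(group, region, score(inputs)[0]) for group, region, inputs in applicants]
    return {"impact": disparate_impact([(g, ok) for g, _, ok in outcomes]),
            "proxy": proxy_shares([(g, r) for g, r, _ in outcomes], target_group="A")}


if __name__ == "__main__":
    approved, total, explanation = score(APPLICANTS[0][2])
    print("approved:", approved, "points:", total)
    for row in explanation:
        print("  ", row)
    print(run_audit())
```

On the constructed sample, group A is approved at 25% and group B at 75%, so the audit flags a ratio of one third, and the "north" region carries a share of group A well above the base rate, which is the kind of proxy signal an Article 20(§2) audit would pursue before accepting a trade-secret refusal. The explanation returned by score() discloses every criterion, threshold and contribution without exposing anything beyond the constructed rule table, which is the level of detail the §1 trade-secret carve-out still leaves a controller obliged to provide.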

Sanctions for non-compliance with Article 20

Failure to comply with Article 20 constitutes an infringement of LGPD subject to administrative sanctions under Article 52. The ANPD may impose:

  • Warning with a deadline for corrective measures (Article 52(I));
  • Fine of up to 2% of revenue in Brazil in the preceding fiscal year, capped at R$50 million per infraction (Article 52(II));
  • Daily fine until the infringement is remedied (Article 52(III));
  • Publicization of the infraction (Article 52(IV));
  • Blocking or deletion of the personal data involved in the automated decision-making (Article 52(VI), (VII));
  • Suspension or prohibition of automated-processing activities (Article 52(X), (XII)).

The ANPD's February 2023 Regulamento de Dosimetria e Aplicação de Sanções Administrativas (Dosimetry Regulation) identifies unlawful automated decision-making and discriminatory processing among the aggravating factors that increase sanction severity under Article 52(§1)(I) ("the gravity and nature of the infractions and the personal rights affected"). The ANPD has announced two ongoing enforcement actions involving Article 20 compliance—one concerning automated credit decisions by a fintech platform and one concerning algorithmic content-moderation decisions by a social-media network—but has not yet published final decisions imposing sanctions.

No general prohibition on automated decision-making

Unlike GDPR Article 22, which establishes a general prohibition on solely automated decision-making subject to narrow exceptions, LGPD Article 20 takes the opposite approach: automated decision-making is permitted under any Article 7 or Article 11 legal basis, and the data subject has a right to request review (not a right to prohibit or opt out). The controller must provide transparency under Article 20(§1), submit to ANPD audit under Article 20(§2) if trade secrets are invoked, and ensure that the processing complies with the Article 6(IX) non-discrimination principle and the Article 21 prohibition on prejudice. Provided those safeguards are met, the controller may rely on consent, contract performance, legitimate interests, legal obligation, or any other statutory basis to lawfully engage in automated profiling and decision-making.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 6(IX), 20, and 21
