Warning
Work in Progress: This page is currently under construction. Content may be incomplete or subject to change. To contribute, see the contribution guide.
LGPD — Lei Geral de Proteção de Dados
Brazil’s General Data Protection Law (LGPD — Law 13.709/2018) governs the processing of personal data of individuals located in Brazil.
Key concepts
| Term | Definition |
|---|---|
| Personal data | Any information that identifies or can identify a natural person (e.g. name, CPF, email, IP address) |
| Sensitive personal data | Special category: race, religion, health, biometric, genetic, sexual orientation, political opinion |
| Data subject | The individual whose personal data is being processed |
| Controller | The entity that decides the purpose and means of processing (Patria Investments) |
| Processor | Third party that processes data on behalf of the controller |
| DPO | Data Protection Officer — responsible for LGPD compliance at Patria |
Legal bases for processing
Processing of personal data is only permitted under one of these legal bases:
- Consent — explicit, informed, specific, and freely given
- Legitimate interest — proportional and necessary for a legitimate business purpose
- Contractual obligation — necessary to fulfil a contract with the data subject
- Legal obligation — required by law or regulation
- Vital interests — protection of life or physical safety
- Legitimate interests (research) — for studies by research bodies
Developer obligations
Info
If your system handles personal data, you must:
- [ ] Identify personal data fields in your data model and document them in the data catalog
- [ ] Apply the minimum necessary principle — collect only what is required
- [ ] Implement data retention rules — delete or anonymise data after the retention period
- [ ] Ensure personal data is encrypted at rest and in transit
- [ ] Log access to personal data for audit purposes
- [ ] Never use production personal data in Development or Staging environments
- [ ] Complete a Privacy Impact Assessment (PIA) for new features that process sensitive data
See also: Data Privacy for Developers
Data subject rights
Under LGPD, data subjects have the right to:
| Right | Description | Response SLA |
|---|---|---|
| Access | Confirm whether data is processed and receive a copy | 15 days |
| Correction | Fix inaccurate or incomplete data | 15 days |
| Deletion | Request erasure of data (subject to legal bases) | 15 days |
| Portability | Receive data in a structured, machine-readable format | 15 days |
| Objection | Object to processing based on legitimate interest | 15 days |
Requests are received by the DPO and fulfilled with support from the responsible tech team.
Data breach notification
Under LGPD, a breach involving personal data must be reported:
- Internally to the DPO immediately upon discovery
- To the ANPD and affected individuals within 72 hours, if the breach poses a significant risk
See Incident Response for the full process.
DPO contact
See Contacts for DPO contact details.