Every time you open a financial app, complete an online purchase, or register for a digital service in Brazil, your personal data is being collected, processed, and stored. The entity doing this has legal obligations toward you — obligations established by one of the most important laws in Brazil's recent history.

The LGPD — Lei Geral de Proteção de Dados Pessoais (General Personal Data Protection Law) — came into full force in September 2020 and fundamentally changed the relationship between organizations and the individuals whose data they handle.
Yet despite its importance, most Brazilian consumers have only a vague awareness of what the LGPD actually requires and, crucially, what rights it gives them. This article explains the law in clear, practical terms — what it covers, what it does not cover, what legal bases allow companies to process your data, and what you can do when your rights are violated.
The LGPD (Law 13,709/2018) is Brazil's comprehensive data protection legislation. It establishes rules for how organizations — public and private — must collect, store, use, share, and delete personal data belonging to individuals located in Brazil.
The law was inspired by Europe's General Data Protection Regulation (GDPR) and shares many of its core principles, while being adapted to Brazil's specific legal and economic context.
The LGPD is enforced by the ANPD (Autoridade Nacional de Proteção de Dados), Brazil's data protection authority, which has the power to investigate complaints, impose fines of up to 2% of revenue (capped at R$50 million per violation), and require organizations to change their data practices.
The first critical point is the definition itself: personal data is any information that identifies a natural person or makes one identifiable.
This definition is deliberately broad. It includes:
The LGPD also establishes a special category of sensitive personal data, which receives heightened protection:
The key insight — and one that surprises many people — is that data does not need to be secret or confidential to be protected by the LGPD. Even publicly available information must be processed in compliance with the law's requirements.
One of the LGPD's most important contributions is establishing that companies cannot process your data simply because they want to. Every processing activity must have a legal basis — a specific legitimate reason defined by the law.
There are 10 legal bases in total. These are the most relevant for consumers interacting with financial and payment services:
The company asks for your explicit, informed, specific agreement to process your data for a defined purpose. Consent must be freely given — it cannot be a condition for accessing a service unless the processing is strictly necessary.
Important: You can withdraw consent at any time. The company must make this easy to do.
The company has a legitimate business interest in processing your data that does not override your rights and freedoms. This basis requires careful balancing — the company must demonstrate that its interest is real and proportionate, and that it has considered the impact on you.
Your data can be processed when it is necessary to fulfill a contract you have with the company, or to take steps before entering into one (such as a credit assessment).
When processing is required to comply with a legal duty — for example, anti-money laundering regulations that require financial institutions to identify their customers — your consent is not needed.
Data can be processed when necessary for a company to exercise or defend legal claims.
In genuine emergencies where life is at risk, data may be processed without consent.
The practical implication: When a payment institution processes your CPF, transaction history, or biometric data for KYC compliance or regulatory reporting, it typically operates under the legal obligation basis — not consent. This means your preference not to have this data processed does not prevent the processing from occurring. The law recognizes that certain public interests — preventing financial crime, protecting the financial system — outweigh individual data preferences in specific circumstances.
The LGPD grants every individual in Brazil nine specific rights regarding their personal data. These are enforceable against any organization subject to the law:
You have the right to know whether a company holds personal data about you and to access that data in full.
How to exercise it: Submit a formal data access request to the company's Data Protection Officer (DPO) or designated channel.
You can require a company to correct incomplete, inaccurate, or outdated personal data.
You can request that unnecessary, excessive, or unlawfully processed data be anonymized, blocked, or deleted.
Important limitation: This right does not apply when the data is being processed under a legal obligation basis — for example, data retained for regulatory compliance cannot be deleted simply because you request it.
You can request that your personal data be transferred to another service provider in a structured, machine-readable format. This is particularly relevant in Brazil's Open Finance context.
You have the right to know which third parties your data has been shared with, and why.
Before giving consent, you have the right to be informed about what will happen to your data if you do not consent — and what the consequences of consenting are.
When processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
You can object to processing carried out under the legitimate interest basis if you believe your rights and freedoms override the company's interest.
When a significant decision affecting you (credit approval, fraud flagging, account blocking) is made solely through automated processing, you have the right to request human review.
Payment institutions — including digital banks, payment processors, and fintech platforms — are among the most data-intensive organizations subject to the LGPD. They collect and process:
Under the LGPD, these institutions must:
Appoint a Data Protection Officer (DPO) responsible for overseeing compliance and serving as the point of contact for data subject requests and the ANPD.
Maintain records of processing activities documenting what data is processed, for what purpose, on which legal basis, and for how long.
Implement appropriate security measures to protect personal data against unauthorized access, accidental loss, or destruction. The BACEN (Banco Central do Brasil) has issued its own cybersecurity resolution (Resolution 4,893/2021) that establishes additional security requirements for payment institutions.
Notify the ANPD and affected individuals in the event of a data breach that poses risk to data subjects — within a reasonable timeframe (ANPD guidelines suggest 72 hours for critical incidents).
Honor data subject rights requests within 15 days of receipt.
If a company fails to respond to your data rights request, refuses to delete data without legitimate grounds, shares your data without authorization, or suffers a breach that affects you:
Step 1 — Contact the company directly. Use the official DPO or data protection channel listed in their privacy policy. Document your request with date, content, and any response received.
Step 2 — Escalate to the ANPD. File a complaint at gov.br/anpd. The ANPD accepts complaints from individuals and has the authority to investigate and sanction non-compliant organizations.
Step 3 — Consider legal action. The LGPD explicitly states that data subjects may seek compensation for material and moral damages resulting from violations. Individual claims and class actions are both legally available.
Step 4 — Report financial institution violations to BACEN. For payment-specific violations — particularly those related to KYC data, financial transaction data, or cybersecurity — the Banco Central is an additional relevant authority.
The LGPD is not just a compliance framework — it is an architecture of trust. By establishing clear rules for how personal data must be handled, it creates the conditions under which consumers can engage with digital financial services with confidence.
For the millions of Brazilians who have entered the digital financial system through Pix, digital wallets, and fintech apps in recent years, knowing that their data is protected by law — and that they have enforceable rights when that protection fails — is foundational to continued participation.
Institutions that treat LGPD compliance as a genuine commitment rather than a checklist contribute to this trust. Those that treat it as a box to tick undermine it.
The LGPD gives Brazilian consumers real, enforceable rights over their personal data — including in the financial services context where that data is most sensitive and most consequential.
Understanding these rights is not just academic. It is a practical tool for navigating the digital economy more safely, holding institutions accountable when they fall short, and making informed decisions about who deserves your data — and your trust.
OneKey Payments is fully compliant with Brazil's LGPD, maintaining documented data processing records, a designated DPO, robust security standards aligned with BACEN Resolution 4,893/2021, and transparent privacy policies across all operations.