LGPD Data Subject Rights: A Comprehensive List of Individual Rights

Table of Contents

If you are in Brazil, you should know about LGPD data subject rights. These rights tell you how to handle customers’ personal data. This article will explain all these rights in a simple way. We’ll look at what each right means for businesses and for you.

Whether you run a business or just want to know how your data is used, this guide will help. Keep reading to learn about the rules that help protect consumers’ data in Brazil.

Let’s dive right in.

Key Takeaways

The LGPD is a big deal in Brazil for keeping your personal data safe. Businesses need to follow these rules, or they could face fines, lose customers, and more.

Customers have rights under the LGPD, like being able to see your data and asking businesses to fix or delete it. Knowing these rights helps customers take control of their data.

While there are some exemptions to the LGPD, businesses still have a big job to keep customer data safe and private.

What is the LGPD?

What is the LGPD (1).png

What is the LGPD (1).png

The LGPD stands for Lei Geral de Proteção de Dados, also known as Brazilian LGPD law.

In English, that means General Data Protection Law. It’s a Brazilian law that helps keep customers’ personal data safe. The law ensures that businesses follow the rules when they collect and use your data.

Just like you wouldn’t want strangers snooping around your home, you shouldn’t be messing around with customer data, either. The LGPD helps make sure that doesn’t happen.

So why does the LGPD matter? Well, in today’s world, data is everywhere. When you shop online, use social media, or even sign up for a newsletter, businesses collect your data. The LGPD sets rules on how they can do this.

LGPD is different from the GDPR, which is another set of data rules for the EU. Both have the same goal, to protect data. But they go about it in slightly different ways. For example, LGPD has different fines and rules for businesses.

Who Does the LGPD Apply to?

The LGPD applies to any business that collects or uses the data of people in Brazil. This means that even if a business is not located in Brazil, it must follow the LGPD if they have Brazilian customers.

If you are a person living in Brazil or if you buy things from a business in Brazil, this law protects you. This is why data protection officers in businesses and the National Data Protection Authority in Brazil work hard to make sure businesses follow the law.

LGPD Data Subject Rights

LGPD Data Subject Rights.png

LGPD Data Subject Rights.png

Let’s dig into the main topic: LGPD data subject rights. These are the rights that every Brazillian has under the LGPD. They help customers take control of their personal data. Businesses need to know these rights, too. That’s because they must follow the rules when they’re processing your data. If they don’t, you could get into big trouble:

Right to Confirm and Access

This is a customer’s right to access all the data your business has on them. For example, if they use your online shopping site, they can request information about their stored data. As businesses, you are required by law (the LGPD) to provide this information promptly upon request.

Right to Correct

Have customers ever filled out a form and made a mistake? Under the LGPD, they are given the authority to correct these errors. This provision implies that, as a business, you must provide an avenue for your customers to fix any inaccuracies in their data profile and ensure updates on your records correctly reflect these changes.

Right to Delete

If a customer chooses to discontinue using your services or platform, the LGPD grants them the power to insist that you delete all data associated with their profile. As businesses operating under these guidelines, you are obligated to comply and remove such designated information promptly. This is also known as the “right to be forgotten.”

Right to Portability

This right allows customers access to personal functional data, which they can transfer from one business entity (like yours) directly to another business of their choice. Your responsibility as a business is not only to allow for this smooth transition of data but also to ensure that it happens securely, with little to no risk of a breach.

The LGPD mandates that you ask your customers’ permission before gathering any sensitive personal information. As a business operator, you must make sure all consent requests are unambiguous and asked clearly whenever you intend to process data.

Right to Information

You have the right to know how businesses are using your data and who has their data. They have to tell you what they’re doing with it and why. This is important for corporate compliance and for keeping the trust of the people who use their services.

Right to Object

If a customer disagrees with how you use their data, they have every right under the LGPD to demand that your business discontinue this use. Consumers also have the right to revoke consent.

You must respect these objections as a business responsible for managing and processing customers’ personal data.

Businesses usually have a data protection officer to make sure they follow these rights. They often use data protection compliance services and compliance solutions to help them out. Sometimes, businesses might outsource compliance tasks to experts.

Other Data Subject Rights

Now that we’ve covered the main LGPD Data Subject Rights let’s look at some other rights your business must comply with.

These may not be discussed as much, but they’re still super important. Brazilian law has some extra protections for customers. Understanding these rights is part of a strong compliance plan:

Right to DPO Contact Information

The Data Protection Officer (DPO) is a person who makes sure a business follows data rules. Customers have the right to know who this person is and how to talk to them. You must make this info easy to find. It’s part of their data protection compliance services.

Right to File Complaints

If you think a business isn’t treating your data right, customers should be able to file a complaint. Customers should send this complaint to the National Data Protection Authority. They’re the ones who make sure businesses follow the LGPD. It’s important to avoid these complaints by sticking to compliance solutions.

Notification of Data Breaches

If your business experiences an issue and customer data is compromised, alerting the affected individuals is necessary. This process is known as a data breach notification. Your business must promptly notify customers so they can take steps toward safeguarding themselves.

Right to Be Forgotten (Good Practice)

Though the ‘right to be forgotten’ isn’t directly stated in the LGPD, it still remains a good practice. This means customers can request their data if they no longer wish for you to possess it. A large number of businesses adhere to this rule as it is part of the GDPR, another key legislation on data protection.

These extra rights help customers stay in control of their data. They also guide businesses in building a strong compliance training program. By knowing all these rights, both you and businesses can benefit. It makes sure everyone is following the rules.

What Are the LGPD Exemptions?

Let’s talk about something else you might be wondering: Are there any times when the LGPD rules don’t apply? Yes, there are some exemptions. An exemption means a business doesn’t have to follow all the LGPD rules for certain kinds of data processing. Understanding these exemptions is really important for corporate compliance.

One example of an exemption is for public safety. Let’s say the police need to look at some data to solve a crime. In this case, they might not have to follow all the LGPD rules. Another example is for scientific research. Sometimes, researchers need to use your data to study things like diseases.

But they still have to keep your sensitive personal data safe. Also, if you give your data to a business for a very specific reason, that’s another exemption. Like when you go to a doctor and give them your health information. 

They don’t have to ask your permission every time they use it to help treat you. They still need to keep your sensitive data safe from data breaches.

National Data Protection Authority checks to make sure these exemptions are used correctly. They can even fine businesses if they misuse an exemption. So it’s crucial for businesses to understand these exceptions as part of their compliance plan.

So, while there are some times when the LGPD rules don’t fully apply, these exemptions are not a free pass for businesses. They still have a big responsibility to protect your data in these special cases.

What Happens if You Aren’t Compliant with the LGPD?

What Happens if You Aren’t Compliant with the LGPD.png

What Happens if You Aren’t Compliant with the LGPD.png

Well, it’s not good news if you aren’t compliant with the LGPD. The National Data Protection Authority is like a watchdog. They keep an eye on businesses to make sure you are doing things right with your data. If they catch a business breaking the rules, there are penalties.

First, there are fines. A business could get fined a lot of money for not following LGPD rules. These fines can be really big, amounting to up to 50 million Brazilian reais per violation ($10 million or €9.3 million). 

This is why compliance services and having a data protection officer are so important for businesses.

Then there are other problems, like a bad reputation. Imagine you hear that a store you like was not keeping customer data safe. You’d probably think twice before shopping there again, right? A bad reputation can make your customers leave and go somewhere else.

Also, in extreme cases, people who run the business might even face criminal charges. This could happen if they misuse sensitive personal data or cause a data breach on purpose. Legal troubles like this can really hurt a business and the people who run it.


By now, you should have a good idea of what LGPD data subject rights are and why they matter to you and your business. Whether you’re someone who wants to know how your data is handled, or a business striving for corporate compliance, understanding LGPD is crucial. 

So, what’s your next step? If you’re a business, consider making LGPD compliance a top priority. This is where Captain Compliance can help. We offer compliance solutions and compliance training programs tailored to LGPD rules.

With the help of our experienced privacy professionals, you can be sure your business stays on the right side of the law. You’ll not only avoid hefty fines but also build trust with your customers, a win-win for everyone.

From data protection compliance services to help you understand your exemptions, reach out today because we are your go-to resource for all things LGPD.


What is the LGPD?

The LGPD stands for Lei Geral de Proteção de Dados or General Data Protection Law in English. It’s a law in Brazil that makes sure businesses handle your personal data carefully.

Here’s our article comparing Brazil’s LGPD and GDPR.

Who is the Data Protection Officer (DPO)?

The DPO is a special person in a business who makes sure the business follows all the LGPD rules. This person helps the business stay compliant and helps you understand your rights.

Curious about the role of a Data Protection Officer? Learn more here.

What is a Data Breach?

A data breach happens when someone gets unauthorized access to your data. If this happens, the business has to notify you quickly so you can take steps to protect yourself.

Worried about data breaches? Read our guide.

Are There Any Exemptions to the LGPD?

Yes, there are some special cases where businesses don’t have to follow all the LGPD rules. But even with these exemptions, they still have to handle your sensitive personal data carefully.

Learn more about the LGPD law here!

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a free 30-day trial now.