Brazil LGPD Cloud Compliance - Lei Geral de Proteção de Dados Guide
Brazil's Lei Geral de Proteção de Dados (LGPD) mirrors GDPR in scope and structure, applying to any organisation that processes personal data of individuals located in Brazil. The Banco Central do Brasil (BACEN) additionally imposes data localisation requirements on the Brazilian financial sector. For enterprises operating in Brazil, cloud infrastructure must be designed with both frameworks in mind.
Regulation: Brazil LGPD
Authority: Autoridade Nacional de Proteção de Dados (ANPD)
In effect: August 2020
Who this regulation applies to
Any organisation that processes personal data of individuals located in Brazil, regardless of the organisation's headquarters.
Enforced by: Autoridade Nacional de Proteção de Dados (ANPD) and the Banco Central do Brasil (BACEN)
Key requirements - and how Gewape Cloud Infrastructure addresses them
What the Brazil LGPD mandates, and the specific infrastructure controls Gewape Cloud Infrastructure provides in response.
Legal bases for processing and purpose limitation
The LGPD requires a defined legal basis for each processing activity. Cloud configurations must support purpose limitation - data processed for one function must not be accessible for unrelated purposes.
How Gewape Cloud addresses this
Gewape Cloud's tenant architecture provides granular access controls and network segmentation. Your data environment is isolated by design, supporting LGPD purpose limitation requirements.
International data transfer restrictions
The LGPD restricts transfer of personal data to countries without adequate data protection, unless approved mechanisms are in place. BACEN requires that certain financial data be stored and processed within Brazil.
How Gewape Cloud addresses this
For Brazil private cloud engagements, Gewape Cloud Infrastructure scopes dedicated in-country infrastructure so Brazilian data residency, backup location, support access, and compliance evidence can be documented for ANPD and BACEN review.
Security measures and incident response
Data controllers and processors must adopt technical and organisational security measures to protect personal data. The ANPD expects documented security controls and incident response procedures.
How Gewape Cloud addresses this
Gewape Cloud Infrastructure scopes Brazil private cloud environments around encryption, TLS, RBAC, MFA, DDoS protection, and security monitoring. Security documentation is prepared during procurement and customer review.
Data Processing Agreements with operators
When a controller engages a processor (operator) to process personal data, the LGPD requires a written agreement. The agreement must bind the processor to processing only as instructed and to maintaining adequate security measures.
How Gewape Cloud addresses this
Gewape Cloud Infrastructure provides an LGPD-aligned Data Processing Agreement for enterprise customers. It is available for review during procurement under NDA.
Ready to start your Brazil LGPD compliance review?
Our team works with regulated enterprises through their cloud procurement and compliance process. We provide the documentation, contractual terms, and infrastructure evidence you need.