BR

Brazil LGPD — Automated Decision-Making Provisions: AI Compliance Requirements

Brazil's Lei Geral de Proteção de Dados (LGPD, Law 13,709/2018) has been in force since September 18, 2020. Article 20 grants data subjects the right to request human review of any decision made solely on automated processing — including AI decisions — that affects them (profiling, scoring, creditworthiness, hiring, health assessments). Controllers must disclose the criteria and procedures used. The ANPD (National Data Protection Authority) enforces the LGPD with fines up to 2% of the company's revenue in Brazil, capped at R$50 million per violation. A comprehensive AI Bill (PL 2338/2023) passed the Senate in December 2024 and is pending final enactment.

Check your compliance — freeDownload checklist

Key Facts

Effective Date

September 18, 2020

Maximum Penalty

2% of revenue in Brazil per violation, up to R$50,000,000 (approximately USD $10M); additional fines possible under AI Bill when enacted

What Your Business Must Do

3 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.

Automated Decision-Making Disclosure (LGPD Article 20)

Critical

When AI systems are used to make automated decisions that affect Brazilian data subjects (scoring, profiling, credit decisions, employment screening, health assessments, etc.): (1) Disclose that automated processing is used. (2) Explain the criteria and logic of the automated decision when requested. (3) Provide a mechanism for data subjects to request human review of any automated decision that significantly affects them.

Privacy Policy — AI and Automated Processing Section

High Priority

Update your privacy policy and data processing records to clearly describe: all AI systems that process personal data of Brazilian residents, the legal basis for each processing activity, and the automated decision-making processes that could significantly affect individuals.

Data Protection Officer — AI Oversight

Medium Priority

If required by LGPD (companies processing large amounts of personal data), ensure your DPO (Encarregado) is informed about and overseeing all AI systems that process personal data. Document this oversight for ANPD accountability purposes.

Frequently Asked Questions

Does Brazil LGPD — Automated Decision-Making Provisions apply to my business?

Brazil's Lei Geral de Proteção de Dados (LGPD, Law 13,709/2018) has been in force since September 18, 2020. Article 20 grants data subjects the right to request human review of any decision made solely on automated processing — including AI decisions. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.

What is the penalty for non-compliance?

The maximum penalty under Brazil LGPD — Automated Decision-Making Provisions is: 2% of revenue in Brazil per violation, up to R$50,000,000 (approximately USD $10M); additional fines possible under AI Bill when enacted. Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.

How do I comply with Brazil LGPD — Automated Decision-Making Provisions?

The 3 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.

Official Source

https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm

Last updated: 2026-04-12 — verify at source before relying on this information.

Don't leave compliance to chance

ComplianceIQ scans your AI tools, tells you exactly which regulations apply, and generates all required documents — in 30 minutes.

Start your free compliance scan