bmad-plus 0.8.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (213) hide show
  1. package/CHANGELOG.md +45 -1
  2. package/LICENSE +21 -21
  3. package/README.md +107 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +18 -5
  24. package/readme-international/README.es.md +40 -12
  25. package/readme-international/README.fr.md +36 -8
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/bmad-plus-npx.js +3 -5
  180. package/tools/cli/bmad-plus-cli.js +5 -3
  181. package/tools/cli/commands/autoconfig.js +18 -61
  182. package/tools/cli/commands/doctor.js +30 -31
  183. package/tools/cli/commands/install.js +33 -343
  184. package/tools/cli/commands/memory.js +1 -0
  185. package/tools/cli/commands/scan.js +61 -74
  186. package/tools/cli/commands/uninstall.js +7 -4
  187. package/tools/cli/commands/update.js +15 -72
  188. package/tools/cli/i18n.js +92 -10
  189. package/tools/cli/lib/ide-config.js +259 -0
  190. package/tools/cli/lib/memory-init.js +113 -0
  191. package/tools/cli/lib/pack-copy.js +84 -0
  192. package/tools/cli/lib/packs.js +114 -0
  193. package/tools/cli/lib/stack-detect.js +102 -0
  194. package/tools/cli/lib/validate.js +45 -0
  195. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +0 -325
  196. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +0 -55
  197. package/src/bmad-plus/agents/pack-backup/backup-agent.md +0 -71
  198. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +0 -51
  199. package/src/bmad-plus/agents/pack-seo/SKILL.md +0 -171
  200. package/src/bmad-plus/agents/pack-seo/checklist.md +0 -140
  201. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +0 -320
  202. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +0 -187
  203. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +0 -87
  204. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +0 -123
  205. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +0 -167
  206. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +0 -153
  207. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +0 -133
  208. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +0 -91
  209. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +0 -356
  210. package/src/bmad-plus/agents/pack-seo/seo-chief.md +0 -294
  211. package/src/bmad-plus/agents/pack-seo/seo-judge.md +0 -241
  212. package/src/bmad-plus/agents/pack-seo/seo-scout.md +0 -171
  213. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +0 -241
@@ -1,271 +1,271 @@
1
- # LGPD Article-by-Article Reference
2
-
3
- ## Law No. 13,709/2018 — Lei Geral de Proteção de Dados Pessoais (LGPD)
4
- *As amended by Law No. 13,853/2019 and subsequent ANPD resolutions*
5
-
6
- ---
7
-
8
- ## Chapter I — General Provisions (Arts. 1–10)
9
-
10
- ### Art. 1 — Purpose
11
- Establishes rules for processing personal data in Brazil to protect fundamental rights of freedom, privacy, and free development of personality.
12
-
13
- ### Art. 2 — Foundations
14
- LGPD is based on: respect for privacy; informational self-determination; freedom of expression, information, communication, and opinion; inviolability of honour and image; economic and technological development and innovation; free enterprise; consumer protection; human rights, free development of personality, dignity, and exercise of citizenship.
15
-
16
- ### Art. 3 — Scope
17
- Applies to processing in Brazil; offers/provision to individuals in Brazil; data collected in Brazil. Extraterritorial application to controllers and processors outside Brazil.
18
-
19
- ### Art. 4 — Exemptions
20
- Does not apply to: personal/household use; journalistic/artistic/academic (with Art. 7 basis); national security, defence, public safety, criminal investigation by public entities; data from outside Brazil with no communication to Brazilian agents.
21
-
22
- ### Art. 5 — Definitions
23
- Key terms:
24
- - **Personal data:** Information related to identified or identifiable natural person
25
- - **Sensitive personal data:** Racial/ethnic origin, religious belief, political opinion, union membership, religion, health or sex life data, genetic/biometric data
26
- - **Anonymised data:** Data not identifiable by reasonable means (not personal data)
27
- - **Data subject (titular):** Natural person to whom data relates
28
- - **Controller (controlador):** Natural or legal person who determines purposes/means of processing
29
- - **Processor (operador):** Natural or legal person who processes on behalf of controller
30
- - **DPO / Encarregado:** Person designated by controller to be contact point with data subjects and ANPD
31
- - **Processing:** Any operation on personal data (collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, modification, communication, transfer, diffusion, extraction)
32
- - **Consent (consentimento):** Free, informed, unambiguous expression of agreement for specific purpose
33
- - **Blocking (bloqueio):** Temporary suspension of any processing pending review
34
- - **Anonymisation:** Technical processes making data unable to identify person
35
- - **Pseudonymisation:** Processing removing identifiability with use of additional information
36
- - **International data transfer:** Transfer to foreign country or international organisation
37
-
38
- ### Art. 6 — Principles (10)
39
- Purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, accountability.
40
-
41
- ### Art. 7 — Legal Bases (regular personal data — 10)
42
- I. Consent; II. Legal obligation; III. Public policy by public entity; IV. Research; V. Contract; VI. Exercise of rights in proceedings; VII. Vital interests; VIII. Health protection; IX. Legitimate interest; X. Credit protection.
43
-
44
- ### Art. 8 — Consent Requirements
45
- Must be in written or equivalent digital form; burden of proof on controller; may be revoked free of charge at any time; cannot be generic; bundled consents for unrelated processing invalid; cannot condition service on consent unless necessary.
46
-
47
- ### Art. 9 — Transparency
48
- Data subjects have right to easy/free access to information about: purposes, duration, identity of controller, DPO contact, shared data and recipients, data subjects' rights.
49
-
50
- ### Art. 10 — Legitimate Interest (LI)
51
- LI can only justify processing if: does not prevail over fundamental rights of data subject; limited to legitimate, specific purposes; data subject has a reasonable expectation. Controller must conduct LI assessment (balancing test). Sensitive data cannot use LI.
52
-
53
- ---
54
-
55
- ## Chapter II — Processing of Sensitive Data & Children's Data (Arts. 11–14)
56
-
57
- ### Art. 11 — Sensitive Data Processing
58
- Only permitted when:
59
- - Express and specific consent from data subject
60
- - Legal obligation
61
- - Shared by controller to comply with public policy
62
- - Studies by research bodies (anonymised)
63
- - Exercise of rights in proceedings
64
- - Protection of life/physical safety
65
- - Health care professionals/services
66
- - Prevention of fraud/safety of data subject
67
- - Protection of credit (LI prohibited for sensitive data)
68
-
69
- ### Art. 12 — Anonymised Data
70
- Anonymised data is not personal data. Risk of re-identification must be considered in context.
71
-
72
- ### Art. 13 — Research
73
- Processing for research permitted; anonymisation preferred; security measures must be adopted; results must be published in anonymised form.
74
-
75
- ### Art. 14 — Children's and Adolescents' Data
76
- Processing requires: specific and highlighted consent from parent/guardian; data collected only as necessary; no sharing with third parties without consent; best interests of children prioritised. Controllers must verify parental consent in reasonable manner.
77
-
78
- ---
79
-
80
- ## Chapter III — Data Subject Rights (Arts. 17–22)
81
-
82
- ### Art. 17 — Right of Ownership
83
- Every natural person has ownership of their personal data and guaranteed fundamental rights.
84
-
85
- ### Art. 18 — Rights List
86
- Data subjects may request from controller at any time:
87
- - **I** — Confirmation of processing
88
- - **II** — Access to data
89
- - **III** — Correction (inaccurate/incomplete/outdated)
90
- - **IV** — Anonymisation, blocking, or deletion of unnecessary/excessive/non-compliant data
91
- - **V** — Portability to another provider (ANPD to define format)
92
- - **VI** — Deletion of consent-based data (unless Art. 16 retention exception applies)
93
- - **VII** — Information about public/private entities with whom data was shared
94
- - **VIII** — Information about possibility of not providing consent and consequences
95
- - **IX** — Revocation of consent (Art. 8)
96
-
97
- Controller must respond: immediately (simplified); within 15 days (full access report); without undue delay (corrections/deletions).
98
-
99
- ### Art. 19 — Response Format
100
- Simplified response or through a complete declaration within 15 days from data subject's request. Must be free of charge.
101
-
102
- ### Art. 20 — Automated Decisions
103
- Data subject may request review of decisions made solely by automated processing (profiling, credit assessment, etc.). Controller must provide clear and adequate information about criteria and procedures. Human review must be available on request.
104
-
105
- ### Art. 21 — Protected Data
106
- Data subject data used to exercise rights cannot be used against the data subject.
107
-
108
- ### Art. 22 — Defence of Interests
109
- Rights may be exercised via consumer protection entities, agencies, ANPD, or judicially.
110
-
111
- ---
112
-
113
- ## Chapter IV — Processing by Public Entities (Arts. 23–32)
114
-
115
- ### Art. 23
116
- Public entities may process personal data for public interest; must inform purpose and necessity; cannot transfer to private entities except for specific Art. 26 reasons.
117
-
118
- ### Art. 26
119
- Sharing with private sector only where: indispensable for service delivery; for regulatory purpose; or research (anonymised).
120
-
121
- ### Art. 27
122
- International transfers by public entities for international cooperation: follow applicable treaties and ANPD guidance.
123
-
124
- ---
125
-
126
- ## Chapter V — International Transfer (Arts. 33–36)
127
-
128
- ### Art. 33 — Transfer Mechanisms
129
- Personal data may only transfer internationally to:
130
- - Countries/org with adequate protection (ANPD adequacy decision)
131
- - Agreements/standard contractual clauses (Art. 35)
132
- - Binding corporate rules (BCRs) — Art. 35, I
133
- - Specific consent for the transfer — Art. 33, VIII
134
- - ANPD authorisation — Art. 33, IX
135
-
136
- ### Art. 34 — Adequacy Assessment
137
- ANPD evaluates: rule of law; protection of human rights; independence of supervisory body; effective remedies; reciprocity; international conventions ratified by Brazil.
138
-
139
- ### Art. 35 — Contractual Clauses and BCRs
140
- Specific or standard contractual clauses must provide adequate protection level. BCRs authorised by ANPD. ANPD may publish standard contractual clauses (not yet done as of 2025).
141
-
142
- ### Art. 36 — Complementary Transfers
143
- Even where Art. 33 applies, ANPD may impose additional requirements for sensitive data or large-scale transfers.
144
-
145
- ---
146
-
147
- ## Chapter VI — Controllers and Processors (Arts. 37–45)
148
-
149
- ### Art. 37 — Record of Processing Activities (RoPA)
150
- Controllers and processors must maintain RoPA. ANPD may require disclosure. ANPD Resolution No. 2/2022 made RoPA mandatory for agents that: process data at large scale; are public authorities; or process sensitive data.
151
-
152
- ### Art. 38 — DPIA / RIPD (Relatório de Impacto à Proteção de Dados)
153
- ANPD may require DPIA for high-risk processing. Content defined by ANPD. Must be considered by the controller before processing begins.
154
-
155
- ### Art. 39 — Processor Instructions
156
- Processors must act per controller instructions. Processors may only act independently if legally required.
157
-
158
- ### Art. 40 — Standards
159
- ANPD may establish operational standards for controllers and processors.
160
-
161
- ### Art. 41 — DPO (Encarregado)
162
- Controllers must appoint a DPO. DPO must:
163
- - Receive complaints and communications from data subjects
164
- - Communicate with data subjects and ANPD
165
- - Guide internal employees and contractors
166
- - Perform other tasks as defined by controller or ANPD
167
-
168
- Controller must publish DPO identity and contact. ANPD may exempt certain controllers (ANPD Resolution No. 2/2022 exempts small/micro companies with limited scope).
169
-
170
- ### Art. 42 — Liability
171
- Controllers or processors causing damage by LGPD violation are liable to repair (individual or collective). Joint/several liability where multiple parties involved.
172
-
173
- ### Art. 43 — Exemptions
174
- Exempt if: did not carry out processing; processing not at fault; damage caused exclusively by data subject or third party.
175
-
176
- ### Art. 44 — Irregular Processing
177
- Processing irregular if: does not comply with law or security regulations; does not achieve stated purpose; does not meet transparency/security/data quality obligations.
178
-
179
- ### Art. 45 — Consumer Code
180
- Processing subject to LGPD does not exclude application of Consumer Protection Code where applicable.
181
-
182
- ---
183
-
184
- ## Chapter VII — Security, Good Practices, and Governance (Arts. 46–51)
185
-
186
- ### Art. 46 — Security Measures
187
- Technical and administrative security measures proportional to risk must be adopted by controllers and processors. ANPD may define minimum standards.
188
-
189
- ### Art. 47 — Internal Practices
190
- Agents must adopt policies, procedures, and governance mechanisms to: demonstrate effective compliance; implement data subject rights; assess effectiveness of measures; mitigate risks.
191
-
192
- ### Art. 48 — Incident Notification
193
- Security incidents that may cause relevant risk or harm to data subjects must be notified to ANPD and data subjects:
194
- - **Preliminary notification:** 3 working days from awareness (ANPD Resolution CD/ANPD No. 15/2024)
195
- - **Full report:** Within 20 working days
196
- - Must include: nature of data; number of affected subjects; technical measures taken/planned; risks of incident; reasons for delay (if any)
197
-
198
- ### Art. 49 — System Design
199
- Systems must be designed with security measures from conception (privacy by design) and default settings protective of privacy.
200
-
201
- ### Art. 50 — Good Practices
202
- Controllers and processors may develop good practice programmes; ANPD may accredit entities to manage complaints and promote standards.
203
-
204
- ### Art. 51 — National Strategy
205
- National data protection strategy for government entities.
206
-
207
- ---
208
-
209
- ## Chapter VIII — ANPD (Arts. 55-A to 55-L)
210
-
211
- ### Art. 55-A
212
- ANPD is a federal government body with technical autonomy, own budget, and decision-making authority. Part of the Presidency.
213
-
214
- ### Art. 55-J — ANPD Competencies
215
- - Issue regulations and guidance
216
- - Conduct inspections and audits
217
- - Apply administrative sanctions
218
- - Promote knowledge of LGPD
219
- - Cooperate with data protection authorities internationally
220
- - Require DPIAs
221
- - Define standards for international transfer mechanisms
222
-
223
- ---
224
-
225
- ## Chapter IX — Administrative Sanctions (Arts. 52–54)
226
-
227
- ### Art. 52 — Sanctions
228
- ANPD may apply (after investigation and opportunity to respond):
229
- | Sanction | Details |
230
- |----------|---------|
231
- | Warning | With deadline to adopt corrective measures |
232
- | Simple fine | Up to 2% of revenue in Brazil (previous FY); group cap R$50M per violation |
233
- | Daily fine | To compel compliance; same cap |
234
- | Publicisation | Public disclosure of violation after completion of investigation |
235
- | Blocking | Temporary blocking of personal data involved |
236
- | Deletion | Erasure of personal data related to violation |
237
- | Suspension | Partial suspension of processing up to 6 months (renewable once) |
238
- | Prohibition | Total prohibition of personal data processing activities |
239
-
240
- ### Art. 52, §1º — Aggravating/Mitigating Factors
241
- Gravity; intent; recurrence; good faith; cooperation; financial advantage; vulnerability of data subjects; internal controls; timely adoption of corrective measures; proportionality.
242
-
243
- ### Art. 53 — Financial Sanctions Methodology
244
- ANPD to define criteria for calculating fines, including: nature of violation; controller size; number of data subjects; economic advantage.
245
-
246
- ### Art. 54 — Statute of Limitations
247
- Administrative violations time-bar after 5 years. Count from date ANPD becomes aware of violation.
248
-
249
- ---
250
-
251
- ## Key ANPD Resolutions (as of 2025)
252
-
253
- | Resolution | Subject |
254
- |-----------|---------|
255
- | CD/ANPD No. 1/2021 | Internal regulation of ANPD |
256
- | CD/ANPD No. 2/2022 | RoPA requirements; DPO exemptions for small entities |
257
- | CD/ANPD No. 4/2023 | Simplified LGPD applicability for micro/small enterprises |
258
- | CD/ANPD No. 15/2024 | Security incident notification — 3 working day preliminary requirement |
259
- | Normative Instruction No. 1/2021 | DPO reporting requirements |
260
-
261
- ---
262
-
263
- ## LGPD Timeline
264
- | Date | Event |
265
- |------|-------|
266
- | 14 Aug 2018 | Law 13,709/2018 signed |
267
- | 9 Jul 2019 | Law 13,853/2019 — created ANPD, amended provisions |
268
- | 18 Sep 2020 | LGPD entered into force (except sanctions) |
269
- | 1 Aug 2021 | Administrative sanctions entered into force |
270
- | 2022 | ANPD Resolution No. 2 — RoPA/DPO rules |
271
- | 2024 | ANPD Resolution No. 15 — 3-day breach notification |
1
+ # LGPD Article-by-Article Reference
2
+
3
+ ## Law No. 13,709/2018 — Lei Geral de Proteção de Dados Pessoais (LGPD)
4
+ *As amended by Law No. 13,853/2019 and subsequent ANPD resolutions*
5
+
6
+ ---
7
+
8
+ ## Chapter I — General Provisions (Arts. 1–10)
9
+
10
+ ### Art. 1 — Purpose
11
+ Establishes rules for processing personal data in Brazil to protect fundamental rights of freedom, privacy, and free development of personality.
12
+
13
+ ### Art. 2 — Foundations
14
+ LGPD is based on: respect for privacy; informational self-determination; freedom of expression, information, communication, and opinion; inviolability of honour and image; economic and technological development and innovation; free enterprise; consumer protection; human rights, free development of personality, dignity, and exercise of citizenship.
15
+
16
+ ### Art. 3 — Scope
17
+ Applies to processing in Brazil; offers/provision to individuals in Brazil; data collected in Brazil. Extraterritorial application to controllers and processors outside Brazil.
18
+
19
+ ### Art. 4 — Exemptions
20
+ Does not apply to: personal/household use; journalistic/artistic/academic (with Art. 7 basis); national security, defence, public safety, criminal investigation by public entities; data from outside Brazil with no communication to Brazilian agents.
21
+
22
+ ### Art. 5 — Definitions
23
+ Key terms:
24
+ - **Personal data:** Information related to identified or identifiable natural person
25
+ - **Sensitive personal data:** Racial/ethnic origin, religious belief, political opinion, union membership, religion, health or sex life data, genetic/biometric data
26
+ - **Anonymised data:** Data not identifiable by reasonable means (not personal data)
27
+ - **Data subject (titular):** Natural person to whom data relates
28
+ - **Controller (controlador):** Natural or legal person who determines purposes/means of processing
29
+ - **Processor (operador):** Natural or legal person who processes on behalf of controller
30
+ - **DPO / Encarregado:** Person designated by controller to be contact point with data subjects and ANPD
31
+ - **Processing:** Any operation on personal data (collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, modification, communication, transfer, diffusion, extraction)
32
+ - **Consent (consentimento):** Free, informed, unambiguous expression of agreement for specific purpose
33
+ - **Blocking (bloqueio):** Temporary suspension of any processing pending review
34
+ - **Anonymisation:** Technical processes making data unable to identify person
35
+ - **Pseudonymisation:** Processing removing identifiability with use of additional information
36
+ - **International data transfer:** Transfer to foreign country or international organisation
37
+
38
+ ### Art. 6 — Principles (10)
39
+ Purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, accountability.
40
+
41
+ ### Art. 7 — Legal Bases (regular personal data — 10)
42
+ I. Consent; II. Legal obligation; III. Public policy by public entity; IV. Research; V. Contract; VI. Exercise of rights in proceedings; VII. Vital interests; VIII. Health protection; IX. Legitimate interest; X. Credit protection.
43
+
44
+ ### Art. 8 — Consent Requirements
45
+ Must be in written or equivalent digital form; burden of proof on controller; may be revoked free of charge at any time; cannot be generic; bundled consents for unrelated processing invalid; cannot condition service on consent unless necessary.
46
+
47
+ ### Art. 9 — Transparency
48
+ Data subjects have right to easy/free access to information about: purposes, duration, identity of controller, DPO contact, shared data and recipients, data subjects' rights.
49
+
50
+ ### Art. 10 — Legitimate Interest (LI)
51
+ LI can only justify processing if: does not prevail over fundamental rights of data subject; limited to legitimate, specific purposes; data subject has a reasonable expectation. Controller must conduct LI assessment (balancing test). Sensitive data cannot use LI.
52
+
53
+ ---
54
+
55
+ ## Chapter II — Processing of Sensitive Data & Children's Data (Arts. 11–14)
56
+
57
+ ### Art. 11 — Sensitive Data Processing
58
+ Only permitted when:
59
+ - Express and specific consent from data subject
60
+ - Legal obligation
61
+ - Shared by controller to comply with public policy
62
+ - Studies by research bodies (anonymised)
63
+ - Exercise of rights in proceedings
64
+ - Protection of life/physical safety
65
+ - Health care professionals/services
66
+ - Prevention of fraud/safety of data subject
67
+ - Protection of credit (LI prohibited for sensitive data)
68
+
69
+ ### Art. 12 — Anonymised Data
70
+ Anonymised data is not personal data. Risk of re-identification must be considered in context.
71
+
72
+ ### Art. 13 — Research
73
+ Processing for research permitted; anonymisation preferred; security measures must be adopted; results must be published in anonymised form.
74
+
75
+ ### Art. 14 — Children's and Adolescents' Data
76
+ Processing requires: specific and highlighted consent from parent/guardian; data collected only as necessary; no sharing with third parties without consent; best interests of children prioritised. Controllers must verify parental consent in reasonable manner.
77
+
78
+ ---
79
+
80
+ ## Chapter III — Data Subject Rights (Arts. 17–22)
81
+
82
+ ### Art. 17 — Right of Ownership
83
+ Every natural person has ownership of their personal data and guaranteed fundamental rights.
84
+
85
+ ### Art. 18 — Rights List
86
+ Data subjects may request from controller at any time:
87
+ - **I** — Confirmation of processing
88
+ - **II** — Access to data
89
+ - **III** — Correction (inaccurate/incomplete/outdated)
90
+ - **IV** — Anonymisation, blocking, or deletion of unnecessary/excessive/non-compliant data
91
+ - **V** — Portability to another provider (ANPD to define format)
92
+ - **VI** — Deletion of consent-based data (unless Art. 16 retention exception applies)
93
+ - **VII** — Information about public/private entities with whom data was shared
94
+ - **VIII** — Information about possibility of not providing consent and consequences
95
+ - **IX** — Revocation of consent (Art. 8)
96
+
97
+ Controller must respond: immediately (simplified); within 15 days (full access report); without undue delay (corrections/deletions).
98
+
99
+ ### Art. 19 — Response Format
100
+ Simplified response or through a complete declaration within 15 days from data subject's request. Must be free of charge.
101
+
102
+ ### Art. 20 — Automated Decisions
103
+ Data subject may request review of decisions made solely by automated processing (profiling, credit assessment, etc.). Controller must provide clear and adequate information about criteria and procedures. Human review must be available on request.
104
+
105
+ ### Art. 21 — Protected Data
106
+ Data subject data used to exercise rights cannot be used against the data subject.
107
+
108
+ ### Art. 22 — Defence of Interests
109
+ Rights may be exercised via consumer protection entities, agencies, ANPD, or judicially.
110
+
111
+ ---
112
+
113
+ ## Chapter IV — Processing by Public Entities (Arts. 23–32)
114
+
115
+ ### Art. 23
116
+ Public entities may process personal data for public interest; must inform purpose and necessity; cannot transfer to private entities except for specific Art. 26 reasons.
117
+
118
+ ### Art. 26
119
+ Sharing with private sector only where: indispensable for service delivery; for regulatory purpose; or research (anonymised).
120
+
121
+ ### Art. 27
122
+ International transfers by public entities for international cooperation: follow applicable treaties and ANPD guidance.
123
+
124
+ ---
125
+
126
+ ## Chapter V — International Transfer (Arts. 33–36)
127
+
128
+ ### Art. 33 — Transfer Mechanisms
129
+ Personal data may only transfer internationally to:
130
+ - Countries/org with adequate protection (ANPD adequacy decision)
131
+ - Agreements/standard contractual clauses (Art. 35)
132
+ - Binding corporate rules (BCRs) — Art. 35, I
133
+ - Specific consent for the transfer — Art. 33, VIII
134
+ - ANPD authorisation — Art. 33, IX
135
+
136
+ ### Art. 34 — Adequacy Assessment
137
+ ANPD evaluates: rule of law; protection of human rights; independence of supervisory body; effective remedies; reciprocity; international conventions ratified by Brazil.
138
+
139
+ ### Art. 35 — Contractual Clauses and BCRs
140
+ Specific or standard contractual clauses must provide adequate protection level. BCRs authorised by ANPD. ANPD may publish standard contractual clauses (not yet done as of 2025).
141
+
142
+ ### Art. 36 — Complementary Transfers
143
+ Even where Art. 33 applies, ANPD may impose additional requirements for sensitive data or large-scale transfers.
144
+
145
+ ---
146
+
147
+ ## Chapter VI — Controllers and Processors (Arts. 37–45)
148
+
149
+ ### Art. 37 — Record of Processing Activities (RoPA)
150
+ Controllers and processors must maintain RoPA. ANPD may require disclosure. ANPD Resolution No. 2/2022 made RoPA mandatory for agents that: process data at large scale; are public authorities; or process sensitive data.
151
+
152
+ ### Art. 38 — DPIA / RIPD (Relatório de Impacto à Proteção de Dados)
153
+ ANPD may require DPIA for high-risk processing. Content defined by ANPD. Must be considered by the controller before processing begins.
154
+
155
+ ### Art. 39 — Processor Instructions
156
+ Processors must act per controller instructions. Processors may only act independently if legally required.
157
+
158
+ ### Art. 40 — Standards
159
+ ANPD may establish operational standards for controllers and processors.
160
+
161
+ ### Art. 41 — DPO (Encarregado)
162
+ Controllers must appoint a DPO. DPO must:
163
+ - Receive complaints and communications from data subjects
164
+ - Communicate with data subjects and ANPD
165
+ - Guide internal employees and contractors
166
+ - Perform other tasks as defined by controller or ANPD
167
+
168
+ Controller must publish DPO identity and contact. ANPD may exempt certain controllers (ANPD Resolution No. 2/2022 exempts small/micro companies with limited scope).
169
+
170
+ ### Art. 42 — Liability
171
+ Controllers or processors causing damage by LGPD violation are liable to repair (individual or collective). Joint/several liability where multiple parties involved.
172
+
173
+ ### Art. 43 — Exemptions
174
+ Exempt if: did not carry out processing; processing not at fault; damage caused exclusively by data subject or third party.
175
+
176
+ ### Art. 44 — Irregular Processing
177
+ Processing irregular if: does not comply with law or security regulations; does not achieve stated purpose; does not meet transparency/security/data quality obligations.
178
+
179
+ ### Art. 45 — Consumer Code
180
+ Processing subject to LGPD does not exclude application of Consumer Protection Code where applicable.
181
+
182
+ ---
183
+
184
+ ## Chapter VII — Security, Good Practices, and Governance (Arts. 46–51)
185
+
186
+ ### Art. 46 — Security Measures
187
+ Technical and administrative security measures proportional to risk must be adopted by controllers and processors. ANPD may define minimum standards.
188
+
189
+ ### Art. 47 — Internal Practices
190
+ Agents must adopt policies, procedures, and governance mechanisms to: demonstrate effective compliance; implement data subject rights; assess effectiveness of measures; mitigate risks.
191
+
192
+ ### Art. 48 — Incident Notification
193
+ Security incidents that may cause relevant risk or harm to data subjects must be notified to ANPD and data subjects:
194
+ - **Preliminary notification:** 3 working days from awareness (ANPD Resolution CD/ANPD No. 15/2024)
195
+ - **Full report:** Within 20 working days
196
+ - Must include: nature of data; number of affected subjects; technical measures taken/planned; risks of incident; reasons for delay (if any)
197
+
198
+ ### Art. 49 — System Design
199
+ Systems must be designed with security measures from conception (privacy by design) and default settings protective of privacy.
200
+
201
+ ### Art. 50 — Good Practices
202
+ Controllers and processors may develop good practice programmes; ANPD may accredit entities to manage complaints and promote standards.
203
+
204
+ ### Art. 51 — National Strategy
205
+ National data protection strategy for government entities.
206
+
207
+ ---
208
+
209
+ ## Chapter VIII — ANPD (Arts. 55-A to 55-L)
210
+
211
+ ### Art. 55-A
212
+ ANPD is a federal government body with technical autonomy, own budget, and decision-making authority. Part of the Presidency.
213
+
214
+ ### Art. 55-J — ANPD Competencies
215
+ - Issue regulations and guidance
216
+ - Conduct inspections and audits
217
+ - Apply administrative sanctions
218
+ - Promote knowledge of LGPD
219
+ - Cooperate with data protection authorities internationally
220
+ - Require DPIAs
221
+ - Define standards for international transfer mechanisms
222
+
223
+ ---
224
+
225
+ ## Chapter IX — Administrative Sanctions (Arts. 52–54)
226
+
227
+ ### Art. 52 — Sanctions
228
+ ANPD may apply (after investigation and opportunity to respond):
229
+ | Sanction | Details |
230
+ |----------|---------|
231
+ | Warning | With deadline to adopt corrective measures |
232
+ | Simple fine | Up to 2% of revenue in Brazil (previous FY); group cap R$50M per violation |
233
+ | Daily fine | To compel compliance; same cap |
234
+ | Publicisation | Public disclosure of violation after completion of investigation |
235
+ | Blocking | Temporary blocking of personal data involved |
236
+ | Deletion | Erasure of personal data related to violation |
237
+ | Suspension | Partial suspension of processing up to 6 months (renewable once) |
238
+ | Prohibition | Total prohibition of personal data processing activities |
239
+
240
+ ### Art. 52, §1º — Aggravating/Mitigating Factors
241
+ Gravity; intent; recurrence; good faith; cooperation; financial advantage; vulnerability of data subjects; internal controls; timely adoption of corrective measures; proportionality.
242
+
243
+ ### Art. 53 — Financial Sanctions Methodology
244
+ ANPD to define criteria for calculating fines, including: nature of violation; controller size; number of data subjects; economic advantage.
245
+
246
+ ### Art. 54 — Statute of Limitations
247
+ Administrative violations time-bar after 5 years. Count from date ANPD becomes aware of violation.
248
+
249
+ ---
250
+
251
+ ## Key ANPD Resolutions (as of 2025)
252
+
253
+ | Resolution | Subject |
254
+ |-----------|---------|
255
+ | CD/ANPD No. 1/2021 | Internal regulation of ANPD |
256
+ | CD/ANPD No. 2/2022 | RoPA requirements; DPO exemptions for small entities |
257
+ | CD/ANPD No. 4/2023 | Simplified LGPD applicability for micro/small enterprises |
258
+ | CD/ANPD No. 15/2024 | Security incident notification — 3 working day preliminary requirement |
259
+ | Normative Instruction No. 1/2021 | DPO reporting requirements |
260
+
261
+ ---
262
+
263
+ ## LGPD Timeline
264
+ | Date | Event |
265
+ |------|-------|
266
+ | 14 Aug 2018 | Law 13,709/2018 signed |
267
+ | 9 Jul 2019 | Law 13,853/2019 — created ANPD, amended provisions |
268
+ | 18 Sep 2020 | LGPD entered into force (except sanctions) |
269
+ | 1 Aug 2021 | Administrative sanctions entered into force |
270
+ | 2022 | ANPD Resolution No. 2 — RoPA/DPO rules |
271
+ | 2024 | ANPD Resolution No. 15 — 3-day breach notification |