Lgpd Data Processing Agreements

LGPD Data Processing Agreements: What You Need to Know

Brazil`s General Data Protection Law (LGPD) took effect in September 2020, bringing the country in line with many other jurisdictions in protecting the privacy of individuals. The LGPD regulates the processing of personal data and imposes strict obligations on companies that collect and handle such data. One of these obligations is the requirement to have a data processing agreement (DPA) in place with any third-party vendor that processes personal data on behalf of the company. In this article, we`ll take a closer look at LGPD DPAs and what you need to know about them.

What is a Data Processing Agreement?

A DPA is a legal document that outlines the terms and conditions under which a data processor (a third-party vendor that processes personal data on behalf of a data controller) can perform its services. The DPA establishes the rights and obligations of both the data controller (the company that collects and controls personal data) and the data processor, ensuring that the latter acts in accordance with the LGPD. A DPA is a crucial tool for companies to manage their data processing risks and comply with regulatory requirements.

Why is a DPA Required Under LGPD?

LGPD requires companies to ensure that any third-party vendor that processes personal data on their behalf does so in compliance with the law. A DPA is the best way to ensure that the data processor assumes responsibility for complying with LGPD and implements adequate technical and organizational measures to protect the data. Under LGPD, companies that fail to have a DPA in place with their data processors risk facing significant fines and reputational damage.

What Should Be Included in an LGPD DPA?

An LGPD DPA should include the following information:

– The nature and purpose of the data processing: The DPA should identify the type of data being processed and the purposes for which it is being processed.

– Obligations of the data processor: The DPA should outline the data processor`s obligations under LGPD, including its confidentiality obligations, data protection measures, and reporting requirements.

– Rights of the data controller: The DPA should specify the data controller`s rights to access and control the personal data being processed by the data processor.

– Sub-processors: The DPA should outline the data processor`s obligations with respect to sub-processors, including obtaining prior consent from the data controller and imposing similar obligations on sub-processors.

– Data breach notification: The DPA should specify the timeframe within which the data processor must notify the data controller of a data breach.

– Indemnification: The DPA should include provisions for indemnification in case of breach of LGPD or the DPA.


An LGPD DPA is a crucial document for companies that process personal data and engage third-party vendors to do so on their behalf. By ensuring that their data processors comply with LGPD, companies can protect their own reputation and avoid facing significant fines for non-compliance. If you`re unsure about the requirements for an LGPD DPA or need help drafting one, consult with an experienced SEO copy editor for guidance.

This entry was posted in Uncategorized. Bookmark the permalink.