Brazil | Legitimate Interest under Data Protection Law: The official Guidance Explained

Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).

This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.

Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.

Why Legitimate Interest Matters—But Remains Risky

Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, due to the lack of regulation since the LGPD came into force, this legal basis has long been regarded as risky in Brazil – in fact, it was unclear on how to evaluate the “legitimacy” of the interest and balance it against data subject rights.

The ANPD’s “Guia Orientativo sobre o Legítimo Interesse” (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.

The ANPD’s Three-Step Balancing Test

The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.

• Purpose Test : The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
• Necessity Test : The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
• Balancing Test and Safeguards : This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.

Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.

How This Affects Foreign Companies doing business in Brazil

Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.

Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.

Foreign companies should:

• Revisit their legal bases for processing data of Brazilian individuals.
• Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
• Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
• Update their privacy notices to reflect the legal basis and safeguards in place.
• Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.

Strategic Guidance

If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.

Here’s how to act now:

• Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
• Compare it with the GDPR LIA to identify overlaps and gaps.
• Align documentation—so your clients are ready in the event of a complaint or data subject request.
• Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.

Final Thoughts

The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.

European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.

Want to see the full guidance? The original document (in Portuguese) is available here.