LGPD (Data Privacy Law) — Interface with Device Regulation
Brazil's LGPD (Lei Geral de Proteção de Dados Pessoais — General Data Protection Law, Lei 13.709/2018) is a comprehensive data privacy law, similar in scope to the EU's GDPR. Medical devices that collect, process, or transmit patient data must comply with both ANVISA's medical device regulations and the LGPD — a uniquely Brazilian regulatory intersection.
What LGPD covers for medical devices
The LGPD applies whenever a medical device or its associated software collects, stores, processes, or transmits personal data (dados pessoais) or sensitive personal data (dados pessoais sensíveis) — which includes health data.
Key LGPD obligations for medical device manufacturers and importers:
| Obligation | Detail |
|---|---|
| Legal basis | Must have a valid legal basis for processing health data (consent, legitimate interest and vital interest are the most common) |
| Data minimisation | Collect only the data strictly necessary for the device's intended purpose |
| Privacy notice | Patients must be informed of how their data is collected and used |
| Data subject rights | Patients have the right to access, correct, delete, and port their data |
| Data protection officer (DPO) | Mandatory for companies processing significant amounts of health data |
| Data breach notification | Notify Brazil's data protection authority (ANPD) within 72 hours of a security incident |
| Cross-border data transfers | Restrictions on transferring Brazilian patient data outside Brazil without safeguards |
Intersection with ANVISA
ANVISA's cybersecurity and risk management requirements (ISO 14971, IEC 80001-2-2) overlap with LGPD privacy requirements for connected devices. Manufacturers should integrate LGPD compliance into the device's risk management process — treating data privacy risks as a category of hazard.
Official resources
Verify all information against official ANVISA sources before making regulatory decisions.