Skip to content
BlogLGPD ‘Right to Erasure’ & How to Comply

LGPD ‘Right to Erasure’ & How to Comply

Profile picture of Michael Waksman, former CEO of Jetico, wearing a suit and blue striped tie, smiling
Michael Waksman Former CEO 
SUMMARY: The LGPD Right to Erasure requires organizations to securely delete personal data when it is no longer needed or when a valid request is submitted by a Brazilian citizen. This guide clarifies when erasure is mandatory, which exemptions apply and how BCWipe helps permanently remove sensitive information without leaving recoverable traces. You will also find three practical steps to locate your data, assign responsibility and choose the right wiping method to meet LGPD requirements.

The LGPD ‘Right to Erasure’ is part of the new Brazilian data protection law. Similar to GDPR’s ‘Right to be Forgotten, the LGPD ‘Right to Erasure’ allows Brazilian citizens to request their personal data be removed from organization databases.

So, if your company handles personal data of Brazilian citizens, whether you’re inside or outside of Brazil, you are subject to the ‘Right to Erasure’.

Close-up of a computer keyboard with a finger pressing a key labeled "Compliance," symbolizing the importance of adhering to LGPD right-to-erasure requirements for data protection and privacy

Here we will look at the ‘Right to Erasure’ section of the regulation and share 3 steps on how to implement a successful LGPD compliance strategy.

LGPD in a Nutshell

  • When?
    The LGPD regulations were introduced in August 2018. While administrative sanctions do not come into effect until August 1, 2021, individuals and public prosecutors can already bring claims for damages and losses.
  • What?
    LGPD, or the Lei Geral de Proteção de Dados Pessoais, can be translated as the General Law for the Protection of Personal Data. The main objective of the LGPD is to regulate the processing of personal data in order to protect the privacy of Brazilian citizens. Brazil’s National Data Protection Agency (ANPD) will be responsible for enforcing administrative sanctions.
  • Who?
    The LGPD requires compliance for people, businesses, public institutions, and charities that process the data of Brazilian citizens, wherever they are based. The regulation applies to people and organizations that are processing:
    – Personal data in Brazil
    – Personal data that was collected in Brazil
    – Personal data to offer goods or services in Brazil

What Is the LGPD ‘Right to Erasure’?

The ‘Right to Erasure’ is covered in articles 5, 16, and 18 of the LGPD. The regulation requires companies to delete the personal data of an individual if it has been requested, even if the data has been collected based on consent.

The ‘Right to Erasure’ under LGPD is comparable to GDPR’s equivalent rule, officially known as the ‘Right to Erasure‘ but often referred to as the ‘Right to be Forgotten‘. Under the LGPD, both data controllers and processors must delete the subjects’ data for free if it has been requested. It’s also compulsory that data subjects (Brazilian citizens) are informed of their right to request for their data to be erased.

In addition, the LGPD states that data must be deleted if it was processed for reasons that are excessive, unnecessary, or unlawful.

LGPD ‘Right to Erasure’ & Exemptions

Article 16 of the LGPD includes some exemptions to the application of the ‘Right to Erasure’:

  • “Compliance with legal or regulatory obligation by the controller”
  • Personal data authorized for a “study by a research body”

In addition, the LGPD, including the ‘Right to Erasure’, generally doesn’t apply to processing of personal information done exclusively for:

  • Public safety
  • Academic purposes
  • Journalistic and artistic purposes

Prepare for the LGPD ‘Right to Erasure’

Follow these 3 steps to make sure your company or organization is ready to comply with the LGPD ‘Right to Erasure’.

Step 1: Find Out Where Your Data Resides

Regardless of where your data is stored, you always have to be aware of its location. Keep track of where it’s saved, how it’s being accessed, and how it’s being shared. Having this information at hand will help you to locate the files that need to be erased much faster.

Step 2: Assign a Data Protection Officer (DPO)

The LGPD requires businesses and organizations to appoint a Data Protection Officer (DPO), so make sure that you appoint someone to that role. Your DPO will serve as a link between your organization and its data subjects, which will also send a message to your customers (and compliance officers) that you are serious about protecting their data.

Step 3: Equip the Right Tools

The software that you should use can be determined by the type of data that you need to erase. For example, if personal data is stored on a computer that’s no longer needed, then you should use software to completely wipe your hard drive. Alternatively, if you only have a few specific files or folders that need to be erased on an active system, then you could use a tool to wipe selected data and still continue using your computer.

How Data Wiping Works

Deleting files by normal means will not help your company or organization to comply with the LGPD’s ‘Right to Erasure’ requirements. That’s because information saved to a hard drive will always leave behind residual data, or data remanence. To prevent data being restored and accessed by third parties with widely available file recovery software, you should choose to wipe sensitive data and permanently erase the information. Using data wiping software to securely erase your information assets is the safest and most effective way to dispose of personal data.

Learn more about securely wiping your data by reading our ultimate guide. You can also find 3 reasons to erase and repurpose your hard drive.

Frequently Asked Questions (FAQs)

What Exactly Does the LGPD Right to Erasure Require Companies to Do?

The LGPD requires organizations to delete a data subject’s personal information upon request even if it was originally collected with consent. Both data controllers and processors must perform deletion at no cost and inform individuals of this right. Data must also be erased if it was processed excessively, unnecessarily or unlawfully.

Are There Any Situations Where Companies Are Not Required to Erase Personal Data?

Yes. Article 16 outlines exemptions such as compliance with legal obligations or when data is used for authorized research. The LGPD also generally excludes processing done exclusively for public safety, academic purposes, journalism or artistic expression.

What’s the First Step Organizations Should Take to Prepare for LGPD Compliance?

Begin by mapping where personal data resides across systems, devices and cloud services. Knowing where information is stored, accessed and shared allows you to quickly locate files when erasure requests are submitted. This visibility also strengthens broader compliance and risk management efforts.

What Role Does the Data Protection Officer (DPO) Play in LGPD Compliance?

Organizations must appoint a DPO to act as the primary contact for data subjects and regulators. The DPO oversees data protection practices, helps coordinate responses to erasure requests and supports ongoing efforts to safeguard personal information.

Which Jetico Tools Support Compliance With the LGPD Right to Erasure?

BCWipe Total WipeOut wipes entire devices, and BCWipe securely erases selected files on active systems. Jetico’s data discovery and classification capabilities help organizations quickly locate personal data across endpoints, making LGPD erasure requests faster and more complete.

Back to all Blogs

News & Blogs

Stay updated with the latest news, insights, trends and expert tips on data protection and cybersecurity.

Immutable Backups: Why They Matter & How to Get Started

Check back here regularly for news and blogs

Latest News Latest Blogs

Enhance Your Data Protection Now

Request a free consultation with our data protection specialist to learn how our solutions can help you secure your endpoints.