LGPD + Practical Requirements

Compliance Area	LGPD Article(s)	Practical Requirement	Actionable Step for Entain	Deadline/Frequency	Citation
I. Governance & Accountability	Art. 5, 23	Appoint a Data Protection Officer (Encarregado) who serves as the communication channel between the Controller, Data Subjects, and the ANPD.	Appoint a DPO (internal or external) and ensure functional independence from operational high-risk roles (e.g., Head of IT). Ensure they can communicate effectively in Portuguese.	Ongoing	1
	Art. 5, 23	Public disclosure of the DPO's contact information.	Publish the DPO's identity and contact details clearly and objectively on the Brazilian company website.	Immediate / Ongoing	1
	Art. 37	Maintain the Record of Processing Activities (ROT).	Create and maintain a comprehensive, up-to-date Data Map detailing all data flows, the specific legal basis (Art. 7/11), and retention periods for every data set.	Ongoing	2
	Art. 38	Data Protection Impact Assessment (DPIA).	Proactively conduct an RIPD/DPIA, especially for high-risk activities (large-scale processing of financial and behavioral data), documenting risks and mitigating security measures.	Initial / Upon major system change
II. Data Subject Rights (DSARs)	Art. 19, II	Provide a full access response to the Data Subject.	Provide a "clear and complete declaration" that details data origin, purpose, criteria used for automated decisions, and whether data is registered or not.	Within 15 days of the request date.	3
	Art. 18, IV	Enable the right to request anonymization.	Implement robust data mapping and technical capabilities to perform non-reversible anonymization of data deemed unnecessary, excessive, or non-compliant.	Upon Data Subject Request (within DSAR cycle)	5
	Art. 18	Ensure secure identity verification.	Implement mandatory, secure KYC procedures before providing data access to the Data Subject to prevent unauthorized release of sensitive financial information.	Upon Data Subject Request
III. International Data Transfers (IDTs)	Art. 33	Formalize the transfer mechanism to the EU parent entity.	Implement LGPD-specific Standard Contractual Clauses (SCCs) or utilize approved Binding Corporate Rules (BCRs).	Initial / Ongoing	6
	Art. 33 (BCRs)	Disclosure of approved BCRs.	If using ANPD-approved BCRs, make the complete text available to Data Subjects upon their request.	Within 15 days of the request date.	7
	Art. 33 (SCCs)	Contractual safeguards for minors' data.	Ensure SCCs include additional protective measures to guarantee that any processing of children/adolescent data complies with the Best Interest principle.	Initial / Contractual Renewal	8
IV. Security & Incident Management	Art. 48	Mandatory notification of relevant incidents to the ANPD.	Communicate the incident to the ANPD via the required electronic form if the incident causes "relevant risk or damage" (e.g., involves financial data or large-scale data).	Within 3 business days of obtaining a reasonable degree of certainty that the incident occurred.
	Art. 48	Notification to Data Subjects.	Communicate the incident to the affected Data Subjects in a clear, non-technical manner (if notification is required for the ANPD).	Within a "reasonable time" (must be swift to allow mitigation).	2
V. Processing Agents & Contracts	Art. 39	Mandate Operator processing instructions.	Ensure all contracts with third-party Operators (e.g., cloud providers, payment gateways) include a Data Processing Addendum (DPA) that clearly outlines the scope and method of processing.	Initial / Contractual Renewal	9
	Art. 42	Solidary Liability Mitigation.	Require Operators to adopt adequate technical security measures (Art. 46) and include indemnification clauses in the DPA, given the Controller and Operator can be held jointly responsible.	Initial / Contractual Renewal	6
VI. Legal Basis & Principles	Art. 7, X, 7, IX	Justify the legal basis for fraud prevention.	Anchor fraud prevention activities, especially financial checks, in specific bases like Protection of Credit (Art. 7, X) or Legal Obligation, which are safer than broad reliance on Legitimate Interest (Art. 7, IX).	Ongoing / Documented in ROT	11
	Art. 14	Data processing of children (under 12).	Require specific and prominent parental consent for any processing of a child's data (under 12), employing reasonable efforts to verify the parent's identity using available technology.	Ongoing	12
	Art. 20	Non-Discrimination and review of automated decisions.	Implement systems for human oversight, periodic audits, and a Right to Explanation mechanism to prevent profiling and automated decisions (e.g., risk scoring) from leading to discriminatory outcomes.	Ongoing / Upon Data Subject Request	13