If your business serves customers in both Brazil and the European Union, you are subject to two of the world’s most significant data protection frameworks: Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13,709/2018) and the European General Data Protection Regulation (GDPR). While both laws share similar objectives and the LGPD was influenced by the GDPR, there are meaningful differences that directly affect your compliance strategy. This guide compares the two frameworks to help you build an integrated approach.
Origins and Foundations
GDPR. Adopted in 2016 and in force since May 2018, the GDPR is a regulation directly applicable across all 27 EU member states. It is founded on the principle that data protection is a fundamental right (Article 8 of the EU Charter of Fundamental Rights). It is prescriptive, detailed, and accompanied by an extensive body of case law and guidance from national authorities.
LGPD. Enacted in 2018 and in force since September 2020, the LGPD was broadly inspired by the GDPR but adapted to the Brazilian legal context. It incorporates elements from the Consumer Protection Code, the Marco Civil da Internet (Internet Civil Framework), and the Federal Constitution (Article 5, items X and XII). The ANPD, created in 2020, is still building out the complete regulatory framework.
Scope of Application
Who is protected
GDPR: Any natural person (data subject) located in the European Union, regardless of nationality or residence.
LGPD: Any natural person whose personal data is processed in operations carried out in Brazilian territory, aimed at offering goods or services to individuals in Brazil, or involving data collected in Brazil (Article 3).
Which businesses must comply
GDPR: Any organization, anywhere in the world, that processes personal data of individuals in the EU, provided it offers goods or services to those individuals or monitors their behavior (Article 3). No revenue threshold or minimum data volume.
LGPD: Any organization, anywhere in the world, that carries out data processing operations under the conditions of Article 3. Also no revenue threshold.
Both laws have extraterritorial reach, meaning businesses outside Brazil or the EU may be required to comply. For a detailed understanding of LGPD obligations, see our complete LGPD guide.
Legal Bases for Processing
This is one of the areas where the two laws are most similar, but with important differences.
GDPR: Six legal bases (Article 6) — consent, contract performance, legal obligation, vital interests, public interest task, and legitimate interests.
LGPD: Ten legal bases (Article 7) — the six from the GDPR plus credit protection, health protection, research studies by research bodies, and regular exercise of rights.
| Legal basis | GDPR | LGPD |
|---|---|---|
| Consent | Article 6(1)(a) | Article 7, I |
| Legal obligation | Article 6(1)(c) | Article 7, II |
| Contract execution | Article 6(1)(b) | Article 7, V |
| Legitimate interest | Article 6(1)(f) | Article 7, IX |
| Protection of life | Article 6(1)(d) | Article 7, VII |
| Public task | Article 6(1)(e) | Article 7, III |
| Credit protection | Not provided | Article 7, X |
| Health protection | Included in vital interests | Article 7, VIII (standalone basis) |
| Research | Included in public task | Article 7, IV (standalone basis) |
| Exercise of rights | Included in legal obligation | Article 7, VI (standalone basis) |
The LGPD is more granular in its legal bases, creating standalone bases for situations that the GDPR treats as subcategories of broader bases.
Consent
GDPR: Must be freely given, specific, informed, and unambiguous (Article 7). The burden of proof lies with the controller. Consent for sensitive data must be explicit (Article 9).
LGPD: Must be free, informed, and unambiguous, provided in writing or by other means that demonstrate the data subject’s expression of will (Article 8). For sensitive data, consent must be specific and highlighted (Article 11).
The practical differences are subtle but relevant. The GDPR requires consent to be “specific” for each purpose, while the LGPD requires it “for determined purposes.” The LGPD also specifies that written consent must appear in a clause that is highlighted from other contractual clauses.
Data Subject Rights
Both laws confer a robust set of rights, but with notable differences:
| Right | GDPR | LGPD |
|---|---|---|
| Access | Article 15 | Article 18, I and II |
| Rectification | Article 16 | Article 18, III |
| Erasure | Article 17 (right to be forgotten) | Article 18, IV (anonymization, blocking, or deletion) |
| Portability | Article 20 | Article 18, V |
| Objection | Article 21 | Article 18, IV (partially) |
| Review of automated decisions | Article 22 | Article 20 |
| Information about sharing | Implicit in Articles 13-14 | Article 18, VII (explicit right) |
| Response time | 1 month (extendable to 3) | 15 days for confirmation; reasonable period for others |
A notable difference: the LGPD explicitly guarantees the right to information about entities with which data has been shared (Article 18, VII), while the GDPR treats this as part of transparency obligations. The LGPD also provides for review of automated decisions (Article 20) but without the requirement of human intervention that the GDPR establishes in Article 22.
Sensitive Data
GDPR: Special categories of data (Article 9) — racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation. Processing is prohibited except under specific exceptions.
LGPD: Sensitive data (Article 5, II) — racial or ethnic origin, religious conviction, political opinion, trade union or religious, philosophical, or political organization membership, health data, sex life, genetic data, or biometric data.
The categories are similar but not identical. The LGPD includes “philosophical conviction” and “membership in philosophical or political organizations,” which have no direct equivalent in the GDPR. The GDPR explicitly includes “political opinions,” while the LGPD uses “political opinion.”
International Data Transfers
GDPR: Transfers outside the EEA require an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or another approved mechanism (Chapter V). The process is rigorous and well-regulated.
LGPD: Article 33 lists several conditions for international transfer, including countries with an adequate level of protection, specific contractual clauses, standard clauses, global corporate rules, and specific consent. The ANPD is still regulating the mechanisms, and the framework is not as developed as the European one.
In practice, businesses that already have GDPR SCCs can adapt them for the LGPD, but should await the ANPD’s final regulations to ensure full compliance.
Penalties and Enforcement
| Aspect | GDPR | LGPD |
|---|---|---|
| Maximum fine | EUR 20M or 4% of global turnover | BRL 50 million or 2% of revenue in Brazil |
| Calculation base | Global turnover | Revenue in Brazil (not global) |
| Authority | National DPAs (CNIL, etc.) | ANPD |
| Direct sanctioning power | Yes | Yes |
| Non-monetary sanctions | Processing prohibition | Blocking, deletion, suspension, prohibition |
| Private right of action | Yes (Article 82) | Yes (Civil Code + Consumer Code) |
The GDPR has potentially much larger monetary penalties (global vs Brazil-only base). However, the LGPD offers severe non-monetary sanctions — suspension or prohibition of processing activities can be more devastating for a business than a financial fine.
DPO / Encarregado
GDPR: Mandatory for public authorities, large-scale systematic monitoring, or large-scale processing of sensitive data (Article 37).
LGPD: Mandatory for all controllers (Article 41). The ANPD may establish exemptions for small-scale processing agents.
The LGPD is broader in this requirement: while the GDPR limits the obligation to specific situations, the LGPD imposes it as a general rule.
Compliance Strategy for Dual-Jurisdiction Businesses
1. Start with GDPR compliance. European requirements are generally more restrictive. Solid GDPR compliance covers the majority of LGPD obligations.
2. Add LGPD-specific elements. The four additional legal bases, the 15-day response period for confirmation, the explicit right to information about sharing, and the non-monetary sanctions require specific attention.
3. Adapt the penalty calculation base. The GDPR calculates on global turnover; the LGPD on revenue in Brazil. This may affect your risk analysis.
4. Follow the ANPD. The Brazilian authority is still building its regulatory framework. Regulations on international transfers, impact reports, and adequacy criteria are under development.
5. Document everything. Processing records (GDPR Article 30), incident registers (both), and data subject request records (both) are essential for demonstrating compliance.
To check your site’s compliance in seconds, use our free compliance scanner. For more depth, see our complete LGPD guide and our guide on LGPD privacy policy requirements.
Conclusion
The LGPD and the GDPR share origins and objectives but differ in details that matter in practice. The LGPD has more legal bases, a broader scope for DPO requirements, and potentially more severe non-monetary sanctions. The GDPR has larger financial penalties, more detailed data subject rights, and a more mature regulatory framework. For businesses operating in both jurisdictions, the most effective approach is to build on GDPR compliance and supplement with LGPD specifics. Inaction is not an option: the regulatory risks on both sides of the Atlantic continue to grow.