GDPR vs LGPD: EU and Brazilian Privacy Laws Compared
Brazil's LGPD (Lei Geral de Proteção de Dados) was closely modeled on the GDPR and came into effect in 2020. While both laws share similar principles around data protection, the LGPD defines 10 legal bases for processing (compared to GDPR's 6) and has a different penalty structure. The ANPD (Autoridade Nacional de Proteção de Dados) serves as Brazil's enforcement authority.
| Feature | GDPR | LGPD |
|---|---|---|
| Geographic Scope | European Union and EEA member states | Brazil (applies to processing of data of individuals in Brazil) |
| Who It Applies To | Any organization processing EU residents' data | Any organization processing personal data of individuals in Brazil, regardless of location |
| Consent Requirements | Opt-in consent required; 6 legal bases for processing | Opt-in consent required; 10 legal bases for processing |
| Cookie & Tracking Rules | Non-essential cookies require explicit prior consent under the ePrivacy Directive | No specific cookie law, but consent principles apply to online tracking |
| Individual Rights | Access, rectification, erasure, portability, restriction, objection | Access, correction, anonymization, deletion, portability, information on sharing, review of automated decisions |
| Maximum Penalties | Up to EUR 20 million or 4% of annual global turnover | Up to 2% of revenue in Brazil, capped at BRL 50 million per infraction |
| Enforcement Body | National Data Protection Authorities in each EU member state | ANPD (Autoridade Nacional de Proteção de Dados) |
Key Differences
The LGPD provides 10 legal bases for processing personal data, compared to GDPR's 6. In addition to the familiar consent, contract, legal obligation, vital interests, public interest, and legitimate interests, the LGPD includes credit protection, health protection, research by study bodies, and regular exercise of rights in judicial or administrative proceedings.
Penalties differ significantly in scale. GDPR fines can reach up to EUR 20 million or 4% of global annual turnover. LGPD penalties are capped at 2% of the company's revenue in Brazil (not global), up to BRL 50 million per infraction. While this is substantial, it is generally considered less severe than GDPR's global turnover-based calculation.
Both laws grant similar individual rights, but the LGPD includes a specific right to information about public and private entities with which data has been shared, and a right to review automated decisions. The GDPR has a broader right to data portability and more detailed provisions around automated decision-making, including profiling.
How Pryvii Helps
Pryvii supports scanning against both GDPR and LGPD requirements. It checks your website for Portuguese-language privacy notices, appropriate consent mechanisms, and required disclosures about data sharing with third parties. The multi-regulation scan highlights gaps specific to each law.
Frequently Asked Questions
Is the LGPD basically a copy of the GDPR?
The LGPD was heavily influenced by the GDPR and shares many principles, but it is not identical. Key differences include more legal bases for processing (10 vs 6), a different penalty structure (capped at 2% of Brazil revenue), and some unique provisions around credit protection and health data processing.
Do I need a DPO under both laws?
GDPR requires a Data Protection Officer in specific circumstances, such as when processing is carried out by a public authority or involves large-scale systematic monitoring. The LGPD requires all data controllers to appoint a DPO (called an encarregado), though the ANPD has relaxed this for small businesses.
Can I transfer data between the EU and Brazil?
Data transfers require appropriate safeguards under both laws. Brazil does not yet have a GDPR adequacy decision from the EU. Transfers typically rely on Standard Contractual Clauses or other approved mechanisms. The LGPD also restricts international transfers and requires adequate protection in the receiving country.