GDPR vs LGPD: EU vs Brazil Privacy Law Comparison (2026)
The European Union's General Data Protection Regulation (GDPR) and Brazil's Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018) are two of the most consequential data protection frameworks in the world. The LGPD was directly inspired by the GDPR, and the two laws share a common DNA. Yet they diverge in key areas including legal bases, penalty structures, enforcement models, and DPO requirements.
This comparison covers every significant difference between the two frameworks to help multinational organizations understand their compliance obligations under both laws.
Origins and Effective Dates
The GDPR (Regulation (EU) 2016/679) was adopted in April 2016 and became enforceable on May 25, 2018. It replaced the 1995 Data Protection Directive (95/46/EC) and, through the EEA Agreement, applies across the entire European Economic Area rather than only the 27 EU member states.
Brazil enacted the LGPD on August 14, 2018, just months after the GDPR took effect. The law entered into force on September 18, 2020, after a series of postponements. Administrative sanctions under the LGPD became enforceable on August 1, 2021. Brazil's data protection authority, the ANPD, was formally established in 2020 and elevated to an independent federal agency in 2022.
The timing was not coincidental. Brazilian legislators studied the GDPR extensively and modeled much of the LGPD on its structure. However, they also incorporated provisions from other frameworks and adapted the law to Brazil's legal traditions.
Scope and Applicability
Both laws have broad territorial reach. The GDPR (Article 3) applies to organizations established in the EEA and to organizations established elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EEA. The LGPD (Article 3) applies to any processing carried out in Brazil, any processing aimed at offering goods or services to, or processing data of, individuals located in Brazil, and any processing of personal data collected in Brazil, regardless of where the processing agent is established.
The LGPD does not distinguish between for-profit and nonprofit organizations. Like the GDPR, it covers virtually all entities that process personal data, with exceptions for personal use, journalistic or artistic purposes, academic research, public safety, national defense, and criminal investigation.
One notable difference: the LGPD applies to data processing activities performed by the government, but grants public entities different treatment regarding penalties. Government bodies cannot receive fines under the LGPD, though they can face other sanctions like public disclosure of the violation.
Definitions and Terminology
The core terminology aligns closely, with some variations.
| Term | GDPR | LGPD |
|---|---|---|
| Protected individual | Data subject | Titular (data subject/holder) |
| Protected data | Personal data | Dados pessoais (personal data) |
| Sensitive data | Special categories of data (Art. 9) | Dados pessoais sensíveis (sensitive personal data, Art. 5, II) |
| Data collector | Controller | Controlador |
| Processing agent | Processor | Operador |
| Privacy officer | Data Protection Officer (DPO) | Encarregado (person in charge) |
| Supervisory body | Supervisory authority / DPA | ANPD |
The LGPD's definition of sensitive personal data closely mirrors the GDPR's special categories: both cover racial or ethnic origin, religious or philosophical belief, political opinion, trade union membership, genetic data, biometric data, health data, and data about sex life. The LGPD also lists membership of a religious, philosophical or political organization, while the GDPR names sexual orientation explicitly. Data about children and adolescents is not a sensitive category under either law, but the LGPD gives it a distinct regime under Article 14 (consent of a parent or guardian for processing children's data, with narrow exceptions).
Legal Bases for Processing: 10 vs 6
This is one of the most significant structural differences between the two frameworks.
The GDPR provides six lawful bases for processing personal data under Article 6: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests.
The LGPD provides 10 legal bases under Article 7, retaining all six GDPR bases and adding four more:
| Legal Basis | GDPR | LGPD |
|---|---|---|
| Consent | Yes (Art. 6(1)(a)) | Yes (Art. 7, I) |
| Contract performance | Yes (Art. 6(1)(b)) | Yes (Art. 7, V) |
| Legal or regulatory obligation | Yes (Art. 6(1)(c)) | Yes (Art. 7, II) |
| Vital interests | Yes (Art. 6(1)(d)) | Yes (Art. 7, VII: protection of life or physical safety of the data subject or a third party) |
| Public interest / public task | Yes (Art. 6(1)(e)) | Yes (Art. 7, III: public administration) |
| Legitimate interests | Yes (Art. 6(1)(f)) | Yes (Art. 7, IX) |
| Studies by research bodies | No separate basis (research relies on an Art. 6 basis plus the Art. 89 safeguards) | Yes (Art. 7, IV) |
| Exercise of rights in judicial, administrative, or arbitration proceedings | No separate basis (typically legitimate interests; Art. 9(2)(f) for special categories) | Yes (Art. 7, VI) |
| Health protection | No separate basis (Art. 9(2)(h) and (i) for health data) | Yes (Art. 7, VIII) |
| Credit protection | Not a separate basis | Yes (Art. 7, X) |
| Fraud prevention | Covered under legitimate interests | Explicitly referenced (Art. 11, II, g for sensitive data) |
The credit protection basis is unique to Brazilian law and reflects the importance of credit scoring systems in Brazil's economy. The health protection basis covers procedures performed by health professionals, health services, or sanitary authorities.
For sensitive personal data, the GDPR requires explicit consent or one of the narrow exceptions in Article 9(2). The LGPD's Article 11 allows processing of sensitive data based on consent or without consent when indispensable for specific purposes including legal obligations, public policy, research, exercise of rights, health protection, life protection, or fraud prevention.
Data Subject Rights
Both frameworks provide comprehensive rights to individuals, with significant overlap.
| Right | GDPR | LGPD |
|---|---|---|
| Confirmation of processing | Yes (Art. 15) | Yes (Art. 18, I) |
| Access to data | Yes (Art. 15) | Yes (Art. 18, II) |
| Rectification | Yes (Art. 16) | Yes (Art. 18, III) |
| Erasure / deletion | Yes, "right to be forgotten" (Art. 17) | Yes (Art. 18, VI) |
| Data portability | Yes (Art. 20) | Yes (Art. 18, V) |
| Restriction of processing | Yes (Art. 18) | No direct equivalent |
| Objection to processing | Yes (Art. 21) | Partial: objection to non-consent processing that breaches the law (Art. 18, paragraph 2); anonymization, blocking, or deletion of unnecessary or excessive data (Art. 18, IV) |
| Automated decision-making review | Yes (Art. 22) | Yes (Art. 20: right to review) |
| Information about sharing | Included in access right | Yes (Art. 18, VII: information about shared entities) |
| Withdrawal of consent | Yes (Art. 7(3)) | Yes (Art. 18, IX) |
| Right to petition the authority | Yes | Yes (Art. 18, paragraph 1: petition to ANPD) |
A notable difference: the LGPD's Article 20 grants the right to request a review of decisions taken solely on the basis of automated processing, but does not require that the review be performed by a human, as the GDPR's Article 22(3) does. Congress had added "by a natural person" to Article 20 in 2019, and the phrase was removed by presidential veto. The ANPD has not yet issued detailed guidance on how this right should be implemented.
DPO Requirements
Both laws provide for a data protection officer (called "encarregado" in the LGPD), but the trigger for appointing one and the requirements placed on the role differ substantially.
Under the GDPR, a DPO is mandatory only for public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organizations whose core activities involve large-scale processing of special categories of data or data about criminal convictions. The GDPR specifies detailed requirements (Articles 37-39): the DPO must have expert knowledge of data protection law, operate independently, report directly to the highest management level, and cannot be dismissed or penalized for performing their duties.
The LGPD as enacted required every controller to appoint an encarregado, regardless of size or processing activities. Resolution CD/ANPD No. 2/2022 later exempted small-scale processing agents (small businesses, startups, and individual entrepreneurs) from appointing one, provided their processing is not high-risk, though they must still maintain a contact channel for data subjects. The LGPD does not prescribe the encarregado's qualifications or mandate their independence with the specificity the GDPR does.
International Data Transfers
Both frameworks restrict cross-border data transfers, following similar structures.
The GDPR allows transfers to countries with an EU adequacy decision and provides mechanisms including Standard Contractual Clauses, Binding Corporate Rules, codes of conduct, and certification mechanisms. The [EU-US Data Privacy Framework](/world-laws/world-data-privacy-laws/eu-us-data-privacy-framework) governs transfers to certified US organizations.
The LGPD's Article 33 allows international transfers when:
- The receiving country provides an adequate level of protection (as determined by the ANPD)
- The controller offers guarantees through standard contractual clauses, binding corporate rules, or certifications
- The transfer is necessary for international legal cooperation, protection of life, public policy, or consent
As of March 2026, the ANPD has not issued adequacy determinations for specific countries. The ANPD approved its international transfer regulation, including Brazilian standard contractual clauses, in Resolution CD/ANPD No. 19/2024, but the framework remains far less mature than the EU's, which has adequacy decisions for more than a dozen jurisdictions. This gap creates practical challenges for companies that need to transfer data out of Brazil.
Enforcement and Penalties
The penalty structures differ significantly, both in maximum amounts and enforcement models.
| Enforcement Aspect | GDPR | LGPD |
|---|---|---|
| Enforcing authority | National DPAs (30+ authorities) | ANPD (single federal authority) |
| Maximum fine | EUR 20 million or 4% of global annual turnover, whichever is higher | 2% of the entity's, group's or conglomerate's revenue in Brazil in the last fiscal year (net of taxes), capped at BRL 50 million per violation (roughly USD 10 million at recent exchange rates) |
| Revenue calculation | Global annual turnover | Revenue in Brazil (group or conglomerate) |
| Daily penalty | Available in some jurisdictions | Yes (up to BRL 50 million total) |
| Non-monetary sanctions | Warnings, processing bans, data deletion orders | Warnings, publicity of violation, blocking/deletion of data, processing suspension |
| Government entities | Subject to fines | Exempt from fines (subject to other sanctions) |
| Private right of action | Varies by member state | Yes, under consumer protection and civil liability law |
The GDPR's 4% of global revenue calculation produces dramatically higher potential fines for large multinationals. The LGPD's 2% cap applies to revenue in Brazil specifically, and the BRL 50 million ceiling further limits exposure. However, the LGPD's sanctions regime includes the power to suspend processing activities, which can be operationally devastating.
The ANPD issued its first fines in 2023 and has gradually ramped up enforcement. The agency is still building capacity compared to established European DPAs like France's CNIL or Ireland's Data Protection Commission. Brazilian courts also handle data protection claims through consumer protection law (the Código de Defesa do Consumidor), creating a parallel enforcement path.
Data Breach Notification
The GDPR (Article 33) requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Affected individuals must be notified directly (Article 34) if the breach is likely to pose a high risk to them.
The LGPD's Article 48 requires controllers to notify the ANPD and the affected data subjects of security incidents that may cause significant risk or damage, within a "reasonable timeframe" to be defined by the ANPD. The statute itself sets no fixed deadline. The ANPD filled that gap with Resolution CD/ANPD No. 15/2024 (the security incident communication regulation), which requires notification to the ANPD within three business days of the controller becoming aware of the incident, and notification of the affected data subjects within the same period. The ANPD's earlier, non-binding recommendation had been two business days.
Data Protection Impact Assessments
Both laws provide for impact assessments, but with different names and different triggers.
The GDPR requires a Data Protection Impact Assessment (DPIA) under Article 35 before processing that is likely to result in a high risk to individuals' rights and freedoms. Article 35(3) lists three scenarios that always require a DPIA: systematic and extensive evaluation of personal aspects based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special categories of data or criminal conviction data; and large-scale systematic monitoring of publicly accessible areas.
The LGPD's Article 38 allows the ANPD to require a controller to produce a "Relatório de Impacto à Proteção de Dados Pessoais" (data protection impact report, defined in Article 5, XVII). Unlike the GDPR, the LGPD does not require controllers to proactively conduct an impact assessment before high-risk processing. The ANPD can request the report at any time, so in practice controllers should be able to produce one on demand, but the statutory obligation is reactive rather than proactive.
Practical Compliance for Multinational Organizations
Companies operating in both the EU/EEA and Brazil face overlapping obligations. The GDPR's stricter requirements in most areas mean that a GDPR-compliant program covers much of the LGPD's requirements. Key areas where LGPD-specific attention is needed:
- Additional legal bases: Companies relying on legitimate interests under the GDPR may find additional bases available under the LGPD (credit protection, health protection, research). Document which LGPD basis applies to each processing activity.
- DPO/Encarregado: The LGPD's broader DPO requirement (all controllers, with limited exemptions) may require appointing an encarregado even when a GDPR DPO is not required.
- Breach notification timeline: The LGPD deadline under Resolution CD/ANPD No. 15/2024 is three business days from awareness, counted in Brazilian business days, while the GDPR's is 72 calendar hours. An incident response plan covering both jurisdictions should track both clocks from the moment of awareness, since the 72-hour GDPR deadline will usually expire first.
- Government contracts: The LGPD's distinct treatment of public entities affects companies that process data on behalf of Brazilian government agencies.
For more detail on the GDPR framework, see our complete GDPR guide. For Brazil's LGPD, see our Brazil data privacy laws guide.
This information reflects the law as of March 2026. Both the GDPR and LGPD continue to evolve through regulatory guidance and enforcement decisions. Consult an attorney for advice specific to your situation.
Sources and References
- LGPD Full Text (Lei No. 13.709/2018), planalto.gov.br
- GDPR Article 6 - Lawfulness of Processing, gdpr-info.eu
- GDPR Article 9 - Special Categories of Data, gdpr-info.eu
- GDPR Article 35 - Data Protection Impact Assessment, gdpr-info.eu
- GDPR Article 37 - Designation of the DPO, gdpr-info.eu
- ANPD (Autoridade Nacional de Proteção de Dados) Official Site, gov.br
- European Commission - Data Protection, commission.europa.eu
- GDPR Article 33 - 72-Hour Breach Notification Rule, gdpr-info.eu