GDPR vs LGPD: EU vs Brazil Privacy Law Comparison (2026)
The EU GDPR and Brazil's LGPD (Law No. 13.709/2018) share foundational principles but differ on three key structural points: the LGPD offers 10 lawful bases versus the GDPR's 6, caps fines at Brazilian revenue rather than global turnover, and routes all enforcement through a single national authority instead of 30-plus DPAs.
The EU's General Data Protection Regulation (GDPR) and Brazil's Lei Geral de Proteção de Dados (LGPD, Law No. 13.709/2018) are two of the world's most consequential data protection frameworks. The LGPD was directly inspired by the GDPR, and the two laws share a common architecture. Yet they diverge in meaningful ways: legal bases, penalty structures, enforcement models, breach notification timelines, and DPO requirements all differ.
This comparison covers every significant structural difference between the two frameworks, including the transformative January 2026 mutual adequacy decision that now allows free data flow between the EU and Brazil.
Quick Answer: GDPR vs LGPD at a Glance
The GDPR applies across the entire European Economic Area. The LGPD applies to all data processing connected to Brazil. Both laws share core principles (purpose limitation, data minimization, transparency, accountability) and both require a data protection officer, data subject rights, breach notification, and international transfer controls.
The main differences: the LGPD offers more lawful bases (10 vs 6), caps fines at Brazilian revenue rather than global revenue, is enforced by a single national authority rather than 30+ DPAs, and has historically imposed less prescriptive DPO independence rules. As of January 2026, the two regimes officially recognize each other as adequate, the single biggest development since both laws took effect.
The Two Regimes at a Glance
| Feature | GDPR | LGPD |
|---|---|---|
| Jurisdiction | EU/EEA (27 member states + Norway, Iceland, Liechtenstein) | Brazil |
| Enacted | April 14, 2016 | August 14, 2018 |
| Enforceable | May 25, 2018 | September 18, 2020 (fines: August 1, 2021) |
| Enforcing authority | 30+ national DPAs + EDPB | ANPD (single federal authority) |
| Lawful bases | 6 (Art. 6) | 10 (Art. 7) |
| Max fine | EUR 20M or 4% of global revenue | 2% of Brazil revenue, capped at BRL 50M per violation |
| Breach notification | 72 hours to DPA | ANPD recommends 2 business days (binding rule pending) |
| DPO required | Conditional (public bodies, high-risk/large-scale processing) | All controllers (with limited SME exemption via Resolution 2/2022) |
| Mutual adequacy | Yes: EU Implementing Decision (EU) 2026/179, January 27, 2026 | Yes: ANPD Resolution CD/ANPD No. 32, January 26, 2026 |
Shared DNA and Structural Similarities
The LGPD borrowed its foundational architecture from the GDPR deliberately. Brazilian legislators studied the GDPR and incorporated its core building blocks: data subject rights, controller/processor roles, lawful bases for processing, special categories of sensitive data, restrictions on international transfers, and a dedicated supervisory authority.
Both laws define personal data broadly to cover any information relating to an identified or identifiable natural person. Both recognize a distinct category of sensitive data requiring heightened protection. Both require controllers to implement appropriate technical and organizational security measures, conduct impact assessments for high-risk processing, and document their processing activities.
The practical result: a GDPR-compliant program provides a strong foundation for LGPD compliance. But the gaps are material enough that a GDPR program alone does not equal LGPD compliance.
Scope and Applicability
The GDPR's territorial reach is extraterritorial by design. It applies to any organization that processes personal data of individuals in the EEA, regardless of where the organization is established. An e-commerce company based in the United States that sells to EU residents is subject to the GDPR.
The LGPD applies to any processing operation carried out in Brazil, aimed at offering goods or services to individuals in Brazil, or involving personal data collected in Brazil. Like the GDPR, it does not require the organization to have a physical presence in Brazil.
The LGPD applies to both for-profit and nonprofit organizations. Exceptions include purely personal or household processing, journalistic or artistic purposes, academic research conducted for the public interest, public security, national defense, and criminal investigation. One meaningful difference: the LGPD applies to government data processing but exempts public entities from monetary fines. Government bodies can receive warnings, mandatory disclosure of violations, and processing suspension orders, but not the BRL 50 million financial penalties that apply to private companies.
Terminology Comparison
| GDPR Term | LGPD Equivalent |
|---|---|
| Data subject | Titular |
| Personal data | Dados pessoais |
| Special categories / sensitive data | Dados pessoais sensíveis (Art. 5, II) |
| Controller | Controlador |
| Processor | Operador |
| Data Protection Officer | Encarregado |
| Supervisory authority / DPA | ANPD |
The LGPD's definition of sensitive personal data closely mirrors the GDPR's special categories but explicitly includes philosophical belief (alongside religious belief) and treats data about children and adolescents as a standalone sensitive category requiring special treatment under Article 14 of the LGPD.
Lawful Bases for Processing: Six vs Ten
This is the most significant structural difference between the two frameworks.
The GDPR provides six lawful bases under Article 6: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests.
The LGPD provides ten lawful bases under Article 7. It retains all six GDPR bases and adds four more:
| Legal Basis | GDPR | LGPD |
|---|---|---|
| Consent | Yes (Art. 6(1)(a)) | Yes (Art. 7, I) |
| Contract performance | Yes (Art. 6(1)(b)) | Yes (Art. 7, V) |
| Legal or regulatory obligation | Yes (Art. 6(1)(c)) | Yes (Art. 7, II) |
| Vital interests | Yes (Art. 6(1)(d)) | Covered under health protection and life protection |
| Public interest / public task | Yes (Art. 6(1)(e)) | Yes (Art. 7, III) |
| Legitimate interests | Yes (Art. 6(1)(f)) | Yes (Art. 7, IX) |
| Studies by research bodies | Subsumed under public interest | Yes, standalone basis (Art. 7, IV) |
| Exercise of rights in judicial, admin, or arbitration proceedings | Subsumed under legal obligation | Yes, standalone basis (Art. 7, VI) |
| Health or life protection | Subsumed under vital interests | Yes, standalone basis (Art. 7, VIII) |
| Credit protection | Not a separate basis | Yes, unique to LGPD (Art. 7, X) |
The credit protection basis is unique to Brazilian law. It reflects the economic importance of credit scoring and financial data systems in Brazil's market. A financial institution processing customer data to run a credit check can rely on this basis directly.
The health protection basis covers procedures by health professionals, health services, or sanitary authorities. It operates similarly to the GDPR's vital interests exception but is explicitly scoped to the health and sanitary sector rather than any life-threatening emergency.
For sensitive personal data, the GDPR requires explicit consent or one of the narrow exceptions in Article 9(2). The LGPD's Article 11 allows processing of sensitive data without consent when indispensable for legal obligations, public policy, research, exercise of rights, health protection, life protection, or fraud prevention.
Data Subject Rights Compared
Both frameworks give individuals comprehensive rights over their personal data, with significant overlap.
| Right | GDPR | LGPD |
|---|---|---|
| Confirmation of processing | Yes (Art. 15) | Yes (Art. 18, I) |
| Access to data | Yes (Art. 15) | Yes (Art. 18, II) |
| Rectification | Yes (Art. 16) | Yes (Art. 18, III) |
| Erasure / deletion | Yes, "right to be forgotten" (Art. 17) | Yes (Art. 18, VI) |
| Data portability | Yes (Art. 20) | Yes (Art. 18, V) |
| Restriction of processing | Yes (Art. 18) | No direct equivalent |
| Objection to processing | Yes (Art. 21) | Yes (Art. 18, IV: anonymization, blocking, or deletion) |
| Automated decision-making review | Yes, right to human review (Art. 22) | Yes (Art. 20), but human review not explicitly required |
| Information about sharing | Included in right of access | Explicit standalone right (Art. 18, VII) |
| Withdrawal of consent | Yes (Art. 7(3)) | Yes (Art. 18, IX) |
| Petition to the authority | Yes | Yes (Art. 18, para. 1) |
Two differences worth noting. First, the LGPD does not include an explicit right to restriction of processing comparable to GDPR Article 18. Data subjects can request anonymization, blocking, or deletion, but there is no mechanism to simply pause processing while a dispute is resolved.
Second, the LGPD's Article 20 grants the right to request a review of automated decisions, but unlike GDPR Article 22, it does not explicitly require human review. The ANPD's 2025-2026 regulatory agenda includes issuing binding guidance on automated decision-making rights, but that guidance had not been finalized as of May 2026.
On response timelines, the LGPD imposes a 15-day deadline for providing a detailed response to a data subject's access request. The GDPR gives controllers 30 days (extendable to three months for complex requests). The shorter LGPD window creates tighter operational pressure for organizations handling high volumes of requests.
Supervisory Authorities: ANPD vs EU DPAs
The structural difference in enforcement architecture is significant.
Under the GDPR, enforcement is distributed across 30-plus national Data Protection Authorities, coordinated by the European Data Protection Board (EDPB). For cross-border processing involving multiple EU member states, the "one-stop-shop" mechanism designates a lead DPA in the country of the controller's EU establishment, with other DPAs acting as "concerned authorities." This has produced landmark fines from Ireland's DPC (which supervises Meta, Google, and Apple for EU purposes) and France's CNIL.
The LGPD is enforced by a single federal authority: the ANPD. The ANPD was established in 2020 and elevated to a fully independent federal regulatory agency in February 2025, giving it functional, technical, decision-making, administrative, and financial autonomy. This independence insulates the ANPD from political pressure and puts it on par with Brazil's Central Bank and competition authority (CADE) in institutional terms.
The ANPD's enforcement capacity is still developing compared to the most active European DPAs. Its first significant enforcement actions came in 2023 and 2024. Through 2025, total ANPD fines and sanctions reached approximately BRL 98 million (roughly USD 20 million).
Penalties Compared
The penalty regimes differ both in scale and in calculation method.
| Enforcement Aspect | GDPR | LGPD |
|---|---|---|
| Maximum fine | EUR 20 million or 4% of global annual revenue (whichever is higher) | 2% of company's revenue in Brazil, capped at BRL 50 million (~USD 10 million) per violation |
| Revenue base | Global annual turnover | Brazilian revenue only (group or conglomerate) |
| Daily fine | Available in some member state jurisdictions | Yes (subject to BRL 50 million aggregate cap) |
| Non-monetary sanctions | Warnings, processing bans, data deletion orders | Warnings, public disclosure, data blocking/deletion, processing suspension |
| Government entities | Subject to fines in most member states | Exempt from monetary fines |
| Private right of action | Varies by member state | Yes, under consumer protection law and civil liability |
For large multinationals, the GDPR's 4% of global revenue base produces dramatically higher exposure. A company with USD 10 billion in global revenue faces a maximum GDPR fine of USD 400 million; the same company's maximum LGPD fine is capped at roughly USD 10 million regardless of global scale.
The LGPD also includes processing suspension as a sanction, which can be operationally significant even without a large monetary penalty. The ANPD used this power in its Meta case: in July 2024, the ANPD ordered Meta to immediately suspend its use of Brazilian users' personal data for AI training, backed by a daily fine of BRL 50,000 for non-compliance. The suspension was lifted by late August 2024 after Meta agreed to a monitored compliance plan. The ANPD found that Meta had inadequately relied on legitimate interest as the legal basis for AI training, lacked transparency about processing details, and failed to protect minors' data.
DPO and Encarregado Requirements
Both laws require a data protection officer (the LGPD calls the role encarregado), but the requirements differ substantially.
Under the GDPR, a DPO is mandatory only for: public authorities and bodies, organizations whose core activities involve regular and systematic monitoring of individuals at large scale, and organizations that process special categories of data or criminal conviction data at large scale (Article 37). The GDPR specifies that the DPO must have expert knowledge of data protection law, must operate independently, must report directly to senior management, and cannot be dismissed or penalized for performing their duties.
Under the LGPD, all controllers were originally required to appoint an encarregado regardless of size or processing scope. The ANPD subsequently issued Resolution CD/ANPD No. 2/2022, which exempts small-scale processing agents (small businesses, startups, and individual entrepreneurs) from the requirement unless they process high-risk data. The LGPD does not prescribe the encarregado's qualifications with the same specificity as the GDPR, and the independence requirements are less rigorous. The encarregado must be publicly identified (name and contact information must be published), but there is no mandatory direct reporting line to the board.
A practical gap: a company that is not a public body and does not conduct large-scale systematic monitoring may not need a GDPR DPO, but if it processes personal data of Brazilian individuals as a controller, it may still need an LGPD encarregado (unless the small-business exemption applies).
Data Breach Notification
The GDPR requires controllers to notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights. Affected individuals must be notified directly without undue delay when the breach poses a high risk.
The LGPD's Article 48 requires controllers to notify the ANPD and affected data subjects of security incidents that may cause significant risk or damage. The law does not specify a fixed notification window. The ANPD has recommended a "reasonable timeframe" of two business days for notification, but this remains guidance rather than a binding legal deadline as of May 2026. The ANPD has stated it plans to issue binding breach notification regulations as part of its regulatory agenda, but that rulemaking was still pending.
For multinational organizations, the practical approach is to apply the GDPR's 72-hour clock as the internal standard. Any breach requiring GDPR notification should simultaneously trigger the LGPD notification process if Brazilian data subjects are affected.
Data Protection Impact Assessments
Both laws provide for impact assessments but with different triggers and compliance structures.
The GDPR requires a Data Protection Impact Assessment (DPIA) under Article 35 whenever processing is likely to result in a high risk to individuals' rights. Three categories always require a DPIA: systematic evaluation involving profiling, large-scale processing of sensitive data, and large-scale systematic monitoring of public areas. Controllers must document the DPIA and, in some cases, consult the supervisory authority before proceeding.
The LGPD's Article 38 takes a reactive approach: the ANPD can request that a controller produce a Relatório de Impacto à Proteção de Dados Pessoais (RIPD) at any time. Controllers are not required to proactively conduct an RIPD before undertaking high-risk processing. However, the ANPD's 2025-2026 regulatory agenda lists DPIAs as a priority topic for new binding regulation, and organizations operating in Brazil should begin conducting RIPDs for high-risk processing now rather than waiting for the requirement to become mandatory.
International Data Transfers
The January 2026 Mutual Adequacy Decision
On January 27, 2026, the European Commission and Brazil simultaneously adopted mutual adequacy decisions. The EU adopted Implementing Decision (EU) 2026/179, recognizing Brazil as a country that provides a level of data protection essentially equivalent to the GDPR under Article 45. Brazil reciprocated through ANPD Resolution CD/ANPD No. 32 of January 26, 2026, recognizing the EU as an adequate jurisdiction under the LGPD.
The practical consequences are significant in both directions:
Transfers from the EU to Brazil can now proceed without Standard Contractual Clauses, Binding Corporate Rules, or any other Article 46 safeguard mechanism. The adequacy decision covers both public and private sector transfers, with the standard exclusion for national security, defense, and criminal investigation purposes.
Transfers from Brazil to the EU can proceed under the ANPD's adequacy finding without additional contractual safeguards.
The decision is subject to a formal review every four years. The EDPB's Opinion 28/2025 was broadly supportive but invited the European Commission to continue monitoring Brazil's implementation of DPIAs, onward transfer rules, transparency restrictions, and public authority access safeguards.
Resolution CD/ANPD No. 19/2024 and the SCC Framework
Before the adequacy decision, the key framework for outbound transfers from Brazil was ANPD Resolution 19/2024, published on August 23, 2024. That resolution established Brazil's Standard Contractual Clauses for international data transfers and set a one-year grace period for companies to incorporate them. The grace period expired on August 23, 2025, after which transfers from Brazil to non-adequate third countries required SCCs or another approved mechanism.
For transfers from Brazil to EU organizations, the ANPD's January 2026 adequacy finding now displaces the SCC requirement. For transfers to other jurisdictions, the Resolution 19/2024 framework (SCCs, Binding Corporate Rules, or specific contractual clauses) remains the required safeguard.
Organizations that executed Brazil-specific SCCs for EU-Brazil flows may wish to update their transfer documentation to reference the adequacy basis. The SCCs remain technically valid but are no longer legally required for that transfer leg.
Enforcement in Practice: The ANPD Record
The ANPD's first formal enforcement actions came in 2023. In 2024, the authority applied sanctions against three Brazilian public entities: the Regional Department of Education of the Federal District (SEEDF), the National Social Security Institute (INSS), and the Ministry of Health. All three cases involved failures in breach notification and inadequate security measures. Because these are government bodies, the sanctions were warnings and mandatory public disclosure rather than monetary fines.
The ANPD's most prominent private-sector action was the July 2024 suspension of Meta's AI training on Brazilian user data. The ANPD found that Meta's updated privacy policy inadequately relied on legitimate interest as the legal basis for AI training, failed to be transparent about processing details, created obstacles to the exercise of data subject rights, and lacked proper safeguards for minors' data. The suspension was enforced with a BRL 50,000 daily fine. Meta and the ANPD reached an agreement by late August 2024 under which Meta committed to a monitored compliance plan in exchange for the suspension being lifted.
Through 2025, total ANPD enforcement resulted in approximately BRL 98 million in fines and sanctions. The ANPD's institutional independence (secured in February 2025) and its stated 2026-2027 enforcement priorities signal a more active enforcement period ahead.
Recent Developments: 2024-2026 Regulatory Agenda
ANPD 2026-2027 Priority Issues
In December 2025, the ANPD published Resolution CD/ANPD No. 30, setting its Map of Priority Issues for the 2026-2027 biennium, and Resolution CD/ANPD No. 31/2025, updating its 2025-2026 regulatory agenda. The four priority enforcement and regulatory areas are:
- Data subject rights, with special focus on sensitive data used for advertising purposes
- Protection of children and adolescents under the Digital ECA, including age verification and privacy by default requirements
- Public authority compliance with the LGPD, including data governance and sharing rules between government entities
- AI and emerging technologies, including supervision of personal data use in AI systems
Binding regulations on DPIAs, automated decision-making rights, and breach notification timelines are all on the agenda for issuance.
Brazil's AI Bill
The Brazilian Senate passed AI Bill No. 2338/2023 on December 10, 2024, and forwarded it to the Chamber of Deputies in March 2025. The bill adopts a risk-based approach modeled closely on the EU AI Act, categorizing AI systems as excessive risk, high risk, or general use. Under the bill, the ANPD would serve as the primary regulator for AI systems that process personal data, with sector-specific regulators playing a concurrent role.
Final enactment remains uncertain. Political consensus in the Chamber of Deputies was still lacking as of early 2026, and Brazil's election cycle in 2026 reduces the likelihood of passage before 2027. Companies should monitor legislative progress but should not yet rely on the AI bill as a compliance baseline.
Dual-Compliance Guidance
Organizations operating under both the GDPR and LGPD should treat the frameworks as complementary rather than duplicative. The following areas need LGPD-specific attention even for GDPR-compliant programs.
Lawful bases. Map LGPD bases to every processing activity separately from your GDPR mapping. Activities relying on legitimate interests under the GDPR may have a more specific LGPD basis available (credit protection, health protection, research by research bodies). Document both.
DPO / encarregado. A company that does not trigger the GDPR's conditional DPO requirement may still need an encarregado under the LGPD unless the small-business exemption under Resolution CD/ANPD 2/2022 applies. The encarregado must be publicly named with contact information.
Breach notification. The LGPD has no fixed statutory clock. Treat the ANPD's two-business-day recommendation as your internal standard, running in parallel with the GDPR's 72-hour window.
DPIA / RIPD. Proactively conduct RIPDs for high-risk processing even though the LGPD does not yet require it. The ANPD can demand them at any time, and a binding proactive requirement is forthcoming.
Response timelines. The LGPD's 15-day deadline for detailed access responses is shorter than the GDPR's 30 days. Configure subject-access-request workflows to the tighter LGPD deadline.
International transfers. As of January 27, 2026, EU-Brazil data flows are covered by mutual adequacy in both directions. Update your Records of Processing Activities to reflect the adequacy basis rather than SCCs for those transfer legs. For transfers from Brazil to other non-adequate countries, Resolution 19/2024 SCCs remain required.
Government contractors. The LGPD's distinct treatment of public entities affects companies that process personal data as operators on behalf of Brazilian government agencies. Specific rules apply to government data sharing.
For a deep dive on the GDPR framework, see our complete EU data privacy laws guide. For Brazil's LGPD in isolation, see our Brazil data privacy laws guide.
This page reflects the law as of May 2026. Both the GDPR and LGPD continue to evolve through regulatory guidance and enforcement decisions. Consult a qualified attorney for advice specific to your organization.
Frequently Asked Questions
Is the LGPD basically a copy of the GDPR?
The LGPD was heavily inspired by the GDPR but is not a direct copy. It shares the same foundational principles (purpose limitation, data minimization, transparency, accountability) but diverges in several areas. The LGPD has 10 lawful bases versus the GDPR's 6, caps fines at 2% of Brazilian revenue rather than 4% of global revenue, is enforced by a single authority rather than a network of 30+ DPAs, and has a shorter response window for data subject access requests (15 days vs 30 days).
Which law has higher fines, GDPR or LGPD?
The GDPR has substantially higher maximum fines for large companies. GDPR penalties reach EUR 20 million or 4% of global annual turnover, whichever is higher. LGPD penalties cap at 2% of the company's revenue in Brazil, with a ceiling of BRL 50 million (approximately USD 10 million) per violation. For a multinational with USD 5 billion in global revenue, GDPR exposure reaches USD 200 million; LGPD exposure is capped at USD 10 million regardless of global scale.
Does the LGPD require consent for all data processing?
No. Like the GDPR, the LGPD provides multiple lawful bases for processing personal data. The LGPD actually offers more options than the GDPR, with 10 lawful bases including consent, legitimate interests, contract performance, legal obligation, credit protection, and health protection. Consent is one option among many, not the default requirement.
Does Brazil have an adequacy decision from the EU?
Yes. On January 27, 2026, the European Commission adopted Implementing Decision (EU) 2026/179, formally recognizing Brazil as providing adequate data protection under GDPR Article 45. Personal data can now flow from the EU to Brazil without Standard Contractual Clauses or other Article 46 safeguards. Brazil simultaneously adopted ANPD Resolution CD/ANPD No. 32, recognizing the EU as adequate under the LGPD.
Can a company use the same privacy policy for GDPR and LGPD compliance?
A single global privacy policy can address both frameworks, but it must include LGPD-specific disclosures. The policy must reference the applicable LGPD lawful bases, name the encarregado with contact information, describe rights available under Brazilian law including the 15-day access response window, and explain how to petition the ANPD. Many multinational companies maintain one policy with jurisdiction-specific sections.
Does the LGPD require a Data Protection Impact Assessment?
Not proactively by default. The LGPD's Article 38 gives the ANPD the power to request a Relatório de Impacto à Proteção de Dados Pessoais (RIPD) at any time, but does not require controllers to conduct one before high-risk processing begins. The GDPR's Article 35 requires proactive DPIAs before certain high-risk activities. The ANPD's 2025-2026 regulatory agenda includes a binding proactive DPIA requirement, so organizations should begin conducting RIPDs for high-risk processing now.
What was the ANPD's action against Meta?
In July 2024, the ANPD ordered Meta to immediately suspend its use of Brazilian users' personal data for AI training, backed by a daily fine of BRL 50,000 for non-compliance. The ANPD found Meta's updated privacy policy inadequately relied on legitimate interest as the legal basis for AI training, lacked transparency, and failed to protect minors' data. The suspension was lifted by late August 2024 after Meta agreed to a monitored compliance plan.
Sources and References
- Implementing Decision (EU) 2026/179 — EU Adequacy Decision for Brazil (eur-lex.europa.eu)
- LGPD Full Text — Lei No. 13.709/2018 (planalto.gov.br)
- ANPD Official Site — Autoridade Nacional de Proteção de Dados (gov.br)
- European Commission — Data Protection Overview (commission.europa.eu)
- GDPR Article 6 — Lawfulness of Processing (gdpr-info.eu)
- GDPR Article 9 — Special Categories of Data (gdpr-info.eu)
- GDPR Article 35 — Data Protection Impact Assessment (gdpr-info.eu)
- GDPR Article 37 — Designation of the DPO (gdpr-info.eu)
- GDPR Article 33 — Breach Notification to Supervisory Authority (gdpr-info.eu)
- European Commission Press Release — EU-Brazil Adequacy Decision, January 2026 (ec.europa.eu)
- EDPB Opinion 28/2025 — Draft EU Adequacy Decision for Brazil (edpb.europa.eu)
- US International Trade Administration — Brazil New International Transfer Rules (trade.gov)
- IAPP — ANPD Becomes Independent Regulatory Agency (iapp.org)