GDPR and Brazil LGPD: How They Overlap and Where They Don't

For tech companies serving customers in both the EU and Brazil, GDPR and the Lei Geral de Proteção de Dados (LGPD) impose related but distinct obligations. The two frameworks share substantial structure, having both drawn from common privacy principles. This page covers what each requires, where they overlap, and how to coordinate compliance.

What each framework is

GDPR is the EU's privacy law, applicable from 2018. It is enforced by member state supervisory authorities, with maximum fines of 20 million euros or 4 percent of global annual turnover.

LGPD is Brazil's privacy law, Lei nº 13.709/2018. It took effect in August 2020, with enforcement beginning in August 2021. It is enforced by the Autoridade Nacional de Proteção de Dados (ANPD), with maximum fines of 2 percent of revenue in Brazil, capped at 50 million reais per violation.

The two frameworks were drafted around similar privacy principles, with LGPD substantially modeled on GDPR. The structural similarity makes combined compliance more straightforward than for many other jurisdictional pairings.

Where they overlap

Substantial overlap exists across:

  • Lawful basis for processing. Both require a legal basis for processing personal data. The 10 LGPD legal bases substantially overlap with GDPR's six lawful bases, with adaptations.

  • Data subject rights. Both grant similar rights including access, correction, deletion, portability, restriction, opposition, and information.

  • Controller and processor roles. Both define controller and processor with similar obligations. Both require controller-processor agreements.

  • DPO appointment. Both require DPO appointment (LGPD calls the role Encarregado). LGPD does not have the same specific Article 37-style threshold structure, but in practice most controllers appoint a DPO.

  • DPIA. Both require risk assessments for high-risk processing (LGPD calls it Relatório de Impacto à Proteção de Dados Pessoais or RIPD).

  • Breach notification. Both require notification of personal data breaches to the supervisory authority. The LGPD timeline is "reasonable time," with ANPD guidance suggesting 2 business days for serious incidents. The GDPR timeline is 72 hours.

  • Security obligations. Both require appropriate security measures.

  • Transparency. Both require transparent information to data subjects about processing.

Where they do not overlap

LGPD-specific elements not directly in GDPR:

  • Specific legal basis for "regular exercise of rights." LGPD includes specific lawful bases such as credit protection, health care, and the regular exercise of rights in judicial, administrative, or arbitration proceedings.

  • Brazilian portability rules. LGPD's portability right covers porting data to another service or product provider, with operational implications.

  • DPO public contact. LGPD requires DPO contact to be publicly accessible.

  • Brazilian residency considerations for sensitive data processing.

GDPR-specific elements not directly in LGPD:

  • Strict 72-hour breach notification timeline. LGPD's "reasonable time" is generally interpreted as longer than 72 hours, though ANPD has tightened expectations.

  • Specific Article 22 automated decision-making rights with carve-out structure.

  • Standard Contractual Clauses framework for international transfers. LGPD has international transfer mechanisms but they are less developed.

  • Specific Article 27 EU Representative requirement. LGPD does not have an equivalent for non-Brazilian companies.

  • EU-specific sectoral rules (ePrivacy, NIS2, DORA, AI Act).

International data transfers

GDPR Chapter V requires specific mechanisms for transfers outside the EEA. LGPD Article 33 requires specific bases for transfers from Brazil including adequacy decision, specific safeguards (similar to SCCs), or legal exception.

For companies operating in both jurisdictions, transfer mechanisms must address:

  • EU-Brazil transfers. ANPD has not been included in EU adequacy decisions. Most companies use SCCs (EU SCCs and Brazilian contractual safeguards) for EU-to-Brazil transfers.

  • Brazil-EU transfers. Similar mechanisms in reverse.

  • US transfers from both jurisdictions. EU-US DPF for the EU; LGPD-specific transfer mechanisms for Brazil-US transfers.

DPO and Encarregado

Many companies operating in both jurisdictions appoint a single global privacy lead who serves as DPO under GDPR and Encarregado under LGPD, often with local Brazilian support for ANPD engagement and Portuguese language work.

The Encarregado contact must be publicly accessible per ANPD guidance, typically through the privacy notice.

How to integrate the two

Single global privacy program meeting the stricter standard. Where GDPR is stricter (most areas), build to GDPR. Where LGPD is stricter or has unique requirements, add Brazil-specific elements.

Privacy notice with Brazil section. Add LGPD-specific disclosures including Encarregado contact, data subject rights in Brazil, and Brazilian processing legal bases.

DPA template covering both. A single DPA template can cover GDPR Article 28 requirements and LGPD controller-processor requirements with minor additions.

Coordinated breach response. Build for the stricter 72-hour GDPR timeline and Brazilian "reasonable time" expectation, with notification triggers for both authorities where breaches affect both jurisdictions.

Single DPIA template addressing both GDPR DPIA and LGPD RIPD requirements.

Brazilian language support. Privacy notices and data subject communications typically need Portuguese.

How Engage Compliance helps

For clients serving Brazilian customers alongside EU and US customers, we coordinate GDPR fractional DPO services with LGPD compliance work. For specific Brazilian regulatory engagement and Portuguese-language operations, we coordinate with Brazilian privacy practitioners.

Coverage includes:

  • LGPD-specific privacy notice sections.

  • DPO/Encarregado function (with Brazilian coordination where needed).

  • International transfer mechanisms covering Brazil.

  • Coordinated breach response across jurisdictions.

  • DPA templates addressing both frameworks.

For Brazil-specific ANPD engagement requiring Portuguese language and local presence, we coordinate with Brazilian specialist firms.

Get started

If you serve Brazilian customers alongside EU operations, book a consultation.