Key takeaways

  • GDPR and Brazil’s LGPD impose related but distinct obligations, and because LGPD is substantially modeled on GDPR, combined compliance is more straightforward than for many other jurisdictional pairings.
  • They overlap substantially across lawful basis, data subject rights, controller and processor roles, DPO appointment, DPIA, breach notification, and security obligations.
  • Key differences include GDPR’s strict 72-hour breach notification versus LGPD’s “reasonable time”, and GDPR’s Article 27 EU Representative requirement, for which LGPD has no equivalent.
  • Both require notification of personal data breaches to the supervisory authority, with GDPR at 72 hours and ANPD guidance suggesting 2 business days for serious incidents.
  • We coordinate GDPR outsourced DPO with LGPD compliance work, covering Brazil-specific notice sections, the DPO/Encarregado function, transfer mechanisms, and coordinated breach response.

What each framework is

GDPR is the EU privacy law, applicable from 2018. It is enforced by member state supervisory authorities and carries maximum fines of €20 million or 4 percent of global annual turnover.

LGPD is the Brazilian privacy law, Lei nº 13.709/2018. It took effect in August 2020, with enforcement beginning in August 2021, and is enforced by the Autoridade Nacional de Proteção de Dados (ANPD). Maximum fines are 2 percent of revenue in Brazil, capped at 50 million reais per violation.

The two frameworks were drafted around similar privacy principles, with LGPD substantially modeled on GDPR. The structural similarity makes combined compliance more straightforward than for many other jurisdictional pairings.

Where they overlap

Substantial overlap exists across:

  • Lawful basis for processing. Both require a legal basis for processing personal data. The 10 LGPD legal bases substantially overlap with GDPR’s six lawful bases, with adaptations.
  • Data subject rights. Both grant similar rights including access, correction, deletion, portability, restriction, opposition, and information.
  • Controller and processor roles. Both define controller and processor with similar obligations. Both require controller-processor agreements.
  • DPO appointment. Both require DPO appointment (LGPD calls the role the Encarregado). LGPD lacks GDPR’s Article 37-style appointment thresholds, but in practice most controllers appoint one.
  • DPIA. Both require risk assessments for high-risk processing (LGPD calls it Relatório de Impacto à Proteção de Dados Pessoais or RIPD).
  • Breach notification. Both require notification of personal data breaches to the supervisory authority. LGPD timeline is “reasonable time” with ANPD guidance suggesting 2 business days for serious incidents. GDPR is 72 hours.
  • Security obligations. Both require appropriate security measures.
  • Transparency. Both require transparent information to data subjects about processing.

Where they do not overlap

LGPD-specific elements not directly in GDPR:

  • Legal basis for “regular exercise of rights.” LGPD includes lawful bases with no direct GDPR counterpart, such as credit protection, health care, and the regular exercise of rights in judicial, administrative, or arbitration proceedings.
  • Brazilian portability rules. LGPD portability includes the right to data portability to another service or product provider, with operational implications.
  • DPO public contact. LGPD requires DPO contact to be publicly accessible.
  • Brazilian residency considerations for sensitive data processing.

GDPR-specific elements not directly in LGPD:

  • Strict 72-hour breach notification timeline. LGPD’s “reasonable time” is generally interpreted as longer than 72 hours, though ANPD has tightened expectations.
  • Specific Article 22 automated decision-making rights with carve-out structure.
  • Standard Contractual Clauses framework for international transfers. LGPD has international transfer mechanisms but they are less developed.
  • Specific Article 27 EU Representative requirement. LGPD does not have an equivalent for non-Brazilian companies.
  • EU-specific sectoral rules (ePrivacy, NIS2, DORA, AI Act).

International data transfers

GDPR Chapter V requires specific mechanisms for transfers outside the EEA. LGPD Article 33 requires specific bases for transfers from Brazil including adequacy decision, specific safeguards (similar to SCCs), or legal exception.

For companies operating in both jurisdictions, transfer mechanisms must address:

  • EU-Brazil transfers. Brazil is not covered by an EU adequacy decision. Most companies use SCCs (EU SCCs plus Brazilian contractual safeguards) for EU-to-Brazil transfers.
  • Brazil-EU transfers. Similar mechanisms in reverse.
  • US transfers from both jurisdictions. EU-US DPF for the EU; LGPD-specific transfer mechanisms for Brazil-US transfers.

DPO and Encarregado

Many companies operating in both jurisdictions appoint a single global privacy lead who serves as DPO under GDPR and Encarregado under LGPD, often with local Brazilian support for ANPD engagement and Portuguese language work.

The Encarregado contact must be publicly accessible per ANPD guidance, typically through the privacy notice.

How to integrate the two

Single global privacy program meeting the stricter standard. Where GDPR is stricter (most areas), build to GDPR. Where LGPD is stricter or has unique requirements, add Brazil-specific elements.

Privacy notice with Brazil section. Add LGPD-specific disclosures including Encarregado contact, data subject rights in Brazil, and Brazilian processing legal bases.

DPA template covering both. A single DPA template can cover GDPR Article 28 requirements and LGPD controller-processor requirements with minor additions.

Coordinated breach response. Build for the stricter 72-hour GDPR timeline and Brazilian “reasonable time” expectation, with notification triggers for both authorities where breaches affect both jurisdictions.

Single DPIA template. Use one template that addresses both GDPR DPIA and LGPD RIPD requirements.

Brazilian language support. Privacy notices and data subject communications typically need Portuguese.

How Engage Compliance helps

For clients serving Brazilian customers alongside EU and US customers, we coordinate GDPR outsourced DPO with LGPD compliance work. For specific Brazilian regulatory engagement and Portuguese-language operations, we coordinate with Brazilian privacy practitioners.

Coverage includes:

  • LGPD-specific privacy notice sections.
  • DPO/Encarregado function (with Brazilian coordination where needed).
  • International transfer mechanisms covering Brazil.
  • Coordinated breach response across jurisdictions.
  • DPA templates addressing both frameworks.

For Brazil-specific ANPD engagement requiring Portuguese language and local presence, we coordinate with Brazilian specialist firms.

Get started

If you serve Brazilian customers alongside EU operations, book a consultation.

This page is general information, not legal advice.

Frequently asked questions

Does LGPD compliance mean we are also GDPR compliant?

No. Because LGPD is substantially modeled on GDPR, the two overlap to a large degree, but they remain distinct frameworks. The practical approach is a single global program built to the stricter standard, which is usually GDPR, with Brazil-specific elements added.

What is the breach notification timeline under LGPD compared to GDPR?

GDPR requires notification to the supervisory authority within 72 hours. LGPD requires notification within a “reasonable time”, with ANPD guidance suggesting 2 business days for serious incidents.

Does LGPD have an equivalent of the GDPR EU Representative?

No. LGPD has no Article 27-style EU Representative requirement for non-Brazilian companies.

Can one person serve as both our DPO and our Encarregado?

Yes. Many companies appoint a single global privacy lead who serves as DPO under GDPR and Encarregado under LGPD, often with local Brazilian support for ANPD engagement. The Encarregado contact must be publicly accessible, typically through the privacy notice.

How do EU to Brazil data transfers work?

Brazil is not covered by an EU adequacy decision, so most companies use Standard Contractual Clauses together with Brazilian contractual safeguards for EU-to-Brazil transfers, with similar mechanisms in reverse.