Loading…
If you already comply with GDPR, you're 80% of the way to LGPD. Both share ten guiding principles, similar data-subject rights, and a 72-hour-ish breach reporting regime. The divergence is in penalty mathematics (LGPD caps fines at 2% of revenue in Brazil or R$50M per violation), the small-controller exemption defined by ANPD Resolution CD/ANPD No. 2/2022, and the lack of a portability or automated-decision objection right. This guide tells you exactly where you can re-use GDPR work and where you need a delta.
| Dimension | 🇪🇺 GDPR | 🇧🇷 LGPD |
|---|---|---|
| Legal instrument | Regulation (EU) 2016/679 | Lei nº 13.709/2018 |
| Effective date | 25 May 2018 | Substantive provisions: Aug 2020; administrative sanctions: Aug 2021 |
| Territorial scope | EU + extraterritorial (Art. 3) | Processing in Brazil, or aimed at individuals in Brazil, or where data was collected in Brazil (Art. 3) |
| Lawful bases | Six (Art. 6) + special-category conditions (Art. 9) | Ten (Art. 7) — including legitimate interests, contract, legal obligation, public health, credit protection |
| Principles | Six (Art. 5) | Ten (Art. 6) — purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, accountability |
| Data Protection Officer | Mandatory in defined cases (Art. 37) | Mandatory for all controllers; small-controller exemption via ANPD Res. CD/ANPD No. 2/2022 |
| Maximum fine | €20M or 4% global turnover (Art. 83(5)) | Up to 2% of revenue in Brazil from previous fiscal year, capped at R$50M per violation |
| Per-day fines | Not standard structure | Allowed under Art. 52(III) — up to R$50M per infraction per day |
| Other penalties | Warning, processing ban (Art. 58) | Public infraction notice, blocking of data, deletion of data, partial/full suspension (Art. 52) |
| Breach notification | 72 hours to Supervisory Authority (Art. 33) | 3 business days to ANPD per Resolution CD/ANPD No. 15/2024 when reasonable risk/damage |
| Regulator | 27 EU Member State DPAs + EDPB | Autoridade Nacional de Proteção de Dados (ANPD) |
| DPO/Encarregado | Data Protection Officer | Encarregado de Proteção de Dados |
| Local representative | Article 27 EU Representative mandatory | Not formally required, but ANPD expects a Brazil contact point |
| Right to portability | Yes (Art. 20) | Yes (Art. 18, V) |
| Right to object to automated decisions | Yes (Art. 22) | Right to review by natural person (Art. 20) |
| Right to information about sharing | Implicit (Arts. 13–15) | Explicit (Art. 18, VII) — list of public/private entities personal data was shared with |
| Cross-border transfer | SCC/BCR/adequacy (Chapter V) | ANPD-approved mechanisms — Resolution CD/ANPD No. 19/2024 |
| Children's data | Default age of consent 16 (Member State variation) | Specific consent of parent/legal guardian for under 12 (Art. 14) |
| Anonymisation | Out of scope if irreversible (Recital 26) | Out of scope (Art. 12) — but stricter standard than GDPR for irreversibility |
| Sanctions started | May 2018 | Aug 2021 (initial ANPD warnings and small fines began) |
Close — same purpose, similar structure, much of the same vocabulary — but with 10 lawful bases instead of 6, 10 principles instead of 6, and a different penalty mathematics. ANPD's enforcement style is also still developing.
Mostly. The delta is: appoint an Encarregado de Proteção de Dados, file the ANPD notification artefact for material breaches within 3 business days, ensure your privacy notice mirrors LGPD's 10 principles, and use ANPD-approved mechanisms (Res. 19/2024) for cross-border transfer.
Maximum administrative fine is 2% of revenue in Brazil per violation, capped at R$50M (~$10M USD). Daily fines can compound rapidly. ANPD also has injunctive powers (data blocking, deletion order) which can be more disruptive than the cash penalty.
Yes — Article 3(II) catches "the processing activity has the objective of offering or providing goods or services" to individuals in Brazil, regardless of where you're established.
Enforcement has been ramping since 2023. ANPD has issued multiple Resolutions clarifying breach notification, sandboxes, small-controller exemptions. Penalty levels remain modest compared to GDPR but the trajectory is clearly toward more active enforcement.
Not strictly required by LGPD, but operational. The Encarregado must respond to ANPD and data subjects in a meaningful way; a local contact point or representation service (like RegulatoryBridge Brazil) covers that need.
Map controls once, comply twice. RegulatoryBridge gives you a single DSAR pipeline, single DPO, single breach runbook — covering both frameworks.