GDPR vs. Brazil LGPD
Home Resources Articles EU GDPR vs. Brazil LGPD

EU GDPR vs. Brazil LGPD

by Usercentrics
Sep 15, 2020
GDPR vs. Brazil LGPD
Table of contents
Show more Show less
Book a demo
Learn how our consent management solution can improve privacy and user experience for your users.
Book now
Get your free data privacy audit now!
Start scan

General Requirements similarities and differences 

 

GDPR  LGPD 
Who does it apply to? = Extraterritorial application/effect The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not (Art. 3).  Any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located. LGPD applies to any individual whose data has been collected or is being processed while inside the territory of Brazil, and not only Brazilian citizens. 
Personal data  Any piece of information that relates to an identifiable person. According to Art. 5 Personal Data is any information of an identified or identifiable natural person 
Data subject rights In chapter 3 the GDPR grants data subjects the following eight fundamental rights:

  1. the right to be informed;
  2. the right of access;
  3. the right to rectification;
  4. the right to be forgotten;
  5. the right to restrict processing;
  6. the right to data portability;
  7. the right to object to processing and 
  8. the rights in relation to automated decision-making and profiling
 Article 18 explains the nine fundamental rights, which are essentially the same rights as the GDPR but LGPD split “The right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “Right to be informed” to make it more explicit

The LGPD (Lei Geral de Proteção de Dados) creates nine rights for data subjects.

They are found in Article 18 and empower individuals with the rights to:

  1. confirmation of the existence of the processing of their data,
  2. access their data,
  3. correct incomplete, inaccurate or out-of-date data,
  4. anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD,
  5. have their data be portable, i.e. handed over to another service or processor if requested,
  6. have their data deleted,
  7. information about public and private entities with which the controller has shared data,
  8. information about the possibility of denying consent and the consequences,
  9. revoke consent.
Data protection officers  GDPR outlines when a DPO is required (Art. 37). Article 41 in the LGPD simply says, “The controller shall appoint an officer to be in charge of the processing of data,” which suggests that any organization that processes the data of people in Brazil will need to hire a DPO.
Legal basis for processing data  In the GDPR there are 6 legal bases for processing personal data. They are listed in Article 6 para. 1 of the GDPR and are the following:

  1. Consent (lit. a)
  2. Contractual performance (lit. b)
  3. Compliance with a legal obligation (lit. c)
  4. Vital interests (lit. d)
  5. Public interest (lit. e)
  6. Legitimate interests (lit. f)
 Article 7, the LGPD lists 10 legal bases. Also, the protection of credit (referring to a credit score) is a legal basis for the processing of data which is a real difference from the GDPR. LGPD’s legal bases for processing

The ten legal bases in the LGPD (Article 7) for lawful processing of personal data are: 

  1. With the consent of the data subject,
  2. To comply with a legal or regulatory obligation of the controller,
  3. To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments,
  4. To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data,
  5. To execute a contract or preliminary procedures related to a contract of which the data subject is a party,
  6. To exercise rights judicial, administrative or arbitration procedures,
  7. To protect the life or physical safety of the data subject or a third party,’
  8. To protect health, in a procedure carried out by health professionals or by health entities,
  9. To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail,
  10. To protect credit.
Reporting data breaches Report a data breach within 72 hours No guidance for what constitutes a “reasonable time period” as the national data protection agency has not yet been established.
Fines  Pay to up to € 20 million or 4% of annual global revenue, whichever is higher.  2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” (this works out to roughly € 11 million)

Would you like to learn more about Consent Management
and all the  possibilities our CMP offers for a data privacy compliance implementation? 

We would be happy to advise you.

 

Request a Demo

 

Related Articles

Top 30 questions about the European Union’s Digital Markets Act (DMA)

Digital Markets Act uncovered: top 30 DMA questions answered

We provide answers to the most frequently asked questions about the Digital Markets Act (DMA). Gain insights into the...

New Hampshire Privacy Act (NHPA)

New Hampshire Privacy Act (NHPA): An Overview

The New Hampshire Privacy Act is the 14th state-level data privacy law passed in the United States. It was...

Products

Regulations

Legal

Resources

Company

© Copyright 2024 Usercentrics GmbH Terms & Conditions Terms & Conditions USA Privacy Policy Legal Notice Trust Center
Partnerships and certifications
CMP_BadgeG2 badge - Spring 2025iab-logo-84huc-patentedBVDWiapp Bronze MemberWeb Content Accessibility Guidelines (WCAG) certification is considered the gold standard for web accessibility.ISO TÜV_Small (2)