EU GDPR vs. Brazil LGPD
General Requirements similarities and differences
|Requirement||EU GDPR||Brazil LGPD|
|Who does it apply to? = Extraterritorial application/effect||The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not (Art. 3).||Any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located. LGPD applies to any individual whose data has been collected or is being processed while inside the territory of Brazil, and not only Brazilian citizens.|
|Personal data||Any piece of information that relates to an identifiable person.||According to Art. 5, personal data is any information relating to an identified or identifiable natural person.|
|Data subject rights||In chapter 3 the GDPR grants data subjects the following eight fundamental rights:||Article 18 explains the nine fundamental rights, which are essentially the same rights as in the GDPR, but the LGPD splits “The right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “Right to be informed” to make it more explicit. The LGPD (Lei Geral de Proteção de Dados) creates nine rights for data subjects. They are found in Article 18 and empower individuals with the rights to:|
|Data protection officers||GDPR outlines when a DPO is required (Art. 37).||Article 41 in the LGPD simply says, “The controller shall appoint an officer to be in charge of the processing of data,” which suggests that any organization that processes the data of people in Brazil will need to hire a DPO.|
|Legal basis for processing data||In the GDPR there are 6 legal bases for processing personal data. They are listed in Article 6 para. 1 of the GDPR and are the following:||In Article 7, the LGPD lists 10 legal bases. The protection of credit (referring to a credit score) is also a legal basis for the processing of data, which is a real difference from the GDPR. The ten legal bases in the LGPD (Article 7) for lawful processing of personal data are:|
|Reporting data breaches||Report a data breach within 72 hours||No guidance for what constitutes a “reasonable time period” as the national data protection agency has not yet been established.|
|Fines||Pay up to €20 million or 4% of annual global revenue, whichever is higher.||“2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” (this works out to roughly €11 million)|