# [EU GDPR vs. Brazil LGPD](https://usercentrics.com/knowledge-hub/eu-gdpr-vs-brazil-lgpd/)

**Author:** [Tilman Harmeling](https://usercentrics.com/person/tilman-harmeling/) · Published Sep 15, 2020 · 3 min read

---

## General requirements: similarities and differences

| | GDPR | LGPD |
| --- | --- | --- |
| **Who does it apply to? (Extraterritorial application/effect)** | The whole point of the GDPR is to protect data belonging to **EU citizens and residents**. The law therefore applies to organizations that handle such data, whether they are EU-based organizations or not (Art. 3). | Any business or organization that processes the **personal data of people in Brazil**, regardless of where that business or organization itself might be located. The LGPD applies to **any individual whose data has been collected or is being processed while inside the territory of Brazil**, and not only Brazilian citizens. |
| [**Personal data**](https://usercentrics.com/knowledge-hub/personally-identifiable-information-vs-personal-data/) | **Any piece of information that relates to an identifiable person.** | According to Art. 5, personal data is **any information of an identified or identifiable natural person**. |
| **Data subject rights** | In Chapter 3, the GDPR grants data subjects the following **eight fundamental rights:** 1. the right to be informed; 2. the right of access; 3. the right to rectification; 4. the right to be forgotten; 5. the right to restrict processing; 6. the right to data portability; 7. the right to object to processing; and 8. the rights in relation to automated decision-making and profiling. | [The LGPD (*Lei Geral de Proteção de Dados*)](https://usercentrics.com/lgpd/) creates **nine fundamental rights** for data subjects, found in **Article 18**. They are essentially the same rights as in the GDPR, but the LGPD splits "The right to information about public and private entities with which the controller has shared data" out of the GDPR's more general **"Right to be informed"** to make it more explicit. The nine rights are: 1. confirmation of the existence of the processing of their data, 2. access to their data, 3. correction of incomplete, inaccurate or out-of-date data, 4. anonymization, blocking, or deletion of unnecessary or excessive data or data that is not being processed in compliance with the LGPD, 5. portability of their data, i.e. having it handed over to another service or processor if requested, 6. deletion of their data, 7. information about public and private entities with which the controller has shared data, 8. information about the possibility of denying consent and the consequences, 9. revocation of consent. |
| **Data protection officers** | GDPR outlines when a DPO is required (Art. 37). | Article 41 in the LGPD simply says, "The controller shall appoint an officer to be in charge of the processing of data," which suggests that any organization that processes the data of people in Brazil will need to hire a DPO. |
| **Legal basis for processing data** | **In the GDPR there are 6 legal bases for processing personal data.** They are listed in Article 6 para. 1 of the GDPR and are the following: 1. Consent (lit. a), 2. Contractual performance (lit. b), 3. Compliance with a legal obligation (lit. c), 4. Vital interests (lit. d), 5. Public interest (lit. e), 6. Legitimate interests (lit. f). | In Article 7, the LGPD lists **10 legal bases**. Among them, the protection of credit (referring to a credit score) is a legal basis for the processing of data, which is a real difference from the GDPR. The ten legal bases in the LGPD (Article 7) for lawful processing of personal data are: 1. With the consent of the data subject, 2. To comply with a legal or regulatory obligation of the controller, 3. To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments, 4. To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data, 5. To execute a contract or preliminary procedures related to a contract of which the data subject is a party, 6. To exercise rights in judicial, administrative or arbitration procedures, 7. To protect the life or physical safety of the data subject or a third party, 8. To protect health, in a procedure carried out by health professionals or by health entities, 9. To fulfill the legitimate interests of the controller or a third party, except when the data subject's fundamental rights and liberties which require personal data protection prevail, 10. To protect credit. |
| **Reporting data breaches** | Report a data breach within **72 hours** | **No guidance for what constitutes a "reasonable time period"** as the national data protection agency has not yet been established. |
| **Fines** | Pay up to **$23.72 million or 4% of annual global revenue,** whichever is higher. | **"2% of a private legal entity's, group's, or conglomerate's revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals"** (this works out to roughly $13.05 million). |
