GDPR vs LGPD
Brazil's LGPD was heavily inspired by GDPR but has important differences — including a stricter 15-day DSAR deadline that catches many companies off guard.
At a Glance
Key differences between GDPR and LGPD for mid-market companies (<200 employees).
Detailed Comparison
| Comparison Point | GDPR | LGPD |
|---|---|---|
| Jurisdiction | EU/EEA (27 member states) | Brazil (entire territory) |
| Effective Date | May 25, 2018 | September 18, 2020 |
| DSAR Response Deadline | 1 month (calendar) | 15 days (simplified format) |
| DSAR Extension | +2 months (complex requests) | No formal extension mechanism |
| Maximum Fine | €20M or 4% of global annual turnover | 2% of revenue in Brazil, capped at R$50M (~€9M) per infraction |
| Legal Bases for Processing | 6 legal bases (Art. 6) | 10 legal bases (Art. 7) — includes credit protection |
| Consent Model | Opt-in with specific purpose | Opt-in with specific purpose (similar) |
| DPO Requirement | Required for public bodies and large-scale processing | Required for all data controllers (Encarregado) |
| Breach Notification | 72 hours to supervisory authority | "Reasonable time" to ANPD (no fixed deadline) |
| Data Portability | Yes (machine-readable format) | Yes (but format not specified) |
| Cross-Border Transfers | Restricted (SCCs, BCRs, adequacy) | Restricted (similar mechanisms, fewer adequacy decisions) |
| Children's Data | Parental consent under 16 (member states may lower to 13) | Specific consent from parent/guardian required |
| Enforcement Body | National DPAs + EDPB | ANPD (Autoridade Nacional de Proteção de Dados) |
Why This Comparison Matters
Brazil's LGPD is often called "Brazil's GDPR" — and for good reason. The law was heavily inspired by the European regulation and shares many core principles: purpose limitation, data minimization, transparency, and individual rights. However, there are critical differences that can trip up companies already GDPR-compliant.
The 15-Day DSAR Deadline
The most impactful difference for mid-market companies is the DSAR response deadline. LGPD requires a simplified response within 15 days — half the time GDPR allows. There is no formal extension mechanism. This means your DSAR workflow must be significantly faster for Brazilian data subjects. Companies that barely meet GDPR's 30-day deadline will struggle with LGPD.
Legal Bases: LGPD Has More Options
LGPD provides 10 legal bases for processing, compared to GDPR's 6. The additional bases include credit protection, health protection in emergency procedures, and regular exercise of rights in judicial or administrative proceedings. This gives companies more flexibility in justifying data processing under LGPD.
Penalties Are Capped Differently
While GDPR fines are theoretically unlimited (4% of global turnover), LGPD caps fines at 2% of revenue in Brazil, with a maximum of R$50 million (~€9 million) per infraction. For multinational companies, GDPR penalties pose a greater financial risk. However, LGPD also allows daily fines until violations are remedied.
DPO Requirements Are Broader
LGPD requires every data controller to appoint a Data Protection Officer (called "Encarregado" in Portuguese), regardless of company size. GDPR only requires a DPO in specific circumstances. ANPD has indicated it may ease this requirement for small businesses, but the current law applies universally.
Building Dual Compliance
If you are already GDPR-compliant, you have a strong foundation for LGPD compliance. Focus on: (1) accelerating your DSAR response process to meet the 15-day deadline, (2) appointing an Encarregado, (3) reviewing your legal bases against LGPD's expanded list, and (4) establishing a relationship with ANPD if you process Brazilian data at scale.
Which Law Applies to You?
GDPR applies if: You process personal data of EU/EEA residents, regardless of where your company is located.
LGPD applies if: You process personal data of individuals in Brazil, collect data in Brazil, or offer goods/services to people in Brazil.
Both apply if: You serve both EU and Brazilian markets. Start with GDPR compliance, then tighten your DSAR deadlines to 15 days and appoint an Encarregado for LGPD.
Disclaimer: This comparison is maintained independently by PrivacyCache for informational purposes. We strive for accuracy but laws evolve and specific requirements may change. This is not legal advice. Consult qualified legal counsel for compliance decisions. Last updated: 4/2/2026.
