Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU - Brazil: Comparing privacy laws - GDPR v. LGPD

In this report, OneTrust DataGuidance and Baptista Luz Advogados provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (LGPD). 

The report, which was last updated in September 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the LGPD with the  GDPR. 

You can access the latest version of the report here.

What is the LGPD?

The LGPD entered into force in Brazil on September 18, 2020, and represented the first comprehensive data protection framework in the country. It aims to increase the protection of personal data and regulate the way businesses collect, use, and process personal data. 

Key highlights

The LGPD and the GDPR share some similarities, particularly in regard to their personal and material scope. Both laws:

  • apply to the processing of natural persons' data as carried out by controllers and processors;
  • provide special protection for the processing of sensitive personal data as well as for the processing of children's data;
  • the rights individuals are entitled to, as well as the obligations controllers and processors are subject to; and
  • apply to organizations that have a presence in the EU and Brazil respectively as well as to organisations that are not physically located, but which offer goods and services in the jurisdictions, or process personal data in these regions.

However, despite their similarities, the LGPD and the GDPR also differ sometimes in their approach, such as:

  • the applicable legal basis when sensitive data is processed;
  • the time period in which a data subject access request must be responded to, the information which must be included in the response, and limitations to the right; and
  • the grounds and scope of the right to data portability.