LGPD and GDPR — legal bases, data subject rights, DPO, and penalties
LGPD (Brazilian Law 13.709/2018) and GDPR (EU Regulation 2016/679) govern how personal data must be handled in Brazil and the EU respectively, and both reach beyond their borders: LGPD applies to processing of data of individuals located in Brazil (art. 3) and GDPR to processing of data of individuals in the EU by controllers established elsewhere (art. 3(2)). Despite the different jurisdictions, the principles overlap closely (LGPD art. 6, GDPR art. 5): purpose limitation, adequacy, necessity (data minimisation), transparency, and security. An organization operating in both markets must satisfy both frameworks at once, which in practice means designing to the stricter requirement wherever the two differ.
Legal Bases for Processing
Every processing operation on personal data needs a lawful basis, chosen before processing starts and recorded in the processing register. Using the wrong basis (for example, relying on consent for processing the data subject cannot realistically refuse) is a violation in itself, even if the data is technically well protected.
| Legal Basis | LGPD (art. 7) | GDPR (art. 6) |
|---|---|---|
| Consent | ✔ | ✔ |
| Contract | ✔ | ✔ |
| Legal obligation | ✔ | ✔ |
| Legitimate interest | ✔ | ✔ |
| Protection of life / vital interests | ✔ | ✔ |
| Credit protection | ✔ | — |

The table is not exhaustive: LGPD art. 7 lists ten bases and GDPR art. 6 six. Sensitive data (health, biometrics, religion, etc.) has its own, narrower list of bases under LGPD art. 11 and GDPR art. 9.
Example: e-commerce platform
- Registration and delivery: basis = CONTRACT
- Marketing newsletter: basis = CONSENT (a freely given, specific, informed and unambiguous opt-in; pre-ticked boxes do not count)
- Fraud analysis: basis = LEGITIMATE INTEREST (record the balancing test; GDPR Recital 47 and LGPD art. 10 both name fraud prevention as a typical legitimate interest)
- Invoice issuance: basis = LEGAL OBLIGATION
Data Subject Rights
Data subjects may exercise their rights at any time and free of charge. Response deadlines differ: LGPD art. 19 requires a full reply within 15 days of the request; GDPR art. 12(3) requires a reply without undue delay and within one month, extendable by two further months for complex or numerous requests, provided the data subject is told about the extension within the first month.
- Access: receive a copy of stored data
- Rectification: correct inaccurate or outdated data
- Erasure: delete data processed under consent (LGPD art. 18 VI), or data that is unnecessary, excessive or unlawfully processed (LGPD art. 18 IV); under GDPR art. 17 the right applies to any basis once its grounds are met, e.g. the purpose has ended or consent was withdrawn
- Portability: receive data in an interoperable format
- Withdrawal of consent: without prejudice to prior processing
- Objection: contest processing based on legitimate interest
Implement a dedicated channel (e.g., privacy@example.com or a web portal), verify the requester's identity before releasing data, and log each request with its receipt date so the deadline for every open request can be audited. Be aware that responding to a request is itself a security-sensitive operation: an access request answered to the wrong person is a data breach.
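The request register described above, as an added example that is not part of the original page: each request is recorded with its regime, the right exercised and the receipt date, and a deadline audit flags overdue and soon-due items. It assumes the windows quoted in the text (LGPD art. 19: 15 calendar days; GDPR art. 12(3): one month, three once an extension is notified); the five-day warning threshold `DUE_SOON_DAYS` is an internal assumption, not a legal term, and the sample register is constructed data.

```python
"""Data subject request (DSAR) register with statutory deadline auditing.

Added example, not code from the original page. Deadline rules assumed:
LGPD art. 19 II (15 days from the request date, no extension) and
GDPR art. 12(3) (one month, extendable by two further months).
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RIGHTS = {"access", "rectification", "erasure", "portability",
          "withdrawal", "objection"}
DUE_SOON_DAYS = 5  # assumption: internal early-warning threshold


def add_months(d: date, months: int) -> date:
    """Advance a date by whole calendar months, clamping to month end
    (31 Jan + 1 month -> 29 Feb in a leap year, 28 Feb otherwise)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def statutory_deadline(regime: str, received: date, extended: bool = False) -> date:
    """Latest lawful reply date for a request received on `received`."""
    if regime == "LGPD":
        # Art. 19 II: full reply within 15 days of the request.
        return received + timedelta(days=15)
    if regime == "GDPR":
        # Art. 12(3): one month, or three in total once an extension has
        # been notified to the data subject within the first month.
        return add_months(received, 3 if extended else 1)
    raise ValueError(f"unknown regime: {regime!r}")


@dataclass
class DSAR:
    request_id: str
    regime: str            # "LGPD" or "GDPR"
    right: str             # one of RIGHTS
    received: date         # date the request reached the privacy channel
    extended: bool = False # GDPR art. 12(3) extension invoked
    closed: Optional[date] = None  # date the reply was sent

    def __post_init__(self) -> None:
        if self.right not in RIGHTS:
            raise ValueError(f"unknown right: {self.right!r}")
        if self.extended and self.regime != "GDPR":
            raise ValueError("only GDPR art. 12(3) allows an extension")
        statutory_deadline(self.regime, self.received)  # rejects bad regime

    @property
    def deadline(self) -> date:
        return statutory_deadline(self.regime, self.received, self.extended)

    def status(self, today: date) -> str:
        """Audit status as of `today`."""
        if self.closed is not None:
            return "closed_on_time" if self.closed <= self.deadline else "closed_late"
        if today > self.deadline:
            return "open_overdue"
        if (self.deadline - today).days <= DUE_SOON_DAYS:
            return "open_due_soon"
        return "open"


def audit(register: List[DSAR], today: date) -> Dict[str, str]:
    """Map request_id -> status, the input for a deadline report."""
    return {r.request_id: r.status(today) for r in register}


def sample_register() -> List[DSAR]:
    """Constructed sample data, not real requests."""
    return [
        DSAR("R-001", "LGPD", "access", date(2024, 3, 1), closed=date(2024, 3, 10)),
        DSAR("R-002", "GDPR", "erasure", date(2024, 1, 31), closed=date(2024, 3, 5)),
        DSAR("R-003", "GDPR", "portability", date(2024, 2, 15), extended=True),
        DSAR("R-004", "LGPD", "objection", date(2024, 3, 1)),
        DSAR("R-005", "GDPR", "access", date(2024, 2, 25)),
    ]


if __name__ == "__main__":
    for rid, status in audit(sample_register(), date(2024, 3, 20)).items():
        print(rid, status)
```

The month arithmetic matters: a GDPR request received on 31 January is due on the last day of February, not on a non-existent 31 February, and the register should refuse an "extension" flag on an LGPD request, since the Brazilian law grants none.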
DPO — Data Protection Officer
Under LGPD (art. 41) every controller must appoint a DPO (encarregado); ANPD regulations allow exemptions for small-scale processing agents. Under GDPR (art. 37) a DPO is mandatory only for public authorities, for controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, or for large-scale processing of special categories of data or criminal-conviction data; appointing one voluntarily is still common.
Main responsibilities:
- Advise employees on data protection practices
- Serve as contact point for data subjects and supervisory authorities (ANPD / national DPA)
- Monitor internal compliance
- Conduct or oversee DPIAs (Data Protection Impact Assessments)
The DPO can be an employee or an outsourced service, but must be free of conflicts of interest, must not be instructed on how to carry out the role, and must report directly to the highest level of management (GDPR art. 38).
Penalties
LGPD (ANPD, art. 52):
- Warning with a remediation deadline
- Simple fine: up to 2% of revenue in Brazil for the last fiscal year (excluding taxes), capped at BRL 50 million per violation
- Daily fine, subject to the same cap
- Public disclosure of the infraction
- Blocking or deletion of the personal data involved
- Partial suspension of the database, suspension of the processing activity, or partial or total prohibition of processing activities
GDPR (national supervisory authorities, art. 83):
- Tier 1: up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher (e.g. breaches of controller/processor obligations such as security, records, DPIA, DPO)
- Tier 2: up to €20 million or 4% of total worldwide annual turnover, whichever is higher (e.g. breaches of the principles, lawful bases, data subject rights, international transfers)
Minimum Compliance Checklist
- Data mapping (data inventory / RoPA)
- Legal basis documented for each data flow
- Privacy notice published and up to date
- Operational data subject request channel
- DPO appointed and publicly identified
- Incident response process with breach notification to the authority within 72 hours of becoming aware (GDPR art. 33) and within the "reasonable period" required by LGPD art. 48, which ANPD Resolution CD/ANPD 15/2024 set at 3 business days; affected data subjects must also be informed when the risk to them is high
- Contracts with processors/subprocessors reviewed
- DPIA conducted for high-risk processing activities