LGPD vs. GDPR – A Few Key Similarities and Differences

Brazil got itself into the data privacy regulation game in September 2020 with the implementation of its Lei Geral de Proteção de Dados (“LGPD”), in spite of calls from businesses and advocates to postpone the regulation due to issues related to COVID-19. Companies operating in Brazil now face, in some cases for the first time, comprehensive privacy obligations which require them to focus their attention on how the collect, store and process data. We’re often asked if LGPD and GDPR are the same (all the acronyms can be confusing!), so we’ve made a list of similarities, and key differences, between the regulations.

1. Are individuals’ rights under LGPD the same as under GDPR?

Individuals’ rights under LGPD are largely similar to those available under GDPR (i.e., access, correction, deletion, blocking, and portability), but there are a few significant differences between the regulations. First, LGPD provides for an explicit right to anonymization, meaning that individuals can request that organizations anonymize data about them if that data are unnecessary or excessive, whereas. GDPR does not have this specific right.

Second, LGPD outlines the way in which companies must respond to data subject access requests, either in a “regular” or “simplified” fashion. To respond in a regular manner, a company should provide the individual with the requested data, including the origin of the personal information, the non-existence of records, the criteria used for, and the purpose of the processing activities; all in no more than 15 days. To respond in a simplified manner, a company can provide less detail and information for a request, however the new law does not yet outline the specific timing for such a response (we’ll update when it comes out). If, for whatever reason a complete response in either a regular or simplified manner cannot be completed within 15 days, the company needs to inform the individual about why it is prevented from responding timely.

Third, LGPD places no restrictions on how often an individual can lodge an access request, which is not the case with GDPR. In addition, organizations are required to respond to requests free of charge, potentially even repetitive requests.

2. Do LGPD and GDPR Share the Same Legal Bases for Processing?

LGPD includes those legal bases for processing personal information as GDPR, as well as a few that GDPR does not have. In addition to legal bases that are comparable to those available under GDPR, the LGPD also permits the use of personal information for:

Research;
Exercise of rights in legal, administrative, and arbitration proceedings;
Health protection; and
Credit protection.

Also, the concept of legitimate interests as a legal basis appears to be broader under the LGPD, which specifically states that legitimate interests cover processing of personal information for the “support” and “promotion” of the controller’s activities.