---
title: "EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps"
canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd"
author: "Sorena AI"
description: "Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU GDPR"
  - "GDPR"
  - "Brazil LGPD"
  - "lawful basis"
  - "DSAR"
  - "standard contractual clauses"
  - "records of processing activities"
  - "SCC"
  - "RoPA"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps

Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.

*Artifact Guide* *EU*

## EU GDPR EU GDPR vs Brazil LGPD

Use this GDPR-led comparison to separate EU obligations from Brazil LGPD assumptions when the available source pack does not ground the Brazil-side rule.

The GDPR side covers lawful basis, access rights, controller and processor accountability, breach notification, international transfers, enforcement exposure, and evidence records. Brazil-specific claims are limited to the transfer and adequacy material available in the cited sources.

This page is a source-limited EU GDPR versus Brazil LGPD comparison. The available grounding supports detailed GDPR obligations and Brazil-related transfer context, but it does not include a grounded LGPD statute or ANPD procedure source. Treat the Brazil column as a validation checkpoint unless a cited source on this page supports the comparator fact.

## EU GDPR vs Brazil LGPD: what is grounded here

This comparison gives concrete GDPR obligations and limits Brazil LGPD statements to the transfer and adequacy facts available in the cited source pack.

- **EU GDPR**: Use the GDPR column to scope processing, assign controller and processor duties, select a lawful basis, handle rights, manage breaches and transfers, and retain accountability evidence.
- **Brazil LGPD**: Use the LGPD column as a source-gap checklist unless the row cites Brazil-related transfer or adequacy material from the available sources.

| Dimension | EU GDPR | Brazil LGPD | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | GDPR applies to processing of personal data and allocates duties to controllers, processors, and joint controllers. Scope analysis should identify the processing purpose, data categories, data subjects, recipients, territories, and whether the activity is tied to EU establishment, offering goods or services, or monitoring behavior. | The available GDPR folder does not include a grounded LGPD scope source. Record Brazil scope as source pending unless the issue is limited to the Commission's Brazil transfer and adequacy context. | Do not treat a GDPR scope finding as an LGPD scope finding. Keep one GDPR record and one Brazil source-validation record. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping a distinct GDPR scope finding.<br>[European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Only supports Brazil-related adequacy context in this source pack, not full LGPD scope rules. |
| Covered actors | GDPR controllers must implement and be able to demonstrate compliant processing. Controllers using processors must use processors with sufficient guarantees and put the processing in a binding contract or legal act with required Article 28 terms. | The folder does not ground LGPD controller, operator, DPO, or ANPD accountability procedures. Keep Brazil role mapping separate until a Brazil source is added. | Vendor records can share facts, but GDPR Article 28 terms, assistance duties, sub-processor controls, and audit evidence should remain labelled as GDPR evidence. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR accountability and processor-contract duties.<br>[European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Provides Brazil adequacy context only, not LGPD role-procedure details.<br>[DPC - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports maintaining GDPR accountability records that can be retrieved for supervisory review. |
| Trigger | GDPR processing needs an Article 6 legal basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The record should explain the selected basis and the obligation that follows from it. | No Brazil LGPD lawful-basis list is grounded in this folder. Do not copy the GDPR Article 6 basis list into the LGPD workstream without a separate LGPD source. | A shared product feature may use the same facts, but the lawful-basis memo should have separate EU and Brazil source citations. | [DPC - Legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Supports a separate source-linked lawful-basis decision for GDPR.<br>[European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Provides Brazil adequacy context but does not enumerate LGPD lawful bases in this source pack. |
| Core obligations | GDPR rights work should cover access, information about processing, rectification, erasure, restriction, portability, objection, automated-decision safeguards where relevant, identity checks, response handling, and a rights-request log. | No grounded LGPD rights catalogue or response clock is available in this folder. Brazil-side rights handling should be marked source pending rather than inferred from GDPR. | Reuse intake tooling only after each request type, deadline, exception, and evidence field is mapped to its own jurisdictional source. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping GDPR rights handling distinct from unsupported comparator assumptions.<br>[European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Does not provide a usable LGPD rights workflow for this comparison. |
| Evidence record | GDPR evidence should include RoPA entries, lawful-basis rationale, notices, rights logs, processor contracts, security measures, DPIAs or DPIA screening, breach records, transfer safeguards, retention rules, and approvals for material changes. | Brazil evidence should be a separate workstream with source citations added before claims are published. The available folder does not ground LGPD record fields. | A shared privacy inventory is useful only if every field shows whether it supports GDPR, Brazil LGPD, or both with separate source citations. | [DPC - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports using records to demonstrate GDPR accountability while keeping source labels clear.<br>[European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Provides Brazil transfer context only; it does not define LGPD evidence fields. |
| Timing and deadlines | GDPR controllers notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after awareness unless the breach is unlikely to result in risk to rights and freedoms. They must document breach facts, effects, and remedial action. | No Brazil LGPD breach-notification deadline or ANPD procedure is grounded in this folder. Do not publish a Brazil breach clock from this comparison. | Incident response can use one technical investigation, but the legal clock, notification decision, delay reason, and regulator communication must be recorded by jurisdiction. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports documenting breach facts, effects, and remedial action.<br>[European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Does not provide Brazil breach deadline or ANPD notification procedure. |
| Enforcement | GDPR supervisory authorities have corrective powers, and the GDPR sets administrative-fine tiers including up to EUR 20,000,000 or 4 percent of total worldwide annual turnover for listed infringements, whichever is higher. | No Brazil LGPD penalty variants, ANPD sanction procedure, or national enforcement detail is grounded in this folder. Leave Brazil enforcement as source pending. | Do not merge risk scoring. EU enforcement exposure can be quantified from GDPR; Brazil enforcement exposure needs a separate Brazil source before publication. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping GDPR fine calculations separate from unsupported comparator claims.<br>[European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Does not ground LGPD penalty amounts or ANPD procedure. |
| Overlap and reuse | GDPR Chapter V requires a transfer basis: an adequacy decision where available, Article 46 safeguards such as SCCs where needed, or a limited derogation where the GDPR conditions are met. | Brazil is grounded here only through the Commission adequacy source, which states that the Commission and Brazil adopted mutual adequacy decisions and that their levels of data protection are comparable. | For EU-to-Brazil transfer planning, cite the current adequacy analysis or fallback SCC analysis. Do not use this page to state broader LGPD transfer mechanics. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR Chapter V transfer bases and safeguards.<br>[European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports SCCs as pre-approved GDPR transfer clauses.<br>[European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Supports using adequacy context for Brazil-specific transfer planning. |
| Practical decision rule | If the processing is carried out in the context of an EU establishment, or targets people in the Union through goods, services, or monitoring, treat the GDPR analysis as the controlling rule-set. Use the Article 3 scope test first, then map lawful basis, rights, breach, transfers, and records under the GDPR. | If the processing is carried out in Brazil, targets individuals in Brazil, or is based on data collected in Brazil, treat LGPD as the likely Brazil-side rule-set. The cited LGPD text applies to processing on Brazilian territory, to offers or services aimed at people in Brazil, and to data collected in Brazil. | Pick the jurisdiction from the facts before comparing obligations. This row is a routing rule, not a duplicate scope summary. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports using territorial scope as the first routing step.<br>[LEI N 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Grounds the LGPD territorial scope and applicability rules. |

Sources for Scope boundary - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary GDPR text for personal-data scope and regulated roles.
  - Quote: "processing of personal data"

Sources for Scope boundary - Brazil LGPD:

- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Only supports Brazil-related adequacy context in this source pack, not full LGPD scope rules.
  - Quote: "levels of data protection are comparable"

Sources for Scope boundary - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping a distinct GDPR scope finding.
  - Quote: "protection of natural persons"

Sources for Covered actors - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR accountability and processor-contract duties.
  - Quote: "sufficient guarantees"

Sources for Covered actors - Brazil LGPD:

- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Provides Brazil adequacy context only, not LGPD role-procedure details.
  - Quote: "Brazil"

Sources for Covered actors - operational implication:

- [DPC - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports maintaining GDPR accountability records that can be retrieved for supervisory review.
  - Quote: "demonstrate accountability"

Sources for Trigger - EU GDPR:

- [DPC - Legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Lists the six GDPR Article 6 legal bases and explains why controllers must identify the justification for processing.
  - Quote: "consent; contract; legal obligation; vital interests; public task; or legitimate interests"

Sources for Trigger - Brazil LGPD:

- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Provides Brazil adequacy context but does not enumerate LGPD lawful bases in this source pack.
  - Quote: "mutual adequacy decisions"

Sources for Trigger - operational implication:

- [DPC - Legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Supports a separate source-linked lawful-basis decision for GDPR.
  - Quote: "reason or justification"

Sources for Core obligations - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR rights including access and information about third-country transfer safeguards.
  - Quote: "right of access by the data subject"

Sources for Core obligations - Brazil LGPD:

- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Does not provide a usable LGPD rights workflow for this comparison.
  - Quote: "comparable"

Sources for Core obligations - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping GDPR rights handling distinct from unsupported comparator assumptions.
  - Quote: "right to obtain"

Sources for Evidence record - EU GDPR:

- [DPC - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports the GDPR RoPA and accountability evidence list.
  - Quote: "purposes of processing"

Sources for Evidence record - Brazil LGPD:

- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Provides Brazil transfer context only; it does not define LGPD evidence fields.
  - Quote: "data protection"

Sources for Evidence record - operational implication:

- [DPC - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports using records to demonstrate GDPR accountability while keeping source labels clear.
  - Quote: "accountability"

Sources for Timing and deadlines - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR breach notification timing and breach documentation.
  - Quote: "not later than 72 hours"

Sources for Timing and deadlines - Brazil LGPD:

- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Does not provide Brazil breach deadline or ANPD notification procedure.
  - Quote: "adequacy"

Sources for Timing and deadlines - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports documenting breach facts, effects, and remedial action.
  - Quote: "remedial action taken"

Sources for Enforcement - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR administrative-fine exposure and supervisory authority powers.
  - Quote: "up to 20 000 000 EUR"

Sources for Enforcement - Brazil LGPD:

- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Does not ground LGPD penalty amounts or ANPD procedure.
  - Quote: "adequacy decisions"

Sources for Enforcement - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping GDPR fine calculations separate from unsupported comparator claims.
  - Quote: "4 %"

Sources for Overlap and reuse - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR Chapter V transfer bases and safeguards.
  - Quote: "appropriate safeguards"
- [European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports SCCs as pre-approved GDPR transfer clauses.
  - Quote: "pre-approved"

Sources for Overlap and reuse - Brazil LGPD:

- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Supports the Brazil adequacy statement used in this row.
  - Quote: "mutual adequacy decisions"

Sources for Overlap and reuse - operational implication:

- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Supports using adequacy context for Brazil-specific transfer planning.
  - Quote: "Brazil"

Sources for Practical decision rule - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary GDPR text for territorial scope.
  - Quote: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union"

Sources for Practical decision rule - Brazil LGPD:

- [LEI N 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Grounds the LGPD territorial scope and applicability rules.
  - Quote: "Esta Lei aplica-se a qualquer operação de tratamento"

Sources for Practical decision rule - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports using territorial scope as the first routing step.
  - Quote: "territorial scope"

### How should teams decide between EU GDPR and Brazil LGPD for compliance planning?

- Make the GDPR decision first: scope, role, Article 6 basis, rights workflow, processor contract, breach route, transfer mechanism, and records.
- Use the Brazil column only where the cited source supports the claim; otherwise mark the row as LGPD source pending.
- For EU-to-Brazil transfers, cite the Commission adequacy or SCC source used for the actual transfer route.
- Block publication of Brazil-specific lawful-basis, rights, breach, penalty, or ANPD procedure claims until a grounded LGPD source is added.

Sources for the practical decision rule:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary source for the GDPR-side decision checklist.
  - Quote: "in accordance with this Regulation"
- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Source for the Brazil transfer and adequacy context used in the comparison.
  - Quote: "Brazil"

## How to use this source-limited comparison

Start with the EU GDPR analysis: identify whether the processing involves personal data, who acts as controller or processor, which Article 6 lawful basis applies, which rights and transparency duties are triggered, whether a transfer mechanism is needed, and what evidence must be retained.

Then separate the Brazil LGPD workstream. The cited GDPR folder supports Brazil transfer context through the European Commission adequacy material, but it does not ground Brazil-specific lawful bases, rights deadlines, breach deadlines, ANPD procedure, or LGPD penalty variants.

- Use the GDPR column for concrete EU obligations and evidence records.
- Use the Brazil column only for facts supported by the cited sources, especially transfer and adequacy context.
- Do not copy GDPR deadlines, fines, DPIA triggers, or rights workflows into the LGPD workstream without a separate Brazil source.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR obligations used in the comparison, including lawful basis, rights, processor duties, breach notification, transfers, records, and fines.
- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Supports the Brazil-related transfer context used here; it does not provide a full LGPD obligations map.

## GDPR evidence to keep separate from LGPD assumptions

For GDPR, the evidence record should show the processing purpose, Article 6 lawful basis, categories of data subjects and personal data, recipients, transfer mechanism, retention logic, security measures, rights handling, processor terms, breach assessment, and any DPIA or prior-consultation decision.

For Brazil LGPD, this page should not be used as the source for equivalent fields unless the organization adds a grounded LGPD source. Keep Brazil-side records in a separate column marked source pending rather than treating GDPR evidence as proof of LGPD compliance.

- Link each GDPR record to its source article or guidance note.
- Record a separate Brazil source gap for lawful basis, rights, breach notification, regulator procedure, and penalties.
- When a transfer to Brazil is assessed, cite the Commission adequacy material or the applicable GDPR transfer mechanism instead of inventing an LGPD rule.

Sources for this answer:

- [DPC - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Explains RoPA fields and how records support GDPR accountability.
- [DPC - Legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Supports the GDPR Article 6 lawful-basis row and the need to identify the reason for processing.

## Transfer and breach checks

GDPR transfer work starts with Chapter V: check for an adequacy decision, otherwise identify an Article 46 safeguard such as standard contractual clauses, or a narrow Article 49 derogation where applicable. The cited Commission material also identifies Brazil in the adequacy context, so Brazil can be discussed on this page only for that transfer point.

For breaches, use the GDPR rule directly: controllers notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware unless the breach is unlikely to result in risk to individuals. This source pack does not ground a Brazil LGPD breach clock.

- Keep the GDPR breach awareness time, risk assessment, notification decision, delay reason, and remedial action in the breach file.
- For Brazil-related transfers, cite adequacy or SCC analysis rather than assuming local LGPD transfer mechanics.
- Do not state ANPD breach timing or notification procedure from this page because it is not grounded in the available folder.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR breach notification, transfer safeguards, adequacy decisions, derogations, and administrative-fine exposure.
- [European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports the GDPR transfer fallback where SCCs are used for transfers from the EU or EEA to non-EU or non-EEA recipients.
- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Supports the Brazil-related transfer context and the statement that the Commission and Brazil adopted mutual adequacy decisions.

*Recommended next step*

*Placement: before sources*

## Build a cited GDPR-first comparison workflow

Sorena can help separate GDPR obligations from Brazil LGPD source gaps, assign owners, and maintain evidence records for lawful basis, rights, transfers, breach handling, and processor accountability.

- [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about GDPR lawful basis, rights, breach notification, transfers, roles, and evidence records using the cited sources on this page.
- [Talk through implementation](/contact.md): Review which GDPR controls can be reused and which Brazil LGPD facts need separate source validation before implementation.

## Primary sources

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary source for the GDPR-side decision checklist.
  - Quote: "in accordance with this Regulation"
- [DPC - Legal bases for processing personal data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Supports a separate source-linked lawful-basis decision for GDPR.
  - Quote: "reason or justification"
- [DPC - Records of Processing Activities under Article 30 GDPR](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports using records to demonstrate GDPR accountability while keeping source labels clear.
  - Quote: "accountability"
- [European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports SCCs as pre-approved GDPR transfer clauses.
  - Quote: "pre-approved"
- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Source for the Brazil transfer and adequacy context used in the comparison.
  - Quote: "Brazil"
- [LEI N 13.709, DE 14 DE AGOSTO DE 2018](https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm?ref=sorena.io) - Grounds the LGPD territorial scope and applicability rules.
  - Quote: "Esta Lei aplica-se a qualquer operação de tratamento"

## Related Topic Guides

- [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
- [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
- [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
- [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
- [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
- [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
- [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
- [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
- [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
- [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
- [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
- [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
- [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
- [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
- [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
- [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
- [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
- [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
- [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
- [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
- [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
- [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
- [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
- [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
- [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
- [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
- [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
- [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
- [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
- [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
- [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
- [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
- [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
- [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
- [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
- [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
- [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
- [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
- [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd