Brazil’s General Data Protection Law isn’t quite GDPR

A new law in Brazil which is similar to Europe’s GDPR has been sanctioned by Brazil’s President. However, he vetoed several sections.

The new legislation, the General Data Protection Law, was sanctioned by the Brazilian President, Michel Temer, last week. The legislation will become enforceable in 18 months.

The law is similar to GDPR, but not identical; GDPR spreads over 80 pages, GDPL, 30 pages.

Similarities with GDPR include:

  • Cross-border jurisdiction, meaning data related to Brazilian citizens is subject to the law wherever the data processor is based; related to the above, regulations on transfer of data internationally;
  • A risk approach, like GDPR the Brazilian legislation talks about lawfulness, fairness, accountability, non-discrimination, purpose limitation, data minimisation and transparency on the use of personal data;
  • The Brazilian legislation includes a right to be forgotten and the right to access data;
  • Requirement to notify data breaches;
  • Requirement to appoint data protection officers, under certain conditions.

It is slightly different in other respects:

  • The Brazilian legislation provides for 10 legal bases to process data, unlike GDPR’s six legal bases;
  • Slightly lower maximum fines;
  • Imposes even shorter deadlines to notify breaches

However, Mr Temer vetoed a requirement for a National Data Protection Authority (ANPD) and the establishment of the National Council for the Protection of Personal Data and Privacy.

The President said that the vetoes were required because under Brazilian law Congress cannot create agencies. He said that the executive will create agencies similar to those proposed.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.