GDPR for Brazilian companies: when the European regulation reaches your business and what to do beyond the LGPD

Direct answer

The GDPR (EU Regulation 2016/679) applies to a Brazilian company even without an establishment in Europe when, under Article 3(2), it offers goods or services to people who are in the European Union or monitors their behavior within the bloc. In those cases, in addition to the LGPD, you must appoint a representative in the EU (Article 27), set your own legal bases, and ensure valid transfers, under fines of up to 20 million euros or 4% of global turnover.

Key takeaways

  • The criterion for the GDPR applying to Brazilian companies is not the data subject's nationality or where the company is located, but conduct: offering goods/services to people in the EU or monitoring their behavior within the bloc's territory (Article 3(2)).
  • Complying with the LGPD does not mean complying with the GDPR. There is conceptual overlap (legal bases, data subject rights, breach notification), but GDPR-specific obligations — such as the EU representative — do not exist in Brazilian law.
  • BR companies under the GDPR generally need to appoint, in writing, a representative established in the EU (Article 27), except for the exceptions of occasional and low-risk processing.
  • Transferring data from the EU to Brazil requires a valid transfer basis from Chapter V of the GDPR. Brazil does not have an adequacy decision from the European Commission, so the usual instrument is the Standard Contractual Clauses (SCCs) accompanied by a transfer impact assessment.
  • The GDPR's administrative fines reach 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)) — a level far above the LGPD's cap of R$ 50 million per infringement.
  • Appointing a DPO under the GDPR (Article 37) has its own triggers — large-scale processing of sensitive data or large-scale systematic monitoring — distinct from the data protection officer figure in the LGPD.

When the GDPR applies to a company established in Brazil

The territorial scope of the GDPR is set out in Article 3 of EU Regulation 2016/679. Article 3(1) covers processing carried out by organizations with an establishment in the European Union. The point that matters to a Brazilian company is Article 3(2): the regulation applies to controllers or processors without an establishment in the EU when the processing relates to the offering of goods or services to data subjects who are in the Union — even free of charge — or to the monitoring of those data subjects' behavior insofar as it takes place within the bloc.

Note that the decisive factor is not nationality or the data subject's formal residence, but rather the person's location at the time of processing, combined with the company's intention to direct activity to that market. A Brazilian SaaS company that accepts clients in Germany, an e-commerce that sells and delivers in Spain, or a fintech that onboards users in Portugal fall, as a rule, within the scope of the GDPR.

The offering of goods or services requires a demonstrable intention to target the EU. Recital 23 of the GDPR and the EDPB's Guidelines 3/2018 point to concrete indicators: a website or checkout in a European language not spoken in Brazil, prices in euros, a Member State domain (.de, .fr, .pt), mention of European clients, or the possibility of delivery or payment in an EU currency. The mere fact that the website is accessible from Europe is not enough.

Behavior monitoring (Article 3(2)(b)) covers the tracking of people on the internet with profiling, analytics that follow browsing, behavioral advertising cookies, retargeting, and fingerprinting applied to those who are physically in the EU. For many Brazilian digital companies, it is through this door — and not through direct sales — that the GDPR comes into play.

What changes relative to the LGPD: overlap and gaps

The LGPD (Law 13,709/2018) was inspired by the GDPR, and this creates a useful overlap: both adopt the logic of legal bases for processing, guarantee rights to the data subject (access, correction, deletion, portability), require impact reports in risk situations, impose a duty of security, and provide for breach notification. A company mature in LGPD starts from a solid — but incomplete — base for the GDPR.

The differences, however, are material and cannot be ignored. The GDPR has a figure that does not exist in the LGPD: the EU representative (Article 27). It treats legal bases with its own nuances — European consent requires granularity and ease of withdrawal equivalent to the act of consenting, and legitimate interest demands a documented balancing test (LIA). The deadlines and content of the breach notification to the supervisor (Article 33, 72 hours) and to data subjects (Article 34) follow the bloc's specific rules.

There is also the international transfer regime of Chapter V, far more formalized than Article 33 of the LGPD, and the calculation of fines, which under the GDPR can reach a percentage of global turnover — something distinct from the per-infringement cap of the Brazilian law. The practical consequence is direct: the privacy program must be built to meet the more demanding of the two regimes at each point, and not treated as a single layer.

In short, the right question for legal and the DPO is not 'do we already comply with the LGPD?', but 'which obligations does the GDPR add on top of what we already do, and where do the two regimes diverge in the detail?'. It is in that delta that the regulatory risk lies for those processing the data of people in Europe from Brazil.

Article 6 of the GDPR lists six legal bases for ordinary data: consent, performance of a contract, legal obligation, vital interests, public interest task, and legitimate interest. The choice of basis must be made and documented before processing, and cannot be swapped opportunistically afterward — a point frequently scrutinized by European authorities.

GDPR consent (Article 7) is stricter than the common perception: it must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give. Pre-ticked boxes and bundled consents are not valid. For many SaaS and e-commerce operations, the most appropriate basis is performance of a contract (Article 6(1)(b)) or legitimate interest (Article 6(1)(f)), reserving consent for marketing and non-essential cookies.

When the company uses legitimate interest, the GDPR requires a balancing test (Legitimate Interests Assessment) that weighs the business's interest against the rights and reasonable expectations of the data subject, with a written record. Sensitive data — health, biometrics, racial origin, political opinion, children's data — has a reinforced regime in Articles 9 and 8, with additional lawfulness requirements.

For the Brazilian company, the added care is to map the bases under the LGPD and under the GDPR separately for the same data flow, since the lists and requirements do not coincide point by point. The record of processing activities (Article 30 of the GDPR) makes this mapping auditable and is, in practice, the document the authority asks for first.

International data transfer from the EU to Brazil

Taking personal data from the European Union to Brazil is an international transfer governed by Chapter V of the GDPR (Articles 44 to 50). The general rule is that the transfer is only lawful if there is an adequate mechanism ensuring that the data, outside the EU, receives a level of protection essentially equivalent to the European one.

The simplest mechanism would be an adequacy decision from the European Commission (Article 45), which dispenses with additional safeguards. Brazil does not have such an adequacy decision. Therefore, Brazilian companies rely on the safeguards of Article 46 — the most common being the Standard Contractual Clauses (SCCs) adopted by the Commission's Implementing Decision (EU) 2021/914, and, within corporate groups, the Binding Corporate Rules (BCRs).

After the Schrems II ruling (CJEU, case C-311/18, 2020), the SCCs alone are not enough. The European exporter must carry out a Transfer Impact Assessment, examining whether the legislation and practice of the destination country — including government access to data — undermine the contractual guarantees and, if so, adopt supplementary measures (encryption, pseudonymization, access controls) in accordance with the EDPB's Recommendations 01/2020.

For the BR company, this translates into signing the correct SCCs under the appropriate module (controller-to-controller, controller-to-processor, etc.), supporting the documentation of the European partner's impact assessment, and demonstrating concrete technical protection measures. It is joint work of legal and information security, and not just a generic contractual clause.

Representative in the EU (Article 27) and DPO (Article 37)

Article 27 of the GDPR requires controllers and processors without an establishment in the EU, but subject to the regulation under Article 3(2), to appoint in writing a representative established in one of the Member States where the data subjects whose data is processed are located. This representative is the point of contact for the supervisory authorities and for data subjects, and can be held liable in enforcement proceedings — it is not a decorative formality.

The obligation has exceptions (Article 27(2)): the representative is not required when the processing is occasional, does not include large-scale processing of sensitive or criminal-related data, and is unlikely to result in a risk to the rights of data subjects. In practice, e-commerces, SaaS companies, and fintechs with recurring European clients rarely fall within the exception and need to appoint the representative.

The DPO (data protection officer, Articles 37 to 39) is mandatory when the processing is carried out by a public authority, when the core activity requires regular and systematic monitoring of data subjects on a large scale, or when the core activity consists of large-scale processing of sensitive data. The GDPR's triggers are more objective than those of the LGPD, and the European DPO must have autonomy, specialized knowledge, and a direct channel to top management.

Beware of a common confusion: the EU representative and the DPO are distinct roles and, as a rule, should not be performed by the same person, because there is a potential conflict of functions. A Brazilian company may need both at the same time — a representative in European territory and a DPO responsible for the compliance program.

Fines and enforcement: the GDPR's real numbers

The GDPR establishes two tiers of administrative fine in Article 83. The first (Article 83(4)) reaches up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements such as failures in the record of processing, in the appointment of a representative, or in processor obligations.

The second tier (Article 83(5)) reaches up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This cap applies to the most serious infringements: violation of basic principles, of the conditions for consent, of data subjects' rights, and of the international transfer rules of Chapter V. For large groups, the percentage-of-turnover criterion can far exceed the fixed amount in euros.

Compared with the LGPD, whose cap is 2% of turnover in Brazil limited to R$ 50 million per infringement (Article 52), the GDPR operates on another scale and uses global turnover as the base, not turnover in the country. European authorities have imposed substantial fines, and Article 83(2) details the criteria for calibrating them — severity, intent, mitigating measures, cooperation — that reward those who document compliance.

In addition to the fine, supervisory authorities can order the suspension of processing, prohibition of transfers, and other corrective measures (Article 58). For the Brazilian company, the reputational and contractual impact is usually as relevant as the amount of the fine, especially when the European client demands compliance guarantees as a commercial condition.

How to comply

  1. 1

    Determine whether the GDPR applies

    Map whether the company offers goods/services to people in the EU or monitors the behavior of those in the bloc (Article 3(2)). Assess targeting indicators: language, currency, domain, delivery, and analytics. Document the conclusion.

  2. 2

    Inventory the European data flows

    Build the record of processing activities (Article 30), identifying which data of EU data subjects is collected, for what purpose, for how long, and where it is transferred, separating the flows subject to the GDPR.

  3. 3

    Define and document the GDPR legal bases

    For each purpose, choose the basis from Article 6 (and from Article 9 if there is sensitive data). For legitimate interest, record the balancing test (LIA). Adjust the consent wording to the standard of Article 7.

  4. 4

    Structure the international transfers

    Since Brazil has no adequacy decision, adopt the Standard Contractual Clauses (SCCs) under the correct module and support the Transfer Impact Assessment required after Schrems II, implementing supplementary security measures.

  5. 5

    Appoint the representative in the EU

    Unless the exception of Article 27(2) applies, appoint in writing a representative established in a Member State where there are data subjects, with a clear mandate to act before authorities and data subjects and disclosure of the contact in the privacy policy.

  6. 6

    Assess whether a DPO is mandatory

    Check the triggers of Article 37 (large-scale systematic monitoring or large-scale processing of sensitive data). If mandatory, appoint a DPO with autonomy, expertise, and access to top management, distinct from the EU representative.

  7. 7

    Implement incident response to the European standard

    Establish a process to notify the supervisory authority within 72 hours (Article 33) and data subjects when there is high risk (Article 34), with templates, a decision chain, and a record of all incidents, even non-notifiable ones.

Frequently asked questions

My company has no office in Europe. Does the GDPR still apply?

It may apply. Article 3(2) of the GDPR reaches companies without an establishment in the EU when they offer goods or services to people who are in the bloc or monitor those people's behavior within European territory. The absence of an office does not rule out the regulation.

Does selling to an occasional European client already put me under the GDPR?

The accessibility of the website alone is not enough, nor is an isolated accidental sale. There must be an intention to direct activity to the EU, evidenced by indicators such as language, prices in euros, a Member State domain, or delivery within the bloc. Recurring, targeted sales, yes, tend to attract the GDPR.

If I already comply with the LGPD, do I need to do anything more?

Yes. There is overlap between the LGPD and the GDPR, but the GDPR adds obligations such as the EU representative (Article 27), its own international transfer rules, specific consent requirements, and fines calculated on global turnover. The program must meet the more demanding of the two at each point.

Can I freely transfer data from the EU to Brazil?

No. Brazil does not have an adequacy decision from the European Commission, so the transfer depends on the safeguards of Article 46, normally the Standard Contractual Clauses, accompanied by a transfer impact assessment and supplementary technical measures, as required after the Schrems II ruling.

Who can be the EU representative required by Article 27?

A natural or legal person established in a Member State where the data subjects whose data the company processes are located, appointed in writing and with a mandate to be contacted by authorities and data subjects. As a rule, it should not double as the DPO, due to a conflict of roles.

What is the maximum amount of GDPR fines?

The most serious infringements can generate a fine of up to 20 million euros or 4% of the total worldwide annual turnover of the preceding year, whichever is higher (Article 83(5)). Infringements of another nature reach 10 million euros or 2% of global turnover (Article 83(4)).

Am I required to have a DPO under the GDPR?

It depends. Article 37 makes the DPO mandatory when the core activity involves regular and systematic monitoring of data subjects on a large scale or large-scale processing of sensitive data, in addition to the case of public authorities. Outside these situations, the appointment is advisable but not compulsory.

How can Decripte help my company comply with the GDPR?

Decripte works in Regulatory Security: we structure the privacy program to meet the LGPD and the GDPR in an integrated way, with DPO as a Service, data mapping, definition of legal bases, international transfer instruments, support for appointing the EU representative, and technical information security measures that sustain compliance.

Sources

Decripte implements compliance — without you building an in-house team.

Adherence assessment, auditable technical controls, pentest and documentation for the regulator/auditor. Or start free by seeing what is already exposed.