The General Data Protection Regulation (GDPR) is European law — but its reach is explicitly extraterritorial. If your Brazilian company offers goods or services to people in the European Union, or monitors their behavior, the GDPR applies to you. Where your company is headquartered is irrelevant.
The Extraterritorial Scope Rule
Article 3(2) of the GDPR states that it applies to the processing of personal data of EU data subjects by a controller or processor not established in the EU, where the processing activities relate to:
(a) Offering goods or services to data subjects in the EU — whether or not payment is required; or
(b) Monitoring the behavior of data subjects, insofar as their behavior takes place within the EU.
How to Know If You Are "Offering" to the EU
The GDPR's recital 23 gives guidance. Factors indicating that a company is targeting EU individuals include: pricing in euros, website versions in European languages (beyond English), references to EU customers, shipping to EU addresses, or advertising specifically directed at EU markets.
Simply having an English-language website accessible from Europe, without any deliberate targeting of EU users, is generally not enough to trigger GDPR applicability. But running Meta or Google ads targeting EU demographics likely is.
LGPD and GDPR: Simultaneous Application
If you process data of people in Brazil, the LGPD applies. If you process data of EU residents, the GDPR may apply simultaneously. The two frameworks are broadly compatible — both require a lawful basis for processing, data subject rights, security measures, and breach notification — but they differ in details.
Where the two conflict, the stricter requirement for the given context generally governs in practice. An EU data subject can exercise GDPR rights even against a Brazilian company subject to the regulation.
Data Transfers from EU to Brazil
Brazil does not hold a European Commission adequacy decision, meaning the EU does not formally recognize Brazil's data protection framework as equivalent. This matters for data transfers from inside the EU to Brazilian companies.
The most common mechanism: Standard Contractual Clauses (SCCs) — contractual clauses approved by the European Commission that create binding data protection obligations between the exporter (EU company) and the importer (Brazilian company). If you receive personal data from EU partners or clients, your contracts likely need to include SCCs.
Fines and Enforcement
The GDPR provides two tiers of fines for violations:
- Up to €10 million or 2% of global annual turnover (whichever is higher) for procedural violations — record-keeping, security measures, processor obligations.
- Up to €20 million or 4% of global annual turnover (whichever is higher) for violations of core principles, lawful basis, data subject rights, and unlawful international transfers.
EU data protection authorities (DPAs) can investigate companies outside the EU if EU residents are affected. Enforcement against non-EU companies has increased as the GDPR matures.
Practical Steps for Brazilian Companies with EU Exposure
- Map your EU data flows: Which personal data of EU residents do you collect, process, or store?
- Establish lawful basis: For each processing activity involving EU data, identify a GDPR lawful basis (consent, legitimate interest, contract performance, etc.).
- Review your contracts: Ensure SCCs or other transfer mechanisms are in place for data received from the EU.
- Consider an EU representative: Article 27 of the GDPR may require appointing a representative established in the EU to handle inquiries from data subjects and supervisory authorities.
- Align your privacy policy: Your privacy policy should address GDPR rights for EU users — including the right to access, erasure, portability, and objection.
FAQ
It can. Article 3(2) of the GDPR provides that it applies to any organization outside the EU that offers goods or services to EU data subjects, or monitors the behavior of EU data subjects — regardless of having a physical establishment in Europe.
Indicators include: accepting payment in euros, having a website version in a European language (beyond English), displaying European currency pricing, explicitly mentioning European users, or running ads targeted at people in the EU. An online store shipping only to Brazil is likely outside the scope.
Yes. If you process data of people in Brazil, the LGPD applies. If you process data of EU residents, the GDPR may apply simultaneously. Where the two conflict, the stricter requirement for the given context generally governs.
For the most serious violations (such as breach of core principles or unlawful international transfers), the GDPR provides fines of up to €20 million or 4% of global annual turnover, whichever is higher. For less serious violations, the limit is €10 million or 2% of turnover.
It depends on the volume and type of data processed. The GDPR requires a DPO in specific cases — such as large-scale processing of sensitive data or systematic monitoring of individuals. For most Brazilian SMBs with a handful of European clients, it may not be mandatory — check with a specialist.
SCCs (Standard Contractual Clauses) are contractual clauses standardized by the European Commission that allow personal data transfers from the EU to countries without an adequacy decision — such as Brazil. If you receive data from European customers, you will likely need SCCs in your contracts.
