Brazil: Data Protection in the Financial Sector

1. Governing Texts

1.1. Legislation

Since the enactment of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), more attention has been drawn to the issues of privacy and data protection. However, such issues are rooted in other laws and regulations which had been subject to intersectoral debate long before the enactment of the LGPD.

To analyse the impact of data protection in the financial sector it is worth looking back to the Constitution of the Federative Republic of Brazil ('the Constitution'), which establishes privacy and data protection as constitutional rights (Article 5(X)(LXXIX) of the Constitution).

In addition, the Brazilian Civil Code, Law No. 10.406 of 10 January 2002 (only available in Portuguese here) ('the Civil Code') is a federal law which states that privacy is an inviolable right of natural persons (Article 21 of the Civil Code), while the Complementary Law No. 105 of 10 January 2001 (only available in Portuguese here) ('the Banking Secrecy Law') states that financial institutions must maintain secrecy in their active and passive operations and services provided.

On the other hand, there is no broad set of laws and regulations, nor any as fundamental as the Civil Code or the Constitution, addressing data protection in the financial sector. Rather, there is a diverse set of scattered laws and administrative rules that regulate specific issues, such as certain administrative rules of the National Monetary Council ('CMN'), the Central Bank of Brazil ('BCB'), and others listed below, which concern the open finance and credit scoring systems in Brazil.

The LGPD, which was heavily influenced by the European General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), was enacted in 2018 and entered into force on 18 September 2020; however, the sanctions provided therein only entered into force on 1 August 2021, and are still pending specific regulation of penalty dosimetry by the Brazilian data protection authority ('ANPD'). Since the LGPD applies to both the public and private sectors and creates a uniform set of rules on privacy and data protection, it will have a significant impact on the financial sector.

The Brazilian financial sector is subject to several sectoral regulations that affect how data must be processed, including those with a direct impact on data protection, such as the LGPD and the Banking Secrecy Law. The following regulations are relevant and will be discussed throughout this note:

  • the Banking Secrecy Law;
  • the Constitution;
  • the LGPD;
  • Federal Decree-Law No. 2.848 of 7 December 1940 (only available in Portuguese here) ('the Criminal Code'). Federal Law No. 12.737 of 30 November 2012 (only available in Portuguese here) amended the Criminal Code to include the crime of invasion of computer systems through breach of security measures, as will be analysed further on;
  • Federal Law No. 6.404 of 15 December 1976 (only available in Portuguese here) ('the Brazilian Corporate Law');
  • Federal Law No. 6.385 of 7 December 1976 (only available in Portuguese here) ('the Securities Market Law');
  • Federal Law No. 7.492 of 16 June 1986 (only available in Portuguese here) ('the Crimes Against the National Financial System Law');
  • Federal Law No. 8.078 of 11 September 1990 (only available in Portuguese here) ('the Consumer Code');
  • Federal Law No. 9.613 of 3 March 1998 (only available in Portuguese here) ('the Money Laundering Law');
  • Federal Law No. 12.414 of 9 June 2011 (only available in Portuguese here) ('the Credit Score Law'), that underwent significant changes by the Supplementary Law No. 166 of 8 April 2019 (only available in Portuguese here) ('the Supplementary Law');
  • CMN Resolution No. 4.737 of 29 July 2019 (only available in Portuguese here) ('the CMN Credit Score Regulation');
  • Federal Law no. 12.965 of 23 April 2014 ('the Internet Bill of Rights') and its Regulatory Decree (Federal Regulatory Decree No. 8.771 of 11 May 2016) (only available in Portuguese here) ('the Regulatory Decree');
  • BCB Resolution No. 85 of 8 April 2021 (only available in Portuguese here) ('the BCB Resolution'), and CMN Resolution No. 4.893 of 26 February 2021 (only available in Portuguese here) ('the CMN Resolution'), ('the Cybersecurity and Cloud Regulation'); and
  • BCB and CMN Rule No. 1 of 4 May 2020 ('the Open Finance Regulation').

1.2. Supervisory authorities

Regulators and supervisory authorities responsible for enforcing the regulations mentioned above can mainly be divided into three kinds: the authorities regarding the financial sector, the consumer protection authorities, and the data protection authority.

The first group of authorities includes government regulators as well as self-regulatory sectoral institutions. The two most important government authorities for the financial sector and capital markets are the BCB and the Securities and Exchange Commission of Brazil ('CVM'), whose actions are subject to the rules issued by the CMN. Both not only have powers to enact sectoral norms applicable to institutions under their supervision but are also responsible for enforcing their own and other federal norms. Another authority relevant specifically for the insurance sector is the Superintendence for Private Insurances ('SUSEP').

The CVM is a federal agency, linked to the Ministry of Economy, and was created by Law No. 6.385 of 7 December 1976 (only available in Portuguese here) ('the Securities Market Law'). It regulates and supervises the activities of capital market players, such as public companies, stock exchanges, brokers and other participants of this market, and keeps the market functioning, guaranteeing that adequate information is presented to investors so they can make investment decisions in a transparent way, and seeking to restrain abuses, fraud and unfair practices. This promotes a suitable flow of information to investors, as well as ensuring the efficient and regular operation of the stock and over-the-counter markets.

The BCB is also a federal agency, linked to the Ministry of Finance, and was created by Federal Law No. 4.595 of 31 December 1964, which establishes its powers and attributions. It is responsible for many matters, including the regulation and supervision of the National Financial System and the Brazilian Payments System, authorising the operation of financial and payment institutions, establishing the conditions for the exercise of any management positions in financial and payment institutions, monitoring the interference of other companies in the financial market and controlling the flow of foreign capital in the country, among other issues.

SUSEP is the body that controls and oversees the insurance, open private pension, capitalisation and reinsurance markets. It is linked to the Ministry of Finance and was created by Decree-Law No. 73 of 21 November 1966 (only available in Portuguese here).

The Brazilian financial sector and capital markets also have a few self-regulatory sectoral institutions, such as the Brazilian Association of Financial and Capital Market Entities ('ANBIMA'), the Brazilian Federation of Banks and the Brazilian Market Supervisory. They are important for this ecosystem, although, being private and self-regulating, they have power only over those who voluntarily join them and are subject to their enforcement actions, so their norms and decisions bind only their associated institutions.

The second group, focused on consumer protection, is composed of, but not restricted to, the National Consumer Protection System ('SNDC') which is coordinated by the National Consumer Secretariat ('Senacon'), the Public Prosecutor's Office, the Public Defender's Office, the Consumer Protection and Defence Program ('Procons'), Special Civil Courts, and Civil Defence Organisations.

Regarding the data protection authorities, the ANPD is a federal agency responsible for overseeing, implementing and guaranteeing compliance with the LGPD. Its internal organisation is composed mainly of a board of five directors, the National Data Protection Council (with 23 representatives from various sectors) with advisory powers, and internal offices/divisions such as the Prosecutor's Office and the Enforcement Division.

2. Personal and Financial Data Management

As Brazil's legal system is based on civil law, there are numerous specific sectoral rules that dictate what can and cannot be done regarding data protection. The financial sector, specifically, is heavily regulated, meaning that there are several norms that must be followed by the players of this sector, in addition to non-sectoral laws. Some have important implications for data protection and cybersecurity, and so will be outlined very briefly below. This list does not include the LGPD, since it is explained in other sections. Most of the norms presented here are not specifically about data protection, but they determine measures that must be taken into consideration by financial and other institutions that, because of their presence in the financial sector, are ultimately obliged to follow these privacy and data protection norms.

Brazil's Internet Bill of Rights and its Regulatory Decree

The Internet Bill of Rights establishes principles, rights and obligations that must be followed by service providers, including infrastructure and platforms. While Brazil's Internet Bill of Rights contains certain rules associated with the usage of personal data online, the LGPD regulates how personal data must be treated both online and offline.

Brazil's Internet Bill of Rights provides for broad internet users' rights like the protection of their privacy and private communications, the protection of personal data, the right to obtain information on the collection, storage and processing of their data, the right to erase data, among others. It adopts the principle of net neutrality and provides that internet service providers must not be held liable for user-generated content unless upon noncompliance with a court order.

One of the obligations that affects any company offering online services (e.g., applications and websites of banks, investment funds, credit score companies etc.) is to store specific data related to the moment when a user accesses the service (IP address and date and time of access). It also regulates when the aforementioned data must be shared with law enforcement agencies for criminal prosecution, for example.

The Regulatory Decree for the Internet Bill of Rights also provides for the obligation to safeguard personal data by means of adequate information security measures, including strict control of the employees who access personal data (access control). In addition, it establishes rules on purpose limitation and adequate use of personal data when processed via the Internet, noting that data must be deleted once the purposes of its processing have been achieved.

It is important to highlight that the only legal basis provided by the Internet Bill of Rights for the processing of personal data is the express consent of the data subject. However, the LGPD establishes ten legal bases for any processing of personal data, online or offline, and there is no hierarchy among them. Since the LGPD is a broader law than the Internet Bill of Rights, it may be interpreted by courts as invalidating the requirement of consent as the only legal basis for data processing in the online environment.

Credit Score Law and CMN Credit Score Regulation

The Credit Score Law has existed since 2011 but underwent significant changes in 2019 with the enactment of the Supplementary Law. It regulates the collection and use of data regarding natural persons' and companies' payment history ('credit operations' and 'payment obligations'), and data that can be processed, together with other data, for credit scoring purposes. It also establishes what type of data may be processed for credit analysis and credit scoring purposes, prohibiting, for example, the use of sensitive and excessive data, and from which sources the data can be obtained.

According to Decree 9.936 of 24 July 2019 (only available in Portuguese here), which regulates the Credit Score Law, the credit history is composed of financial and payment data related to credit operations, payment obligations, whether fulfilled or in progress, necessary to assess the financial risk of the subject.

Before 2019, a natural person had to give their prior and express consent ('opt-in') to allow for the collection of their credit history and payment history data. The Supplementary Law altered this requirement by establishing that such data can be added to a database without their prior consent, but granted them the right to 'opt out' if they wish.

The Credit Score Law also provides for specific rights for the data subjects like the right to be informed when a company creates a record of their payment history in order to create a credit score, the right to access information related to them, the right to correct any incorrect data, the right to review solely automated processing of personal data and also obtain information regarding the underlying logic of such processing, among other things.

The CMN Credit Score Regulation determines the rules for processing history of payments data for credit scoring purposes provided by financial institutions and other licensed institutions. Such institutions may only provide history of payments data for those companies that have been certified by the BCB.

Consumer Code

The Consumer Code is an extensive statute which aims to protect consumers, who are legally considered vulnerable in relation to service and product providers. It confers on consumers a broad range of rights, such as the right to adequate information, protection against misleading and abusive advertising, protection against unconscionable and abusive clauses, and the shifting of the burden of proof to service and product providers, among other things.

The Brazilian Supreme Court ('STF') and the Superior Court of Justice ('STJ') have already ruled that banking, financial, credit and insurance activities, and private retirement plans are all subject to the Consumer Code. In some cases, even individual investors of investment funds can be considered consumers (and therefore the Consumer Code and its highly consumer-protective principles apply to them).

Additionally, the Consumer Code provides specific rules on databases of consumers and negative credit history. In these cases, a consumer has the right to access any information stored about them and to correct any inaccurate information. Negative information about consumers (registries) cannot be maintained for more than five years.

Consumers' rights can be exercised both individually and collectively. Considering the latter, civil society organisations and Public Prosecution Offices can represent consumers collectively. For example, there were data breach cases in which a company was fined because the Public Prosecutor's Office represented the affected consumers, even before the LGPD came into force.

Criminal Code

As previously mentioned, the LGPD does not apply to the processing of data related to law enforcement or to the investigation or prosecution of criminal offences, nor does it create any criminal offence. In 2012, the Criminal Code was modified to include the crime of invasion of computer systems through breach of security measures for the purpose of obtaining, tampering with or destroying data without the explicit or tacit authorisation of the device owner, or of installing vulnerabilities to gain an illicit advantage.

Other than that, the Criminal Code does not determine specific measures regarding data protection, focusing more on secrecy and confidentiality. The two crimes of the Criminal Code (which deal with secrecy and confidentiality) are:

  • illegal disclosure of secrecy (Article 153 of the Criminal Code); and
  • breach of professional secrecy (Article 154 of the Criminal Code).

Securities Market Law

The Securities Market Law regulates the Brazilian securities market. It also created the CVM, which is the main authority regarding the securities market.

The Securities Market Law stipulates several practices that are considered crimes. One of these crimes, commonly known as insider trading (Article 27-D of the Securities Market Law), is specifically relevant regarding improper use of information (which may or may not be personal data). It entails the use of relevant information (that has not yet been disclosed to the market) to obtain an unfair advantage (for oneself or others) by trading securities. The same applies to those who pass on confidential information related to a material fact that they had access to because of their position in an issuer of securities or because of a commercial, professional or trust relationship with the issuer.

To reinforce the importance of this subject, the CVM issued Instruction No. 358 of 3 January 2002, underlining the need to inform the market about relevant information that can affect investors of a public company. Accordingly, it provides for the disclosure and use of information about a material act or fact related to public companies. In the same sense, if the company decides to keep information secret, such a decision must be submitted to the CVM and all managers and shareholders must respect it. Even though the LGPD establishes a mandatory data breach notification regime (as will be explained further on), security incidents may also be deemed relevant information that needs to be disclosed to the CVM.

Moreover, regarding disclosure, the CVM's Instruction No. 480 of 7 December 2009 requires the disclosure of the remuneration of board members for some stock corporations. In 2015 this obligation was challenged in court by some board members, claiming that it would violate their rights to privacy and personal safety. The discussion reached the STF and, through the vote of Justice Carmen Lucia, it was decided that the disclosure must be maintained and that the right to privacy cannot be invoked, given the public interest in the transparency of the corporation's finances (STF Extraordinary Appeal No. 902.752 of 21 October 2015).

Crimes Against the National Financial System Law

The Crimes Against the National Financial System Law covers the crimes against the national financial system. Under this law, violation of the secrecy of an operation or service offered by a financial institution (by someone who knows such information because of their occupation) can result in a detention penalty of one to four years and the payment of a fine. There is an exception for when such confidential information is required by authorities, such as the Public Prosecutor's Office. In such cases, the disclosure of information is not considered an offence.

Brazilian Corporate Law

The Brazilian Corporate Law requires corporations to disclose balance sheets, financial statements, the review of the independent auditors, information of the Fiscal Council, etc. This set of information is widely disseminated to the public due to public interest. This means that, in some cases, personal data may have to be divulged because it forms part of the documents required by law to be published.

The Cybersecurity and Cloud Regulation

The CMN Resolution contains the cyber security policy and the requirements for contracting cloud computing services, including data processing and data storage services, that must be complied with by financial and other institutions.

Financial institutions and other institutions licensed by the BCB must implement and maintain a cyber security policy formulated according to principles and guidelines that seek to ensure the confidentiality, integrity, and availability of the data and information systems used, disclosing it to the institution's employees and to third-party providers in clear and accessible language (Articles 2 to 5 of the CMN Resolution). They must also establish a plan of action and response to security incidents, aimed at the implementation of the cyber security policy (Articles 6 to 18 of the CMN Resolution). Also, financial sector institutions need to appoint a Cyber Security Director (Article 7 of the CMN Resolution) and can only contract service providers established in countries that have an agreement with the BCB. In addition, the countries where financial data is processed must be reported to the BCB.

Following the CMN Resolution, the BCB Resolution further regulates the same matters, providing specifics on the cyber security policy and the requirements for contracting cloud computing, including data processing and data storage services, but in this case for payment institutions authorised to operate by the BCB.

Open Finance

The Open Finance model being implemented in Brazil intends to promote the openness and integration of platforms and information system infrastructures, in a safe, agile, and convenient manner, within the financial sector. It is important to note that the rules are intended to empower customers by requiring specific consent before data sharing mechanisms between financial institutions and other licensed institutions are enabled.

2.1. Legal basis for processing

The LGPD is the first enacted law to demand, in a comprehensive way, that any processing of personal data be supported by a legal basis. For purposes associated with the financial sector, the legal bases most likely to be used are:

  • consent;
  • performing a contract with the data subject;
  • compliance with legal or regulatory obligation;
  • to exercise rights in judicial, administrative, or arbitration proceedings;
  • to pursue the data controller's or a third party's legitimate interest, except where the data subject's interests or fundamental rights and freedoms override the data controller's interest; and
  • credit protection, including the provisions in relevant legislation (e.g., Brazilian Credit Score Law).

The specific legal basis that allows for the processing of personal data necessary for credit protection is a particularity of the LGPD. Some may consider this legal basis as a broad one that would allow for the processing of any type of personal data if the purpose is related to credit, but other relevant legislation needs to be taken into consideration, such as the Credit Score Law, as well as the LGPD principles, such as data minimisation and adequacy. Nonetheless, this legal basis will probably be frequently used by financial sector entities.

2.2. Privacy notices and policies

Regarding privacy notices, mandated disclosures are required by the LGPD, and its Article 9 sets out the content of such disclosures, including, for example, the purposes for which the personal data have been collected, the purposes of the intended further processing and the situations in which the controller may share the data processed.

Regarding internal policies, the CMN has published the CMN Resolution relating to the financial sector regarding information security procedures and standards for policies. The Resolution deals with several standards in cybersecurity and establishes criteria for a cybersecurity policy. The CMN Resolution determines the obligation to implement and maintain a cybersecurity framework based on principles and guidelines that seek to ensure the confidentiality, integrity, and availability of data and information systems used.

Furthermore, Article 50 of the LGPD provides that controllers and processors, within the scope of their powers, individually or through associations, may formulate rules of good practice and governance that establish the conditions of organisation, operating regime, procedures (including data subject complaints and petitions), safety standards, technical standards, specific obligations for the various parties involved in processing, educational actions, internal supervisory and risk mitigation mechanisms and other aspects related to the processing of data subjects' data.

Accordingly, privacy governance frameworks must:

  • present the purposes why the personal data was collected and processed;
  • present the controller's commitment to adopt internal processes and policies that ensure comprehensive compliance with standards and best practices regarding the protection of the data subject;
  • establish appropriate policies and safeguards based on a systematic impact assessment and privacy risk assessment process;
  • aim to establish a trusting relationship with the data subject through transparent action that ensures the data subject's participation mechanisms;
  • demonstrate the effectiveness of the privacy governance program; and
  • demonstrate commitment to delete data from the database of processing agents when there is no longer a need for its storage (controller and processor).

2.3. Data security and risk management

Regarding data security and risk management in the Brazilian financial sector, since the second half of 2016 some associations and regulatory agencies have started specific initiatives. In August 2016, ANBIMA published a cyber security guideline (only available in Portuguese here) which shows the need for proper data protection procedures in the financial sector, since, according to ANBIMA, financial interests are the subject of the majority (80%) of cyber security incidents in Brazil. After the research, ANBIMA published a cybersecurity guide for financial institutions, with the objective of contributing to the improvement of cybersecurity practices in the Brazilian financial and capital markets. The guide provides examples and recommendations in order to steer institutions towards improving cybersecurity by implementing cybersecurity practices (only available in Portuguese here). In July 2017, the CVM published a study about the 'perception of cyber risks in the activities of fiduciary administrators and intermediaries' (only available in Portuguese here).

As already discussed in the section on personal and financial data management above, the Cybersecurity and Cloud Regulation applies information security procedures and standards to the entire financial sector. Relevant topics such as cloud services, readiness and transparency in cases of cybersecurity incidents, information sharing, board involvement, control of sensitive information, data classification and liability for sensitive information leakage are dealt with in the resolution.

According to the Cybersecurity and Cloud Regulation, institutions may be required to readily provide the BCB with their cybersecurity, data protection, and incident response policies. Further, they must appoint a director responsible for compliance. Institutions that do not draw up their own cybersecurity policy must formalise that choice at a meeting of the board of directors or, in its absence, of the institution's executive board, as per Article 2(3) of both resolutions. The Cybersecurity and Cloud Regulation applies to institutions authorised to operate by the BCB, including financial technology companies ('fintechs'), payment institutions and others.

The LGPD also demands that controllers and processors adopt adequate information security measures, technical or organisational. It does not detail what those measures are, but determines that the ANPD may demand minimum standards. In case of a data breach that poses significant risk or damage to the data subject, the controller must inform the ANPD and the affected data subjects of the incident.

2.4. Data retention/record keeping

The LGPD does not specify data retention periods, but it states that a data processing activity may be carried out only as long as it is necessary to fulfil the specific purposes of the processing (purpose limitation and minimisation principles), which implies that data cannot be kept indefinitely without reason. There are, however, specific laws establishing data retention periods for some topics.

The Internet Bill of Rights demands that internet service providers keep application access logs (the set of information regarding the date and time of use of a particular internet application from a particular IP address) confidential, in a controlled and safe environment, for six months. Law enforcement and prosecutors can request this data with prior authorisation by court order.

The Consumer Code briefly regulates databases about consumers. It provides that negative information, such as debt information, may not be kept for more than five years. The BCB has enacted regulations demanding that some documents related to information security be kept for a certain period so that the BCB can exercise its supervisory powers. There is also a practice in Brazil of keeping data for the respective prescription and pre-emption periods, as a precaution against possible future litigation. This is especially common regarding tax information.

3. Financial Reporting and Money Laundering

Money Laundering Law

The Money Laundering Law has articles that indirectly affect how data should be processed and transmitted in the financial sector, especially regarding inspections by the Brazilian Board of Control for Financial Activities ('COAF'). Below is a short list of important provisions of this law regarding the use of data by members of the financial sector:

  • identification of their clients, considering practices related to 'Know Your Client', and maintenance of updated registers about them;
  • record of all financial transactions that go beyond the permitted limits determined by the law;
  • answer properly all requests made by COAF or another regulator, knowing that the recipient of such information will be responsible for keeping the answers sent secret;
  • render special attention to any transaction that shows serious evidence of constituting a crime, communicating the fact, in secrecy, to COAF within 24 hours; and
  • institutions or people that do not cooperate with the requirements above may be subject to the following sanctions: warnings; fines; temporary inability to exercise management positions of financial institutions; and disempowerment of the activity, operation, or function.

Although this law has other specific provisions, it is important for the members of the financial sector to understand that, when personal data is being dealt with, these norms must be interpreted taking the LGPD and other data protection rules into consideration. The most important laws of the financial sector were all enacted before the LGPD, so their implementation now has to be revisited in combination with the application of the LGPD.

4. Banking Secrecy and Confidentiality

Banking Secrecy Law

The Banking Secrecy Law demands confidentiality from financial and payment institutions and other institutions that deal with financial data. This means that some fintechs, for instance, may be legally bound by the Banking Secrecy Law even if they are not considered financial institutions under Brazilian law. It is important to note that some fintechs may be understood as financial institutions (because they meet the legal requirements); nonetheless, not all fintechs are financial institutions, because they can operate, within some limits, without prior authorisation by the BCB. Their compliance with this norm, therefore, stems from the nature of the information they have access to in order to offer their services or products. Their responsibility for the secrecy of that data is what binds them to the Banking Secrecy Law.

The regulatory framework is complemented by several other rules issued by regulators such as the CMN, the BCB and the CVM. Under the Banking Secrecy Law, only the following situations do not breach the confidentiality obligation:

  • the exchange of information between financial institutions for registration (database) purposes;
  • the disclosure of information on defaulting debtors to credit protection entities;
  • the reporting of illicit activity to the appropriate authorities (e.g. CVM, COAF);
  • the disclosure of information with the express consent of all organisations involved and of the data subjects; and
  • disclosure ordered in the course of a legal investigation, particularly concerning the following crimes: terrorism; drug or arms trafficking; extortion by kidnapping; crimes against the national financial system; crimes against the public administration; crimes against the tax and social security systems; money laundering; and crimes committed by criminal organisations.

There are clear parallels between the Money Laundering Law and the Banking Secrecy Law as regards data protection: both bank secrecy and data protection rules permit the sharing of confidential data when it is requested by specific public bodies connected with the financial sector or is needed to support a legal investigation.

In the section on personal and financial data management above, we analysed several rules that set confidentiality requirements, such as the Criminal Code, the Crimes Against the National Financial System Law, the Corporate Law and others.

The topic is treated differently from one law to another. Data protection, confidentiality and secrecy should not be confused with one another, even though all three usually serve to protect the right to privacy. This is especially important given the broad definition of personal data in the LGPD (modelled on the GDPR), which widens its scope of application.

The relevance and sensitivity of the data held by financial institutions and other participants in the same market require not only adequate levels of cybersecurity but also a review of internal procedures, so that data processing complies with the LGPD and with the complementary rules that also impose secrecy and confidentiality.

Credit Score Law

The Credit Score Law creates an exception to bank secrecy: all companies that carry out self-financing operations, forward sales or other transactions involving financial risk must provide the credit history of persons in good standing to the credit database managers upon request. As previously mentioned, under Decree No. 9.936 of 24 July 2019 (only available in Portuguese here), which regulates the Credit Score Law, the credit history consists of the financial and payment data relating to credit operations and payment obligations, whether settled or ongoing, that are necessary to assess the financial risk of the data subject.

5. Insurance

It is important to note that the data protection rules of the Consumer Code apply to insurance companies wherever a consumer relationship exists. In addition, insurance companies are treated in the same way as financial institutions under the Crimes Against the National Financial System Law, under which breaching the duty to keep secret an operation or service provided by a financial institution is punishable by one to four years' imprisonment and a fine (Article 18 of the Crimes Against the National Financial System Law), except where the information was required by the authorities.

SUSEP issued Resolution No. 297 of 25 October 2013 (only available in Portuguese here), which regulates the operations of insurance companies and makes them responsible for the integrity, security and secrecy of their operations. They must also provide customers with clear, accurate and suitable information about their rights and obligations in relation to the insurance products offered. SUSEP has also issued Rule No. 605 of 28 May 2020 (only available in Portuguese here), which sets the retention and storage periods for documents held by insurance companies and related institutions.

Where an insurance company handles medical records, further rules may apply because of the sensitive nature of that data. Electronic medical records are regulated by Resolution No. 1.821 of 23 November 2007 (only available in Portuguese here) ('the Medical Records Resolution') issued by the Federal Council of Medicine ('CFM'). However, the Medical Records Resolution focuses on the digitisation of paper medical records and does not provide adequate safeguards for sensitive personal data such as health data.

An individual's medical records cannot be transferred to third parties without an adequate legal basis. In most cases, medical records are covered by doctor-patient confidentiality, which is governed by the Criminal Code, the rules of professional secrecy and the regulations of the medical profession.

Beyond this, compliance with the LGPD is essential in general. Given their activities, many insurance companies and related institutions will qualify as data controllers, which entails several obligations.

6. Payment Services

The Cybersecurity and Cloud Regulation sets out the cybersecurity policy and the requirements for contracting data processing, data storage and cloud computing services that financial institutions, payment institutions and other institutions licensed by the BCB must observe.

Payment schemes and payment institutions form part of the Brazilian Payment System ('SPB') under Law No. 12,865 of 9 October 2013. However, some payment schemes are not subject to BCB supervision, such as private label cards (credit cards accepted only by the issuing establishment, for example large shop chains), payments of public utilities, transportation cards and meal prepaid cards.

Circular No. 3,682 of 4 November 2013 (only available in Portuguese here) ('Circular No. 3,682') provides that the following payment schemes operate outside the SPB and are therefore exempt from BCB licensing:

  • provision of payment services with a 'limited scope';
  • private label card – prepaid/post-paid instruments only accepted by the issuer establishment (such as a shop chain);
  • payment of public utilities with prepaid or post-paid instruments;
  • provision of payment services related to benefits associated to labour relations/services provision - such as meal prepaid cards - or federal government social programs;
  • transaction volume that does not exceed, within a period of 12 months:
    • BRL $20,000,000,000 (approx. €3,000,000,000); or
    • 100 million transactions.

If either of the transaction-volume limits above is exceeded, the provider must apply for licensing within 90 days of the date on which the limit was exceeded, under the terms of Circular No. 3,682.

Similarly, BCB Resolution No. 80 of 25 March 2021 (only available in Portuguese here) establishes that certain payment institutions (issuers of postpaid payment instruments and acquirers) must apply for licensing within 90 days of exceeding BRL $500,000,000 in payment transactions, whereas electronic money issuers and payment transaction initiators must obtain a licence before beginning operations.

In any case, payment institutions must comply with the SPB rules issued by the CMN and the BCB.

7. Data Transfers and Outsourcing

In the financial sector, institutions must also observe the Cybersecurity and Cloud Regulation, which establishes that they may only contract cloud service providers established in countries whose supervisory authorities have an information exchange agreement with the BCB (absent such an agreement, the institution needs prior authorisation from the BCB). In addition, the countries where the financial data will be processed must be notified to the BCB.

The LGPD also imposes certain restrictions on international data transfers, which may only occur under the following circumstances:

  • transfers to countries or international organisations that ensure an adequate level of protection;
  • proof by the controller that certain guarantees have been met (contractual clauses, binding corporate rules, seals, certificates, etc.);
  • transfers in cases of international cooperation between public intelligence, investigation or prosecution agencies;
  • when necessary to protect the life or physical safety of the data subject;
  • when authorised by the ANPD;
  • under an international legal agreement between public authorities;
  • when necessary for the execution of public policy;
  • when the data subject has given specific consent; or
  • when necessary for the controller to comply with a legal or regulatory obligation, for the performance of a contract or of preliminary procedures relating to a contract to which the data subject is a party, or for the regular exercise of rights in judicial, administrative or arbitral proceedings.

The ANPD still has to define the content of the standard contractual clauses and specific contractual clauses for data transfers, as well as the seals, codes of conduct and other instruments relevant to international transfers. International transfers of personal data will therefore continue to take new forms now that the ANPD has been created.

8. Breach Notification

The LGPD requires controllers to notify the ANPD and the affected data subjects of security incidents that may cause significant risk or damage to data subjects. The notification must contain a description of the nature of the personal data affected; the data subjects involved; the technical and security measures adopted before the incident; the risks arising from the incident; the reasons for any delay in notifying; and the measures that have been or will be taken to reverse or mitigate its effects. Depending on the severity of the incident, the ANPD may order further measures, such as wide public disclosure of the incident in the media.

The LGPD itself sets no fixed period for notification; the ANPD is to establish the timeframe in administrative rules.

9. Fintech

Credit fintechs, that is, fintechs that provide loans or financing, are subject to the rules issued by the CMN and the BCB and can take three forms:

  • banking correspondent: regulated by Resolution CMN No. 3954 of 24 February 2011, this refers to companies that provide certain services (including loans) on behalf of a financial institution licensed by the BCB. A banking correspondent does not itself need a BCB licence, but it must enter into a contract with a BCB-licensed financial institution;
  • direct credit company ('Sociedade de Crédito Direto' ('SCD')): regulated by Resolution CMN No. 4656 of 26 April 2018 ('Resolution 4656/2018'), this refers to financial institutions whose purpose is to carry out loan, financing and credit-rights acquisition operations exclusively through an electronic platform, using their own funds. Such companies must be licensed by the BCB before operating; and
  • peer-to-peer loan company ('Sociedade de Empréstimo entre Pessoas' ('SEP')): also regulated by Resolution 4656/2018, this refers to financial institutions whose purpose is to carry out loan and financing operations between persons exclusively through an electronic platform. Such companies must likewise be licensed by the BCB before operating.

10. Enforcement

Data protection matters are supervised by the ANPD and by the bodies of the SNDC, such as the Public Prosecutor's Offices and consumer defence organisations. The ANPD may apply the following administrative sanctions (Article 52 of the LGPD):

  • a warning, indicating a deadline for the adoption of corrective measures;
  • a 'simple fine' of up to 2% of the revenue in Brazil of the legal entity, conglomerate or economic group in its last financial year, excluding taxes, limited in total to BRL $50,000,000 (approx. €8,020,000) per infraction;
  • a 'daily fine', limited to BRL $50,000,000 (approx. € 8,020,000);
  • publication of the infraction after confirmation of its occurrence;
  • elimination of the personal data related to the infraction;
  • partial suspension of the database related to the infraction, until the regularisation of the processing activity; and
  • partial or total prohibition of that specific processing activity of personal data.

Although these are the penalties set by the LGPD and applied by the ANPD, other sanctions may apply depending on the type of infraction. As explained earlier, several rules criminalise certain conduct, such as unauthorised access to electronic devices, breach of secrecy obligations (in some cases), insider trading and crimes against the national financial system. In these cases, the offender will likely face criminal prosecution and penalties ranging from fines to imprisonment.

Where such conduct causes identifiable damage, the offender may also face civil proceedings for compensation, which is especially common where a consumer relationship exists. Sanctions may therefore be imposed at the administrative, civil and criminal levels, depending on the case.

The relationship between financial sector professionals and data security is regulated by the Criminal Code and by the specific rules in sectoral legislation.

The Criminal Code, in the chapter on crimes against the inviolability of secrets, provides that breach of professional secrecy is punishable by three months to one year's imprisonment or a fine (Article 154 of the Criminal Code).

Similarly, the Corporation Law imposes a duty of loyalty on the managers of corporations. Managers may not use, for their own benefit and even without harm to the company, business opportunities that come to their knowledge by virtue of their position, nor may they withhold good business opportunities from the company with a view to benefiting themselves or others.

Managers must also keep confidential any information that has not yet been disclosed outside the company, especially if it could affect the price of its securities on the stock exchange, and must ensure that the employees under their responsibility and the persons they trust do not breach this rule.

Anyone harmed by a breach of this duty is entitled to compensation from the wrongdoer.

The Securities Market Law treats the use of material information not yet disclosed to the market as a crime against the securities market (insider trading). The penalty is heavier than under the Criminal Code: one to five years' imprisonment plus a fine of up to three times the amount of the advantage obtained.

To reinforce the point, the CVM issued Instruction No. 358 on the disclosure and use of information about material acts or facts concerning publicly held companies. It underlines the need to inform the market of material information that may affect all of the company's investors. If the company opts to keep certain information confidential, that decision must be submitted to the CVM, and all managers and shareholders must respect the confidentiality.

11. Additional Areas of Interest

Not applicable.

Pedro Henrique Ramos Partner
Fernando Bousso Partner
Baptista Luz Advogados, São Paulo