Law Name

Law 13709 for the treatment of personal data (August 14, 2018)

Link to the Law

Data Transfer

It can be done with the consent of the data subject.

Data Sharing

Consent must be obtained to use and process data. Under the current law, there are provisions regarding “sensitive personal data”. “Sensitive data” applies to health, genetic and biometric data. Under the new law, separate consent will be required, and explicit information must be provided to the data subjects involved in the processing of sensitive data.

Data Retention

Data subjects have the right to deletion of their personal data (on the internet), provided that the relationship between the parties is complete and that mandatory log retention is not required.


Under the current law, agencies responsible for personal data must provide data subjects with information about the obtaining, use, storage, processing and protection of personal data. Additionally, consent must be given before data can be processed. Logs must be kept confidential, and the security measures must be made clear to the data subject. Under the new Bill, the appointment of a person responsible for data protection, or a Chief Data Protection Officer, will be mandatory.


There is currently a new governing or enforcement agency. Under the new Bill, there will be a designated agency that will enforce the security protections of personal data and data transfers.

Breach Notification

As of now, Brazilian law does not require that data subjects be informed of a security breach affecting their personal data. Under the new bill that is being reviewed, data subjects will have to be informed if their personal data is breached (especially if the breach can be harmful to them).


Privacy Law Portuguese

Electronic Health Records Law

Law for electronic health records Nº 13.787 (December 2018)


The Electronic Health Records Regulations for Brazil passed in December 2018.