Newsletter (#004/2025) on Privacy and Data Protection by Campos Thomaz Advogados

Alerts, materials, and updates on Privacy, Data Protection, and Cybersecurity.

To subscribe, click here.

Find out more about our DPO as a Service 

We have prepared specific material to explain how the external DPO as a Service works. Contact our partners

International Data Transfers: What Changes with ANPD’s Resolution No. 19/2024?

International Data Transfers (IDT) are critical to global business and data flows. Brazil’s General Data Protection Law (LGPD) sets out specific rules to ensure that the personal data of individuals located in Brazil remains protected even when transferred abroad.

In August 2024, the Brazilian National Data Protection Authority (ANPD) issued Resolution No. 19/2024, which regulates certain legal mechanisms provided in Article 33 of the LGPD to authorize international data transfers. These include:

  • Recognition of an Adequate Level of Data Protection in foreign countries

  • Standard Contractual Clauses (SCCs) issued by the ANPD

  • Specific Contractual Clauses, subject to prior approval

  • Global Corporate Rules, also requiring ANPD’s approval

Companies intending to use the Brazilian SCCs must implement them by August 2025, the official compliance deadline set forth in the resolution. Learn more.

DPO as a Service: Advantages and Disadvantages after ANPD’s Regulation

The General Data Protection Law (LGPD) requires organizations to appoint a Data Protection Officer (DPO), a role regulated by the National Data Protection Authority (ANPD) through Resolution No. 18 of July 17, 2024, and the guidance guide published on December 18, 2024. The regulation and guide set specific requirements for the appointment, responsibilities, and disclosure of the DPO, including the possibility of contracting through the “DPO as a Service” (DPOaaS) model, which consists of outsourcing this function to specialized firms.

Check out the article that explores the advantages and disadvantages of the DPO as a Service model, considering ANPD regulation and market best practices. Learn more.

ANPD Selects Winner for Consultancy in AI Regulatory Sandbox

The Brazilian Data Protection Authority (ANPD) has chosen the University of São Paulo (USP) to assist in the development of its Artificial Intelligence (AI) regulatory sandbox. This initiative aims to create a collaborative experiment between regulators, regulated entities, and other stakeholders, such as tech companies, academics, and civil organizations, to test innovations within a secure regulatory framework. USP was selected after scoring 69 points in the selection process, which assessed institutional qualifications, technical expertise, and the proposed methodology. The partnership, involving the United Nations Development Programme (UNDP), will last for 20 months and aims to test AI regulations, increase algorithmic transparency, and promote responsible innovation. Saiba mais.

Extension of the UK Adequacy Review Deadline by the EU

The European Commission has proposed a six-month extension of the UK’s data adequacy decisions, currently set to expire on 27 June 2025. If approved, the new deadline would be 27 December 2025, allowing data flows between the EU and the UK to continue uninterrupted while the Commission reassesses the UK’s data protection framework. The extension appears to be a strategic move to await the adoption of the UK’s new Data (Use and Access) Bill, which is in its final legislative stages and expected to become law in the coming months. The new bill is anticipated to align with EU adequacy standards, paving the way for the decisions to be renewed and ensuring legal certainty for businesses and authorities relying on cross-border data transfers.

Court order Authorizes Access to Digital Platform Data for Locating Debtors

In a recent decision, the 17th Chamber of Private Law of the São Paulo Court of Justice (TJ/SP) authorized the issuance of orders to digital platforms such as iFood, Rappi, Uber, 99 Táxi, Mercado Livre, Amazon, and Netflix, to obtain registration data of a debtor who has defaulted on school tuition fees. This measure aims to facilitate the debtor’s location after unsuccessful attempts to find them at previously known addresses. This decision reflects a trend in the Judiciary to use new technologies and data from digital platforms to ensure the fulfillment of legal obligations, adapting to the behavior of modern consumers and the widespread use of online services. Learn more.

ANPD Launches New GOV.BR Platform for Data Subject Requests and Reports

The Brazilian Data Protection Authority (ANPD) and the Ministry of Management and Innovation in Public Services (MGI) launched a new platform for receiving personal data subject requests and reports of violations under the Brazilian General Data Protection Law (LGPD). Accessible via GOV.BR, the initiative marks a significant step toward modernizing public services and strengthening citizens’ access to their data protection rights. By integrating with the GOV.BR — a platform already used by over 150 million Brazilians — the new system simplifies access without requiring additional passwords and connects users to more than 4,200 digital services. Through the Electronic Information System (SEI), the previous method will remain operational during the transition to ensure service continuity and user adaptation. Learn more.

ANPD Updates Security Incident Communication Channel

On March 31, 2025, the Brazilian National Data Protection Authority (ANPD) enhanced its service channel for reporting security incidents, aiming to streamline and expedite the process for data controllers. Additionally, ANPD has made available an interactive Power BI dashboard displaying the number of reported incidents by state, promoting greater transparency and awareness regarding data security in the country.According to the latest data, the most reported incidents include credential theft and social engineering, followed by ransomware attacks without data transfer. These statistics highlight the importance of robust preventive measures and effective incident communication. Learn more.

LGPD Infographic

Access the LGPD infographic prepared by our firm. Access here

Explore our series of content on privacy, data protection, and cybersecurity. 

Discover our series of content on privacy, data protection, and cybersecurity. Access the full series here.

Produced by Alan Campos Thomaz and João Marcelo de Oliveira

*

share

LinkedInFacebookTwitterWhatsApp

newsletter

Subscribe our newsletter and receive first-hand our informative

    For more information on how we handle your personal data, see our Privacy Policy.
    contato@camposthomaz.com
    *

    R. Funchal, 551, conjunto 51
    Vila Olímpia, São Paulo – SP
    04551-060

    11 3044-4906

    © Campos Thomaz Advogados privacy policy