Newsletter (#002/2026) on Privacy and Data Protection by Campos Thomaz Advogados

Alerts, materials, and updates on Privacy, Data Protection, and Cybersecurity.


Find out more about our DPO as a Service 

We have prepared specific material to explain how the external DPO as a Service works. Contact our partners

Brazil and the European Union Recognize Mutual Data Protection Adequacy and Simplify International Data Transfers

On January 27, 2026, Brazil and the European Union formalized the reciprocal recognition of the adequacy of their respective personal data protection regimes, pursuant to the Brazilian General Data Protection Law (LGPD) and the General Data Protection Regulation (GDPR). With this decision, both jurisdictions acknowledge that their legal frameworks provide equivalent levels of protection for personal data, establishing a legal environment that enables the free and streamlined international transfer of personal data between the regions, thereby eliminating the need, in such cases, to adopt standard contractual clauses. Learn more.

MGI approves incident management plan and privacy by design guidelines

The Ministry of Management and Innovation in Public Services (MGI) has approved two strategic documents aimed at strengthening institutional governance on personal data protection. The approvals were formalized through CPDP/MGI Resolutions No. 3 and No. 5, both dated December 19, 2025, and deliberated by the Personal Data Protection Committee. The measures are intended to enhance the Ministry’s compliance with the Brazilian General Data Protection Law (LGPD). One of the approved documents is the Personal Data Incident Management Plan, which sets out procedures, internal workflows, and responsibilities for handling security incidents, including the possible notification to the Brazilian Data Protection Authority (Agência Nacional de Proteção de Dados). Learn more.

French data protection authority fines telecom companies €42 million for security failures and GDPR breaches

The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a combined €42 million fine on telecom operators Free and Free Mobile, both part of the Iliad Group, for serious violations of the General Data Protection Regulation (GDPR). The sanctions stem from a 2024 security incident that led to the compromise of personal data of more than 24 million individuals, including financial information such as IBANs. Learn more.

Multiplan confirms security incident involving its app and access to users’ registration data

Multiplan, a company that manages several shopping centers in Brazil, confirmed a security incident involving its “Multi” mobile application, resulting from a cyberattack that occurred on January 10, 2026. According to an official statement, certain users’ registration data may have been accessed, including information such as credit card expiration dates and the last four digits of card numbers. The company stated that more sensitive data, such as full credit card numbers, were not accessed. Learn more.

Federal Police operation investigates data protection violations and criminal offenses involving SUS health data

On February 4, 2026, the Brazilian Federal Police launched an operation to investigate a business structure allegedly involved in the illegal access and sale of sensitive personal health data belonging to patients of the Unified Health System (SUS). The case raises potential violations of criminal law and personal data protection regulations, particularly with respect to the unlawful processing of health data, which are classified as sensitive personal data under the Brazilian General Data Protection Law (LGPD). Learn more.

Spain announces ban on social media for under-16s and strengthens digital regulation

The Spanish government has announced plans to prohibit access to social media platforms for individuals under the age of 16, reflecting a growing international regulatory trend aimed at protecting children and adolescents in the digital environment. The proposal requires platforms to implement effective age-verification mechanisms, replacing self-declaratory checks with systems designed to effectively prevent registration and use by minors. The measure is expected to be incorporated into a bill currently under discussion and submitted to the Council of Ministers. Learn more.

LGPD Infographic

Access the LGPD infographic prepared by our firm. Access here

Explore our series of content on privacy, data protection, and cybersecurity. 

Discover our series of content on privacy, data protection, and cybersecurity. Access the full series here.

Produced by Alan Campos Thomaz and João Marcelo de Oliveira
