Perspectives of the European General Data Protection Regulation (GDPR) in Brazil

It is no longer news that personal data processing activities, especially those aimed at monitoring user behavior, will soon become part of the core of most business models. Personal data processing, however, whether by a large IT corporation or by the reception of a commercial building, raises several issues that require a certain degree of regulation.

Due to the major increase in the amount of data collected, and the evolution of automated mechanisms for analyzing such data, the European Union has approved a new General Data Protection Regulation (GDPR), which considerably recasts the regulatory framework for personal data protection in Europe.

The GDPR, which replaces the EU’s Personal Data Directive of 1995 and enters into force on May 25, 2018, has, moreover, broadened the territorial scope of the regulation and now has a global reach: it applies both to data processing activities conducted by undertakings established in the European Union and to companies located abroad that offer services or products to European citizens or that monitor individuals located in countries of the European Union, for example, for purposes of programmatic advertising.

Brazilian companies that fall under this definition must heed and follow the standards of the GDPR, including, among others: (i) having a Data Protection Officer and appointing a representative in the European Union; (ii) obtaining the free, express, informed and specific consent of the data subject; (iii) notifying the user within up to 72 hours in case of a personal data breach; and (iv) allowing the data subject to control his personal data.

In addition to these rules, it is important to emphasize that the GDPR will also impact Brazilian companies that are not subject to it, because, according to the new regulation, European companies can only transfer their users' personal data to countries that have a regulatory framework similar to the one existing in the European Union, which is not the case in Brazil today.

The fact is that Brazilian companies should examine the scope of the GDPR and, if necessary, comply with the rules contained therein, under penalty of being subject to the sanctions contained in the regulation.

Felsberg Advogados’ Technology and Innovation, Startups and Venture Capital practices are available to clarify any questions on the subject.

Kind regards,


Fernando Bousso



This article is of a solely informative nature, and does not contain any opinion, recommendation or legal advice from Felsberg Advogados concerning the subject matter covered.