Data localization and regulation of non-personal data
Are there data localization/data residency or other types of laws that may require the retention and storage of data in the local jurisdiction, or prohibit the transfer of data out of the jurisdiction?

Last review date: 3 January 2025

No, generally speaking, except for a few specific sectoral regulations.

☒       other

While there are no general data residency/localization obligations, there may be such data residency/localization requirements if classified State information (not limited to personal data), or data related to the Federal Public Administration is processed.

Also, there might be restrictions on the storage/transfer to foreign jurisdictions for certain types of information. For instance, according to CMN's Resolution no. 4,893/2021, which provides for requirements for the agreements between cloud providers and financial institutions, financial data does not necessarily need to be stored in Brazil, but the financial institution must ensure the access of the Brazilian Central Bank to the financial data. The access may be supported by the presence of a cooperation agreement between the Brazilian Central Bank and the supervisory authority from the jurisdiction where the data is stored. In case the data is stored in a jurisdiction where there is no such cooperation agreement, the agreement between the financial institution and the cloud provider must be submitted for the Brazilian Central Bank's approval.

Does law or regulation impose mandatory requirements to share or make accessible non-personal data?

Last review date: 3 January 2025

☒         Obligation for public sector organizations to share or make accessible non-personal data

Law No. 12,527/2011 (Brazilian Information Access Law) regulates access to public information held by government bodies. It aims to ensure transparency and accountability in public administration by providing citizens with the right to access information.

         Obligation for private organizations to share or make accessible non-personal financial data

BACEN and CVM Joint Resolution No. 6/2023 establishes the requirements that must be observed by financial institutions, payment institutions, and other entities authorized to operate by BACEN in the sharing of data and information on indications of fraud. The resolution mandates these institutions to share, through an electronic system, any data and information that support their fraud prevention procedures and controls. Institutions must obtain the prior and general consent of the customer to allow the registration and sharing of this data.

         Obligation for private organizations to share or make accessible other non-personal data

If so, please provide brief details of the relevant law or regulation.

Internet Legal Framework - Law No. 12,965/14 contains provisions regarding internet users' rights to the protection of logs, personal data and private communications. It includes, among others, obligations for internet application and connection providers to disclose internet access and connection logs upon receipt of a court order.

ANATEL’s Resolution No. 740/2020, amended by Resolution No. 767/2024, establishes guidelines and procedures to promote security in telecommunications networks and services, including the protection of critical infrastructures. The resolution requires telecommunications companies to retain and, in some cases, share certain types of data for regulatory and security purposes. This can include non-personal data related to network operations and usage.

What specific obligations do these data-sharing rules impose on private organizations?

Last review date: January 2025

Obligation to share data on request