Financial institutions, fintechs and fund managers must pay special attention to compliance with the Brazilian General Data Protection Law (known as LGPD).
Because they generally have access to and process sensitive information of individual borrowers, guarantors and investors, these organizations are subject to obligations, including (i) communication about what data is collected, how it is treated and for what purposes, (ii) equivalent communication in the case of cross-border transactions involving transfer/sharing of data to affiliates abroad, and (iii) consent of the holder, which must be highlighted and demonstrate the party’s express consent.
We list below some relevant documents by type of organization:
1. Financial Institutions and Fintechs: credit agreements, debt confessions, collateral instruments and other transaction documents must contain specific LGPD compliance provisions, particularly regarding (i) the communication of what data will be collected and processed, (ii) the possibility, in international transactions, of sharing data with affiliates abroad and (iii) express consent of the holder.
Syndicated transactions or transactions involving the sale of participation must be especially careful with the LGPD, as the sharing of sensitive data of individual borrowers and guarantors is carried out with more than one lender, often located abroad, and the scope of the LGPD provisions needs to cover such a possibility.
2. Investment Fund Administrators and Managers: the fund charter document (Regulamento), Offering Memorandums, the investment commitment instrument, the subscription bulletin, among others, must contain specific clauses on LGPD compliance, including (i) notice of collection and treatment, (ii) the possibility, in cross-border transactions, of sharing data with affiliates abroad and (iii) the investor’s express consent.
3. Securitization and Credit Assignment: as securitization of loan portfolios and credit assignment are common in transactions with financial institutions and fintechs, as well as for funds such as FIDCs, attention to the above LGPD rules must also cover and benefit the investor/assignee in order to avoid exposure to legal fines and indemnifications.
It is essential that financial institutions, fintechs, and fund managers pay attention to the LGPD, whose sanctions can range from a simple warning to a fine of up to R$50 million, plus the reputational exposure before clients and the market.