Cloud Computing 2025 Comparisons

Last Updated October 07, 2025

Contributed By Mattos Filho

Law and Practice

Mattos Filho adopts an integrated and collaborative approach that drives high performance and positions it as a strategic partner for solving complex challenges. The full-service firm anticipates trends and combines specialised expertise to deliver agile, innovative solutions, bringing together lawyers across more than 45 areas of law. It fields a multidisciplinary team supporting the tech industry and innovation-driven businesses, which advises on artificial intelligence, blockchain, cloud computing, crypto-assets, digital platforms, e-commerce, marketplaces, start-ups, gaming, IoT, payments, social media and tech companies, as well as IT, outsourcing and smart contracts. In data protection and cybersecurity, Mattos Filho tailors strategies to each client’s needs, ensuring compliance while enabling innovation.

Applicable Data Privacy Regulations for Cloud Computing

In Brazil, the primary regulation governing data privacy in cloud computing is the Brazilian Data Protection Law (Law No 13,709/2018 – LGPD). This comprehensive law applies to the processing of personal data, including activities carried out through cloud-based services. The LGPD establishes principles, rights and obligations for all entities involved in the processing of personal data.

Definitions of Personal and Sensitive Data

Under the LGPD, personal data is defined as any information related to an identified or identifiable natural person (Article 5, I). This includes data that can directly or indirectly identify an individual, such as names, identification numbers, location data or online identifiers.

Sensitive personal data refers to a specific category of personal information that requires enhanced protection (Article 5, II). This includes data concerning:

  • racial or ethnic origin;
  • religious beliefs;
  • political opinions;
  • membership in unions or organisations of a religious, philosophical or political nature;
  • health or sexual life; and
  • genetic or biometric data.

General Requirements for Processing Personal Data in the Cloud

Processing personal data in cloud environments must comply with the general principles set forth by the LGPD, including purpose limitation, data minimisation, transparency and security (Article 6). Any processing of personal data or sensitive personal data must also rely on an applicable legal basis, as provided for by LGPD (Articles 7 and 11).

Where personal data is transferred to cloud servers located outside of Brazil, the requirements for international data transfers under the LGPD must also be met. These include ensuring that the destination country provides an adequate level of data protection or that appropriate safeguards have been implemented (Article 33).

Obligations of Data Controllers and Processors in the Cloud Environment

The LGPD establishes two primary roles in personal data processing:

  • the data controller is the individual or legal entity responsible for making decisions regarding the processing of personal data (Article 5, VI); and
  • the data processor is the party that processes personal data on behalf of the controller, following the controller’s instructions (Article 5, VII).

Both controllers and processors are required to maintain records of their data processing activities (Article 37). In the context of cloud computing, cloud service providers typically act as data processors when delivering core services, carrying out processing activities under the instructions and responsibility of the contracting data controller.

Shared Liability and Contractual Safeguards

The LGPD establishes joint liability for damages caused to data subjects when multiple parties are involved in the same data processing activity (Article 42). To mitigate risks and clarify responsibilities, the Brazilian National Data Protection Authority (ANPD) recommends formalising the relationship between data controllers and cloud service providers through a Data Processing Agreement (DPA).

A well-structured DPA should include:

  • the subject matter, duration, nature and purpose of the data processing;
  • the types of personal data involved;
  • the rights and obligations of each party; and
  • the allocation of responsibilities in compliance with the LGPD.

The DPA should also require the cloud provider to implement appropriate technical and organisational security measures to prevent unauthorised access and the accidental or unlawful destruction, loss, alteration or disclosure of personal data.

Transparency and Data Subject Rights

Data controllers must ensure transparency when sharing data with cloud providers (Article 9). This includes providing clear, accessible and comprehensive information to data subjects, typically through a Privacy Policy, which should cover:

  • the sharing of personal data with third parties;
  • the purposes of such sharing; and
  • any international data transfers involved.

Data controllers must also enable data subjects to exercise their right to obtain information about the entities with which their data has been shared (Article 18, VII).

Sector-Specific Regulations

In addition to the LGPD, cloud service providers serving regulated entities in Brazil must also account for sector-specific regulations issued by the competent regulatory authorities. These rules are addressed to the regulated entities but impose additional obligations, tailored to the risks and operational needs of each industry, that are typically passed on to providers through contract. The following sectors are the most affected:

  • the public sector;
  • telecommunications;
  • finance;
  • private insurance;
  • betting;
  • healthcare; and
  • electricity.

The main topics addressed by the specific rules on cloud computing services published by the competent Brazilian authorities are:

  • cybersecurity policies;
  • information security measures and standards;
  • data breach reporting obligations;
  • pre-hiring/post-hiring rules;
  • mandatory contractual provisions;
  • specific prohibitions applicable to the engagement of cloud computing services;
  • monitoring and auditing rights;
  • data portability and data deletion;
  • data localisation;
  • disclosure of territories where the cloud services will be provided;
  • full access to and disclosure of documents and agreements to the competent Brazilian authority; and
  • access to information for the competent Brazilian authority.

Cross-Border Data Transfers in Cloud Computing

The LGPD establishes a comprehensive framework for international data transfers, which is particularly relevant in the context of cloud computing, where data is often stored or processed in servers located abroad. These transfers are permitted under specific circumstances designed to ensure that personal data remains protected regardless of its geographic location (Article 33), as detailed in 6.1 Cross-Border Transfer Regulation.

If data controllers or processors fail to comply with the LGPD, they may be subject to one or more of the following administrative penalties (Article 52):

  • an official warning notice;
  • public disclosure of the violation;
  • the blocking or erasure of data until remedies have been implemented;
  • partial or total suspension or prohibition of data processing activities; and/or
  • a fine of up to 2% of the Brazilian turnover of the infringing entity’s economic group, limited to BRL50 million per violation.

These penalties may be imposed on any processing agent involved in the processing of personal data, including those relying on cloud infrastructure, and are enforced by ANPD.

In addition, Resolution CD/ANPD No 4/2023 governs the calculation and application of administrative sanctions, and sets out the criteria and parameters that ANPD must apply to both monetary and non-monetary penalties, including the methodology for determining pecuniary fines.

The LGPD requires data processing agents, including cloud service providers, to implement technical and administrative security measures to protect personal data against unauthorised access and accidental or unlawful destruction, loss, alteration, communication or dissemination (Article 46). These measures must be appropriate to the nature of the data, the purpose of processing and the risks involved.

Security measures must uphold the core principles of:

  • confidentiality – restricting access to authorised personnel only;
  • integrity – ensuring data remains accurate and unaltered;
  • availability – maintaining reliable access to data when needed; and
  • authenticity – ensuring that information was produced, issued, modified or destroyed by a specific natural person, device, system, body or entity.

The LGPD emphasises accountability, requiring organisations to adopt effective controls and demonstrate compliance through periodic assessments and reviews.

While the LGPD does not prescribe specific encryption protocols or security standards, cloud service providers are expected to observe recognised industry practice. A common way to evidence this is certification of the provider’s information security management system under ISO/IEC 27001, extended with the cloud-specific controls of ISO/IEC 27017 (cloud security) and ISO/IEC 27018 (protection of personal data in public cloud environments); the latter two are codes of practice applied as extensions to an ISO/IEC 27001 certification rather than stand-alone certifications, so customers should check that the provider’s certificate scope actually covers the services they are buying.

Access controls must comply with the principle of necessity and security under the LGPD:

  • access should be limited to the minimum necessary for the intended purpose; and
  • only authorised personnel should access personal data, and only to the extent required by their role.

To prevent breaches, the LGPD requires the adoption of good practices and compatible security measures. ANPD’s non-binding guide for small processing agents outlines the basic expectations, including:

  • maintaining back-up copies;
  • the use of complex passwords;
  • employee training and non-disclosure agreements;
  • access control policies;
  • regular software updates;
  • anti-virus tools; and
  • multi-factor authentication.

There are specific rules governing the notification of security breaches under the LGPD, as outlined in 5.3 Notifying Data Breaches.

Sector-Specific Regulations

Certain sector-specific rules on the use and outsourcing of cloud services apply to regulated industries and may indirectly affect cloud service providers. Although these obligations fall primarily on the regulated entities, they are often flowed down to cloud providers through contractual arrangements.

Key cybersecurity regulations include the following.

  • Telecommunications: Resolution No 740/2020 and Act No 77/2021 from the Brazilian Telecommunications Agency (ANATEL) require telecoms providers in Brazil to engage cloud service providers with cybersecurity policies aligned to key principles like confidentiality, integrity and availability.
  • Banking and finance: the Brazilian National Monetary Council’s Resolution No 4,893/2021 and the Brazilian Central Bank’s Resolution No 85/2021 require financial institutions in Brazil to assess and document cloud providers’ ability to ensure data security and the segregation of data by implementing physical or logical controls.
  • Insurance: Circular No 638/2021 from the Private Insurance Authority (SUSEP) requires cloud providers serving Brazil’s insurance sector to support service monitoring, adopt comparable cybersecurity controls, ensure data segregation and notify the regulated entity when subcontracting relevant services.
  • Betting: Ordinance No 722/2024 from the Betting and Prizes Secretariat (SPA) requires ISO/IEC 27001-certified data centres.
  • Healthcare: Brazilian regulations establish protocols for managing confidential health data and cybersecurity standards for private healthcare providers regulated by the National Private Health Insurance and Plans Agency (ANS), and also protocols for medical device manufacturers overseen by the Brazilian National Health Surveillance Agency (ANVISA).
  • Electricity: Resolution No 964/2021 from the Brazilian Electricity Regulatory Agency (ANEEL) establishes that electricity sector agents in Brazil must:
    1. adopt cybersecurity policies suited to their size;
    2. report and share cyber incidents with ANEEL;
    3. apply maturity models like C2M2 or CMMI;
    4. segment IT and internet networks;
    5. implement rapid response procedures; and
    6. manage cybersecurity risks.

In cloud computing arrangements to which the LGPD applies, data ownership and control are structured around two distinct roles:

  • the data controller, who is responsible for making decisions regarding the purposes and means of processing personal data – typically the organisation engaging the cloud service; and
  • the data processor, who processes personal data on behalf of the controller and in accordance with the controller’s instructions – usually the cloud service provider.

Both parties are required to ensure compliance with the LGPD within the scope of their respective responsibilities. The controller remains primarily responsible for fulfilling data subject requests and for ensuring that the processing complies with the LGPD, even when such processing is outsourced to a cloud provider.

Data Subject Rights in the Cloud

The LGPD grants data subjects a comprehensive set of rights over their personal data, regardless of whether the data is stored or processed in the cloud (Article 18). These rights include:

  • confirmation of processing – the right to know whether their data is being processed;
  • access to data – the right to access their personal data;
  • correction – the right to correct incomplete, inaccurate or outdated data;
  • anonymisation, blocking or deletion – the right to request these actions for data that is unnecessary, excessive or processed unlawfully;
  • data portability – the right to transfer their data to another service provider upon request, subject to commercial and industrial secrecy;
  • deletion of consent-based data – the right to request deletion of data processed based on consent, except where retention is legally justified;
  • information on data sharing – the right to know with whom their data has been shared;
  • consent management – the right to be informed about the consequences of denying consent and to revoke consent at any time;
  • right to petition – the right to file complaints with ANPD against the controller; and
  • review of automated decisions – the right to request a review of decisions made solely through automated processing that affect their interests, including profiling related to personal, professional, consumer or credit characteristics (Article 20).

Exercising Data Subject Rights in the Cloud

Data subjects may exercise their rights by submitting an express request to the data controller or its legally authorised representative. The controller must respond promptly and without cost, following the procedures below.

If immediate compliance is not possible, the controller must either inform the data subject that it is not the data processing agent and, if possible, identify the correct party, or provide factual or legal reasons preventing immediate action (Article 18, paragraph 4).

Requests for confirmation or access must be fulfilled immediately, in a simplified format, or within 15 days, through a complete declaration detailing the data’s origin, processing criteria and purpose (Article 19).

Data must be stored in a format that facilitates access and may be provided either electronically, through a secure and appropriate channel, or in printed form, at the data subject’s discretion (Article 19, paragraphs 1 and 2).

When processing is based on consent or contract, the data subject may request a full electronic copy of their personal data in a structured, interoperable format for reuse in other processing operations (Article 19, paragraph 3), subject to ANPD regulations and without prejudice to trade and industrial secrets.

Measures to Ensure Data Portability

Under the LGPD, data subjects have the right to request the portability of their personal data to another provider, upon express request to the data controller and subject to ANPD regulation (Article 18, item V).

Portability is conditioned on the data subject’s express request, and respect for trade and industrial secrets.

Anonymised data is excluded from portability rights (Article 18, paragraph 7).

While the LGPD establishes the right to portability, practical implementation (including formats, procedures and security safeguards) depends on further guidance from ANPD.

Under the LGPD, personal data must be eliminated once processing terminates (Article 15). This covers scenarios where:

  • the purpose has been achieved;
  • the data is no longer necessary or relevant;
  • the processing period has ended; or
  • the data subject requests deletion (Article 18, VI), including through revocation of consent, unless another legal basis justifies continued processing.

Elimination is also required when determined by ANPD due to a legal violation (Article 15).

Despite these requirements, the LGPD permits retention after processing ends for the following specific purposes (Article 16):

  • compliance with a legal or regulatory obligation by the controller;
  • study by a research body, with anonymisation ensured whenever possible;
  • transfer to a third party, provided all LGPD requirements for processing are respected; or
  • exclusive use by the controller, with access by third parties prohibited and provided the data is anonymised.

In cloud environments, retention and deletion usually operate under a shared responsibility model and are governed by contracts/DPAs between controllers and providers (typically processors). These should define data classes and regions, retention schedules, deletion triggers and service level agreements (SLAs) for removal from active systems and back-ups/replicas, including treatment of logs, indexes and geo-replicated copies, plus evidence of deletion (eg, audit logs and certificates of destruction).

Policies should align with LGPD principles of necessity, purpose limitation, transparency and security, and any Article 16 retention exceptions should be documented and periodically reviewed.

Requirements Under the LGPD

Although the LGPD does not impose provider-specific selection rules, organisations must ensure that any cloud provider can demonstrably comply with LGPD principles and security obligations. In practice, this means verifying role alignment (controller/processor), executing a DPA with clear instructions and audit rights, and confirming that appropriate technical and administrative safeguards are in place before any personal data is transferred.

Sector-Specific Requirements

Financial sector

Financial institutions must conduct thorough due diligence before engaging cloud services. In general, this should include:

  • verification and evidence that the provider can ensure the confidentiality, integrity, availability and recoverability of data;
  • effective data segregation controls in multi-tenant environments, whether physical or logical, and robust identity and access management;
  • requiring internal audit reports on cybersecurity controls, prepared by specialised entities;
  • compliance with the institution’s cybersecurity and outsourcing policies, including requirements for incident notification timelines, logging/monitoring integration and key management; and
  • contractual protections covering SLAs and service credits, audit and inspection rights.

Although the LGPD does not prescribe a specific format for cloud agreements, it requires data controllers to demonstrate accountability and to adopt appropriate safeguards when outsourcing data processing activities. This can be achieved through a DPA that formalises the relationship between the data controller and the cloud service provider, which usually acts as a data processor.

In regulated sectors such as finance and private insurance, additional contractual provisions may be required by the applicable regulations.

Requirements Under the LGPD

Under the LGPD, the DPA should define how personal data will be handled throughout the life cycle of the service. It should clearly set out the scope, duration and purpose of the data processing, as well as the types of personal data involved. Most importantly, it must establish the roles and responsibilities of each party, ensuring that the cloud provider acts strictly under the controller’s documented instructions and in accordance with the LGPD.

Beyond these structural elements, the DPA must also address the implementation of technical and organisational security measures, including measures to prevent unauthorised access and the accidental or unlawful destruction, loss, alteration or disclosure of personal data. In practice this means specifying controls such as encryption in transit and at rest, access controls, incident response and notification procedures, and data back-up and recovery mechanisms, so that the confidentiality, integrity and availability of the data are maintained for the duration of the service.

Sector-Specific Requirements

Financial sector

Financial institutions must include specific contractual provisions in their cloud agreements, including:

  • a list of countries or regions where services will be rendered and data may be stored or processed;
  • cybersecurity measures for data transmission, storage, segregation and access control;
  • access to internal audit reports prepared by specialised entities regarding cybersecurity procedures;
  • obligations upon termination of the agreement, including data transfer to a new provider or the institution, followed by secure deletion after confirming the integrity and availability of the transferred data; and
  • the Brazilian Central Bank’s right to access executed service agreements, documentation and information related to data processing, back-up and access credentials.

Private insurance sector

For insurance companies regulated by the Private Insurance Authority (SUSEP), cloud agreements must provide for governance and security standards. Except in adhesion contracts, agreements must explicitly include:

  • the obligation for the cloud provider to adopt cybersecurity processes and controls comparable to those of the supervised company;
  • data segregation through physical and/or logical means;
  • obligations upon termination of the agreement, including data transfer to a new provider or the company, followed by secure deletion after confirming the integrity and availability of the transferred data;
  • SUSEP’s access to processed data, service-related information, and copies of executed agreements and amendments; and
  • a certification by the supervised company that the laws of the countries where services are rendered do not restrict SUSEP’s access to such data and documentation.

Cloud service agreements usually combine several termination and exit mechanisms designed to manage both legal risk and operational continuity. As a rule, customers have termination rights for cause – for example, in the event of material breach, repeated SLA failures, serious security incidents or the provider’s insolvency. Many contracts also allow termination for convenience, subject to prior notice and, often, early termination fees. In regulated sectors, it is also common to see specific regulatory or change-of-control triggers, allowing the customer to exit if a change in law or in the provider’s ownership structure creates compliance or concentration risk.

From a commercial perspective, the agreement typically deals with the financial impact of early termination (such as minimum commitment adjustments) and clarifies that service credits are not the customer’s exclusive remedy, preserving the right to claim damages or terminate if issues are persistent. Customers also tend to resist automatic renewals unless there is an explicit opt-in, to avoid unintentionally being locked into another long term.

On the “exit” side, cloud contracts include termination assistance for a defined period (often ranging between three and 12 months) at pre-agreed rates, with service levels maintained during that window and, in some cases, an option to extend on a month-to-month basis. The provider is expected to support data return and deletion, including the export of data in open, machine-readable formats, continued console or API access for a limited time after termination, and then certified secure deletion of residual data and back-ups, subject to any legal retention requirements. Throughout the exit, security and compliance obligations should remain in force.

Migration of Data and Services From One Cloud Provider to Another

Moving from one cloud provider to another is usually handled as a planned transition rather than a one-off technical action. In practice, the customer first decides which systems will actually move, in what order, and how (for example, simply moving them as they are or taking the opportunity to modernise them). At the same time, the new cloud environment is prepared so that it can receive the data and applications, and connect securely to existing systems.

For a period, both environments may run in parallel so the customer can test whether everything is working properly before fully switching over.

Once the migration is complete, the old environment is shut down in a controlled way: access is removed, remaining data is securely deleted, and the customer will often ask the former provider to confirm in writing that the data has been erased. Ideally, the cloud contract already sets out how the provider must support this transition, how long it will assist, how data must be returned or deleted, and how related costs (such as data-transfer charges) are handled.

Under the LGPD, data controllers must notify both ANPD and the affected data subjects of any data breach that may result in risk or significant harm to individuals (Article 48). Resolution CD/ANPD No 15/2024 provides guidance on data breach reporting obligations.

A data breach is considered to pose relevant risk or harm when it may significantly affect the data subject’s fundamental rights or interests and involves at least one of the following:

  • sensitive personal data;
  • data of children, adolescents or elderly individuals;
  • financial data;
  • authentication credentials;
  • legally protected or confidential data; or
  • large-scale data sets.

Depending on sector-specific regulations, notification obligations to other competent Brazilian authorities may also be required.

Penalties for Failing to Report a Data Breach

Failure to comply with breach reporting obligations constitutes a violation of the LGPD, which may result in administrative sanctions being imposed by ANPD, following due process. These may include warnings, fines, suspension of data processing activities, or public disclosure of the violation. Data subjects may seek compensation, individually or collectively, for damages resulting from the breach.

Under the LGPD, data breaches in cloud environments may be investigated and remedied through a structured incident response plan. This plan is designed to contain, assess and mitigate the impact of the breach in a timely and effective manner. Key elements include the following.

Technical Investigation

The breach is analysed to determine its origin, scope, affected systems and compromised data. This may involve forensic analysis, log reviews and vulnerability assessments conducted by internal teams or external experts. Internal records of all evidence related to the breach must be maintained.

Mitigation and Remediation

Measures are taken to stop the breach, restore system integrity and prevent recurrence. These may include patching vulnerabilities, revoking compromised credentials and strengthening access controls.

External Support

Organisations often engage specialised consultants or cybersecurity firms to assist with containment and remediation, especially in complex or large-scale incidents.

Post-Incident Review

The organisation conducts a review to evaluate the effectiveness of the response and identify areas for improvement. This may lead to updates in security policies, training programmes and technical safeguards.

Minimum Content of the Notification

The breach notification must include at least:

  • a description of the nature of the personal data affected;
  • information about data subjects involved;
  • technical and security measures used to protect the data (subject to trade secrecy);
  • risks related to the incident;
  • reasons for any delay in notification; and
  • measures taken or planned to mitigate or reverse the damage.

Reporting Deadlines

Reporting deadlines vary, as follows:

  • to ANPD – within three business days of becoming aware of the incident;
  • to data subjects – also within three business days of awareness; and
  • supplementary notification – additional details may be submitted to ANPD within 20 business days of the initial report.

Recordkeeping

Data controllers must maintain records of all data breaches for at least five years, including incidents that were not reported to ANPD or data subjects.

Breach Notifications Co-Ordinated With Cloud Service Providers

Since cloud service providers usually act as data processors or sub-processors, while the notification duty under Article 48 rests with the controller, co-ordination depends on clearly defined contractual responsibilities and internal notification obligations running from the provider to the controller (and between processors and sub-processors). These should include a duty to notify the relevant processing agent of any security incident promptly, within a timeframe short enough for the controller to meet its own three-business-day deadline, and to preserve and share the supporting evidence (logs, affected data sets, incident timeline) that the controller needs for the notification and for its own incident records.

International Data Transfers in Cloud Computing

Cloud computing often involves the storage and processing of personal data across borders. In Brazil, international data transfers are regulated by the LGPD, which establishes specific mechanisms to ensure that personal data remains protected when transferred outside the national jurisdiction, including the following (Article 33).

  • Transfers to countries or international organisations that provide a level of personal data protection deemed adequate by ANPD. No country has yet been officially recognised as adequate.
  • When the data controller demonstrates compliance with LGPD principles and data subject rights through mechanisms such as specific contractual clauses for the transfer, standard contractual clauses (SCCs) approved by ANPD, global corporate rules (BCRs), regularly issued seal certificates, or codes of conduct approved by ANPD.
  • Transfers required for international legal co-operation between public intelligence, investigation or prosecution authorities, in accordance with international legal instruments.
  • Transfers necessary to protect the life or physical integrity of the data subject or a third party.
  • Transfers that are expressly authorised by ANPD in specific cases.
  • Transfers made under commitments established in international co-operation agreements.
  • Transfers required for the execution of public policy or the legal duties of public services.
  • When the data subject provides specific, highlighted and informed consent for the international transfer, separate from other purposes.
  • Transfers necessary to fulfil the legal bases outlined in items II (compliance with legal obligation), V (contractual necessity) and VI (exercise of rights) of Article 7 of the LGPD.

ANPD Regulatory Guidance

Resolution CD/ANPD No 19/2024 approved the Regulation on International Data Transfers and the content of Brazilian SCCs. It establishes rules for transfers to countries with adequate protection (as recognised by ANPD) or when companies use contractual clauses or global corporate rules to comply with the LGPD.

No countries have yet been granted adequacy status, although an adequacy decision involving the EU is expected to happen in the future. In the meantime, companies must rely on alternative mechanisms under the LGPD, such as:

  • ANPD-approved SCCs – these clauses must be adopted in full, without changes, and incorporated into contracts;
  • equivalent SCCs – ANPD may recognise SCCs from other countries as being equivalent;
  • specific contractual clauses – companies can request ANPD to approve tailored clauses for transfers when standard ones are not feasible; and
  • global corporate rules – these are binding mechanisms for international data transfers between entities within the same group or corporate conglomerate.

Data Protection in International Transfer Agreements

ANPD-approved SCCs, in particular, serve as a contractual foundation for safeguarding personal data during international data transfers. These clauses include:

  • security measures – obligations to implement appropriate technical and organisational safeguards;
  • obligations of the parties – a definition of responsibilities for both the data exporter and data importer;
  • purpose limitation – restrictions on the use of data strictly for the purposes defined in the agreement;
  • data subject rights – provisions to uphold rights such as access, correction, deletion and portability;
  • transparency – requirements to inform data subjects about the transfer;
  • onward transfers – restrictions and conditions for any subsequent transfers to third parties;
  • access requests from authorities – procedures for handling requests from foreign public authorities;
  • liability and accountability – allocation of responsibility for damages and breaches; and
  • jurisdiction and enforcement – clauses ensuring the enforceability of rights and remedies across borders.

Brazil does not currently impose a general data localisation requirement mandating that personal data be stored or processed exclusively within national territory.

Sector-Specific Localisation Rules

Public sector

While there is no general localisation mandate, specific regulations apply to cloud computing services involving the federal government. These rules govern the processing and storage of governmental workloads, including data, metadata, information and knowledge produced or held by federal entities and transferred to cloud service providers.

The key regulations are:

  • Normative Ruling No 5/2021 (Institutional Security Office – GSI), which establishes cybersecurity and data protection requirements for federal government workloads; and
  • Ordinance No 5,950/2023 (Ministry of Management and Innovation), which defines the mandatory contracting model for cloud services used by federal entities.

These regulations apply exclusively to federal public administration bodies and do not extend to state or municipal governments.

Under these rules, data and systems are categorised with corresponding hosting obligations:

  • unrestricted information may be processed and stored in any cloud environment;
  • restricted information, personal data and preparatory documents must be processed in government cloud environments;
  • structuring systems supporting core administrative functions (HR, budgeting, accounting) may be hosted in government clouds, private clouds or community clouds (restricted to government infrastructure); and
  • classified information (reserved, secret, top-secret) cannot be processed in any cloud environment under any circumstances.

For categories of data that can be processed in the cloud, federal regulations impose the following conditions:

  • data must be stored in data centres located within Brazilian territory;
  • processing abroad is allowed only if an up-to-date back-up of the data is maintained in Brazil; and
  • cloud service providers must operate at least two data centres in Brazil, offering standardised and automated services.

Financial sector

Financial institutions must define where cloud services and data processing will occur and verify whether the Central Bank (BCB) has an information-sharing agreement with the relevant authority of the other country; otherwise, prior BCB authorisation is required before engaging the cloud service provider.

Private insurance sector

Insurance companies must notify SUSEP within 30 days of executing a cloud computing contract, providing details of the services and specifying the countries or regions where they will be delivered and where data may be stored or processed.

Betting sector

For betting operators, systems and data may be hosted abroad only if strict conditions are met, including international legal co-operation agreements with Brazil, prior consent from data subjects, access to the systems for the Secretariat of Prizes and Betting (SPA), data replication in Brazil, and a business continuity plan.

In the context of international data transfers regulated by Brazil’s LGPD, conflicts of law are generally addressed through ANPD-approved SCCs. Key provisions are as follows.

  • Precedence of core clauses – ANPD-approved SCCs take precedence over additional clauses or linked contracts in case of interpretative conflict.
  • Interpretation favouring data subjects – clauses must be interpreted in a manner that favours the data subject and aligns with Brazilian legislation. In case of ambiguity, the interpretation most consistent with national law prevails.
  • Jurisdiction and applicable law – transfers governed by ANPD-approved SCCs are subject to Brazilian law and oversight by ANPD. This includes the authority to impose preventative measures or administrative sanctions, and even to suspend or prohibit transfers.
  • Non-exclusion of liability – no provision may be interpreted to limit or exclude the liability of either party regarding obligations under Brazilian law.
  • Dispute resolution – legal disputes must be resolved in Brazilian courts, including courts located in the data subject’s place of residence. Arbitration is permitted if agreed upon but must be conducted in Brazil under the national Arbitration Law.

When global corporate rules are used, a Brazilian-based entity must be designated as responsible for compliance and liable for violations, even if the breach originates from a foreign affiliate.

Compliance Audits in Cloud Environments in Brazil

In Brazil, compliance audits in cloud environments are governed by a combination of legal, regulatory and contractual requirements. The nature of these obligations depends on the sector, such as finance, private insurance and telecommunications.

In the non-regulated private sector, audit requirements are mainly contractual, although they are still anchored in general legal duties under the LGPD. The LGPD establishes the principle of accountability, requiring organisations to adopt appropriate security measures and to demonstrate compliance, often through periodic internal or third-party audits assessing data protection.

Audit Focus Areas, Trails and Logs

Compliance audits in cloud environments generally focus on information and cybersecurity management, data governance, access control, business continuity and third-party compliance.

Audit trails and logs are central to accountability: organisations typically maintain event and incident logs so that actions on personal data can be traced to an actor and a point in time. In addition, the LGPD requires data processing agents to keep records of their processing activities and to document any data breaches.

Integrity and Independence

To guarantee the integrity and accuracy of audit reports, Brazilian practices emphasise the segregation of duties, restricted access to audit data, and mechanisms that preserve log integrity. Independent auditors – either internal or external – are responsible for verifying compliance and generating trustworthy reports.
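The "mechanisms that preserve log integrity" referred to above are, in engineering terms, tamper-evident logs: each record is bound to the one before it, so an auditor can detect edits, deletions and reordering rather than take the log on trust. The following Python is an added illustration, not code from the original guide or from any Brazilian regulator; the HMAC key, the sample cloud events and the function names are constructed for the example. Every record carries an HMAC over its own content and the previous record's tag, and `verify_chain` recomputes the chain from the start. The last scenario shows the caveat a practitioner should know: silent truncation of the tail is invisible to the chain alone and is only caught when the latest tag is anchored somewhere the log writer cannot reach (for instance, periodically handed to the independent auditor).

```python
"""Tamper-evident audit trail (added example, not the guide's own material).

Each record's tag is an HMAC over (seq, prev_tag, event). Modifying, deleting or
reordering any record breaks verification at or before that record.
"""
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed demo key. In practice the key is held by the audit function (or a
# KMS/HSM), not by the systems that write the log, so a compromised log writer
# cannot re-sign a rewritten history. This supports the segregation of duties
# and restricted access to audit data described in the text.
AUDIT_KEY = b"constructed-demo-key-do-not-use-in-production"
GENESIS_TAG = "0" * 64  # chain anchor for the first record

Entry = Dict[str, Any]


def _canonical(obj: Any) -> bytes:
    """Deterministic JSON so the same record always hashes to the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(seq: int, prev: str, event: Dict[str, Any]) -> str:
    body = {"seq": seq, "prev": prev, "event": event}
    return hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()


def append_record(chain: List[Entry], event: Dict[str, Any]) -> Entry:
    """Append an event; its tag binds it to everything recorded before it."""
    seq = len(chain)
    prev = chain[-1]["tag"] if chain else GENESIS_TAG
    entry = {"seq": seq, "prev": prev, "event": event, "tag": _tag(seq, prev, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Entry],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq).

    expected_head is the latest tag as recorded out of band by the auditor; without
    it, dropping records from the end of the log cannot be detected.
    """
    prev = GENESIS_TAG
    for i, entry in enumerate(chain):
        try:
            ok = (entry["seq"] == i and entry["prev"] == prev
                  and hmac.compare_digest(_tag(entry["seq"], entry["prev"], entry["event"]),
                                          entry["tag"]))
        except (KeyError, TypeError):
            ok = False  # malformed record counts as tampering
        if not ok:
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)  # chain is internally consistent but shorter than anchored
    return True, None


# Constructed sample events of the kind a cloud audit trail would hold.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T10:00:00Z", "actor": "svc-backup", "action": "object.read",
     "target": "bucket/hr-export.csv"},
    {"ts": "2025-03-01T10:05:00Z", "actor": "alice", "action": "iam.policy.update",
     "target": "role/admin"},
    {"ts": "2025-03-01T10:07:00Z", "actor": "alice", "action": "object.delete",
     "target": "bucket/hr-export.csv"},
]


def build_sample_chain() -> List[Entry]:
    chain: List[Entry] = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, ev)
    return chain


def tamper_scenarios() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Verify an intact chain and four tampered copies of it."""
    intact = build_sample_chain()
    head = intact[-1]["tag"]  # what the auditor keeps out of band

    edited = copy.deepcopy(intact)
    edited[1]["event"]["actor"] = "bob"  # rewrite who changed the admin policy

    deleted = copy.deepcopy(intact)
    del deleted[1]  # drop the policy change entirely

    truncated = copy.deepcopy(intact)[:-1]  # silently lose the deletion record

    return {
        "intact": verify_chain(intact, head),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_unanchored": verify_chain(truncated),
        "truncated_anchored": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:22s} ok={result[0]} first_bad_seq={result[1]}")
```

The edited and deleted cases fail at record 1, where the chain first diverges from what was signed. The unanchored truncation verifies cleanly, which is exactly why audit programmes pair hash chaining with an external anchor (WORM storage, a periodically published head tag, or a copy held by the independent auditor) rather than trusting the log's own self-consistency.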

Audit Findings

Audit findings in Brazil are treated as part of an organisation’s broader governance and compliance process. They are used to record non-conformities, assign accountability and implement corrective actions within defined timelines.

Enforcement

Penalties for non-compliance may vary depending on the regulatory framework of each sector.

In the non-regulated private sector, audit obligations are primarily contractual, meaning that consequences such as contract termination are enforced through the terms of the agreement rather than by statute.
