Recently, on December 9, the Brazilian Data Protection Authority (“Brazilian DPA” or “ANPD”) approved its Regulatory Agenda for the 2025-2026 biennium, establishing the priority topics to be addressed by the ANPD during this period.
In the new Regulatory Agenda, the Brazilian DPA maintained its operations divided into four phases. Phase 1 will continue the items initiated during the 2023-2024 Regulatory Agenda that have not yet been completed, such as regulations on data subjects’ rights, high-risk processing, security measures, and the Data Protection Impact Assessment (DPIA).
The items in Phase 2 must have their regulations initiated within one year, with notable topics including rules on best practices and governance, as well as sensitive health data.
In Phases 3 and 4, the topics whose regulatory development will start within 18 or 24 months, respectively, will be addressed. These phases include only one item each: the regulation on the use of the legal basis of consent in Phase 3 and the legal basis for credit protection in Phase 4.
Our team is at your disposal for further clarifications, as well as to provide assistance with the procedures for fulfilling LGPD and/or ANPD regulatory obligations.
Gustavo Flausino Coelho – gustavo@bastilhocoelho.com.br
Fernando Naegele – fernando@bastilhocoelho.com.br