Moral Damages Compensation Arising from Data Breach in a Data Processor Environment

A recent decision by the Civil Small Claims Court of the Court of Justice of Minas Gerais reinforces a central principle of Brazil’s General Data Protection Law (LGPD): joint and several liability between the Controller and the Processor.

In the case at hand, the claimant filed a lawsuit against XP Investimentos and the Rico brand seeking moral damages due to unauthorized access to his personal data. Although the defendants argued that the incident occurred within the environment of an external service provider, the court made it clear that this circumstance does not exempt the controller from liability.

The decision was grounded in Article 42, §1 of the LGPD, which establishes joint liability between controller and processor for the processing of personal data. According to the court’s reasoning, it is the controller’s duty to ensure the security of the entrusted data, even when processing activities are carried out by third parties.

Additionally, the ruling emphasized non-compliance with the deadline set forth in ANPD Resolution CD No. 15 for notifying the data subject of a security incident, which establishes a three-business-day period. The incident became known on March 22 and was only communicated on April 24, which the court considered an unjustified delay.

The defendants were ordered to pay BRL 2,000 in moral damages. Although the decision may still be appealed, there are similar precedents that have already become final and binding.

What this decision signals to the market

Case law is moving toward requiring a proactive and preventive stance from controllers, particularly in managing their processors.

The argument that the breach occurred within an external vendor’s environment has not been sufficient to avoid liability.

The decision also reinforces the importance of strict compliance with notification deadlines to both data subjects and the ANPD, even while investigations are ongoing.

The absence of a structured incident response plan increases the risk of litigation and amplifies reputational and financial exposure.

Risks and implications for companies

Companies lacking a structured vendor management process may assume significant legal risks.

The absence of prior due diligence when hiring processors may weaken the defense in potential litigation.

Failure to comply with regulatory deadlines may be interpreted as a deficiency in service provision.

Lack of clear and timely communication with the data subject may aggravate the moral damages recognized by the courts.

Joint liability imposes on the controller a continuous duty of oversight.

Strategic recommendations

Controllers should implement a formal maturity assessment process for processors prior to engagement.

Approved vendors must be periodically reassessed from an information security and data governance perspective.

It is essential to maintain a structured incident response plan, including:

  • Clear communication workflows
  • Defined roles and responsibilities
  • Strict deadline control mechanisms

Notification to the data subject must occur within the regulatory deadline, even if investigations are still underway, with the possibility of later supplementation.

Incident notices should include clear information, contact channels, and details of mitigation measures adopted.

Structured prevention reduces legal exposure and strengthens the organization’s defensive position.

Institutional perspective

This decision reinforces a consolidated trend: the LGPD does not differentiate liability when damage arises from a third-party environment. The duty of security remains with the controller.

Processor management is no longer merely contractual — it is a core element of governance.

PDK Advogados closely monitors judicial developments in data protection and digital civil liability, analyzing their impacts on compliance, corporate contracts, and privacy program structuring. Through our website and institutional channels, we regularly publish technical analyses of relevant decisions and regulatory trends affecting businesses.