A Practice Note providing a high-level overview of key records retention requirements relating to personal data in Brazil. It addresses governing laws, authority guidance, and sectorspecific requirements. This Practice Note does not address every records retention obligation under Brazilian laws.
Organizations operating globally must understand that some countries may have laws requiring them to retain records containing personal data for a certain amount of time. In many cases, a records retention law will either:
- Specify the minimum length of time organizations must keep records containing personal data.
- Require organizations to dispose of records containing personal data within a certain timeframe.
Exact retention requirements may vary depending on the sector being regulated. When a single document or dataset is required by different regulatory authorities with varying retention periods, the longest period provided by law should be observed to ensure full compliance with all legal and regulatory obligations. This Note discusses key records retention laws in Brazil, including:
- Brazil’s comprehensive data protection law, the General Data Protection Law (in Portuguese) (LGPD).
- Any sector-specific laws that regulate an organization’s retention of records containing personal data.
For more information on global records retention laws, see Global Records Retention Laws Toolkit.
Data Protection Law and Authority Guidance
Data Protection Law on Retention of Records Containing Personal Data
The LGPD establishes guiding principles for controllers processing personal data, including conditions for deletion after the end of processing. Although it does not define specific retention periods, personal data must be retained solely for a duration that is appropriate, necessary, and limited to the specified purposes (Article 6(I) to (III), LGPD).
Under the LGPD, controllers and processors must delete personal data within the technical limits of the processing activities once processing has ended, except when retention is necessary:
- To comply with a legal or regulatory obligation of the controller.
- For studies by research bodies, whenever possible ensuring the anonymization of personal data.
- For transfer to a third party, if the data processing requirements established by law are observed.
- For the exclusive use of the controller, if access by third parties is prohibited and the data is anonymized.
When processing the personal data of children and adolescents, it is essential to observe specific and more stringent rules (Article 14, LGPD). Controllers and processors must delete this data once the purpose is achieved, especially when processing based on consent, unless there is an express legal basis that allows for longer retention (Article 15(I), LGPD).
Mandatory Disclosure of Records Retention Periods to Data Subjects
The LGPD does not require controllers to provide data subjects with a privacy notice. Data subjects have the right to access information about the processing of their personal data, which controllers must provide in a clear, appropriate, and prominent manner (Article 9(II), LGPD).
After receiving a request, a data controller must inform the data subject of how long personal data will be retained, or at least, the criteria used to determine that period (Article 9(II), LGPD). When it is not possible to specify an exact duration, the controller should explain the criteria justifying the retention. The principle of transparency guarantees data subjects clear, precise, and easily accessible information regarding the processing activities and the data processing agents (Article 6(VI), LGPD).
Retention of Personal Data in Employee Records
The following categories of employee personal data are subject to retention under specific laws:
- Registration data, including full name, identification, tax ID (CPF), date of birth, marital status, address, phone, email, parents’ names, work card, professional history, diplomas, certificates, and various clearances, must be retained for five years and are generally processed based on the execution of an employment contract. In some cases, the retention period may change because the employer has a legitimate interest, such as for internal communication or marketing purposes. (Article 7(XXIX), Federal Constitution Code; Article 11, Brazilian Labor Code (Decree-Law no. 5,452/1943) (in Portuguese).)
- Payroll and income tax data (pay stubs, salary and benefit payments, vacation, and 13th salary (a type of bonus paid in Brazil)) must be retained for five years (Article 150 §4, National Tax Code (Law no. 5,172/1966) (in Portuguese)).
- Social Security Employment Profiles (PPP) must include information on working conditions and social security eligibility and must be retained for 20 years (Article 178 §11, INSS Normative Instruction no. 11/2006 (in Portuguese)).
- Generally, Severance Indemnity Fund for Employees (FGTS) records must be retained for five years (Article 23-A § 3, Law no. 8,036/1990 (in Portuguese); Precedent (Súmula) no. 362 of the Superior Labor Court). However, records for which the retention period began before 13 November 2014 may be subject to a different retention period.
- Employee social contribution programs (PIS-PASEP) must be retained for ten years for compliance and audit purposes (Articles 3 and 10, Decree-Law no. 2,052/1983 (in Portuguese)).
- Occupational health and medical records, including medical reports, discharge notes, and occupational health certificates (ASO) regarding admission, dismissal, periodic, return to work, or job change, as part of the Occupational Health Medical Control Program (PCMSO) must be retained for 20 years to ensure compliance with labor and occupational safety regulations (PCMSO, Regulatory Norm 07 (in Portuguese) (NR-07)).
Retention of Personal Data in Customer Records
The following categories of customer records are subject to retention under specific laws:
- Contracts executed with clients and suppliers must be retained for ten years. This obligation applies to all civil contracts, calculated from contract termination or rescission. (Article 205, Brazilian Civil Code (in Portuguese).)
- Registration data (name, national ID, tax ID (CPF), date of birth, marital status, address, phone number, and email) must be retained for five years if the client qualifies as a consumer under Brazilian law (Article 27, Consumer Protection Code (in Portuguese)).
- Payment-related data (payment method, billing address, and payment receipts) must be retained for five years due to the possibility of consumer claims and tax audits (Article 27, Consumer Protection Code; Article 150 §4, National Tax Code).
- Legal representatives of suppliers and service providers, individual contractors and outsourced workers must retain data of legal representatives (name, national ID, CPF, date of birth, marital status, address, phone, and email) for five years (Article 206 §5(I), Brazilian Civil Code).
Retention of Personal Data Under Corporate Laws
The following categories of personal data are subject to records retention requirements under corporate law:
- Shareholder and partner records (name, tax ID (CPF), address, and ownership participation) must be retained indefinitely for corporate governance, historical tracking of ownership, and rights verification (Article 177, Corporations Law (in Portuguese)).
- Corporate books (shareholder register, meeting attendance books, and shareholder and board meeting minutes) must be retained indefinitely to ensure legal compliance and accessibility to shareholders and authorities (Article 177, Corporations Law).
- Non-disclosure agreements (NDAs) signed with employees or third parties (natural persons) must be retained for ten years, which is the general statute of limitations for civil obligations. Similarly, contracts with clients and suppliers (general civil obligations) must be retained for ten years from the end of the contract’s term or its termination date. Powers of attorney granted to company representatives must also be retained for ten years for future legal claims or liability assessments. (Article 205, Brazilian Civil Code.)
- Registration documents submitted to regulatory bodies such as the Brazilian Securities and Exchange Commission (CVM), commercial boards, and the Brazilian Federal Tax Service (RFB) must be retained for five years when kept for tax purposes or ten years when kept for civil purposes. Retention supports tax compliance and contractual or regulatory defense. (Article 150 §4, National Tax Code; Article 205, Brazilian Civil Code.)
Retention of Personal Data Under Finance Laws
The following categories of personal financial information are subject to retention requirements under specific laws:
- Client payment data (bank account, billing address, and proof of payment or bank transfer) must be retained for five years, or for three years if the client does not qualify as a consumer under Brazilian law (Article 27, Consumer Protection Code; Article 206, paragraph 3(V), Brazilian Civil Code).
- Supplier payment data (bank account, billing address, and proof of payment or bank transfer) must be retained for five years. This requirement applies to the personal data of legal representatives and service providers who sign contracts, as well as individual service providers and outsourced workers. (Article 206, paragraph 5(I), Brazilian Civil Code.)
- Employee financial data (bank account, billing address, and proof of payment or bank transfer) must be retained for five years, including records covering the last two years of employment (Article 7(XXIX), Federal Constitution; Article 11, Brazilian Labor Code).
- Records of accounts payable and receivable (account books; loan, expense, and collection records; taxrelated receipts and compliance records; tax payment records; bank statements and reconciliations; annual plans and budgets; external and internal audit reports; and discount authorizations) must be retained for five years (Articles 173 and 174, National Tax Code; Article 206, paragraph 5(1), Civil Code; Article 7(XXIX), Federal Constitution).
- Trial balances, bank reconciliations, and tax payment slips for federal and state authorities must be retained for five years (Articles 174 and 195, National Tax Code).
- Tax slips for federal social contributions (PIS/ COFINS), corporate income tax returns, service invoices, and management remuneration receipts must be retained for ten years (Article 46, Law no. 8,212/1991; Article 225, paragraph 5, Decree no. 3,048/1999 (both in Portuguese)).
Retention of Personal Data Under Healthcare Laws
The following categories of records containing personal health data must be retained for specific periods under Brazilian law:
- Employee medical and health data as part of the Occupational Health Medical Control Program (PCMSO) must be retained for 20 years (PCMSO Regulatory Norm 07 (in Portuguese)).
- Employee medical certificates must be retained for ten years (Article 46, Law no. 8,212/1991; Article 225, paragraph 5, Decree no. 3,048/1999).Patient health data (health information, medical test history, medical requests, usage reports, clinical history, and medical reports) must be retained for 20 years (Article 6, Law no. 13,787/2018 (in Portuguese)). According to the National Supplementary Health Agency, this includes health data processed in medical board procedures (Normative Resolution 424/2017 (in Portuguese)).
Retention of Personal Data Under Insurance Laws
The following categories of insurance records containing personal data are subject to retention requirements under specific laws:
- Registration data (full name, identity document, date of birth, address, parents’ names, phone, email, and place of birth) must be retained for five years (Article 27, Consumer Protection Code; Article 10, paragraph 2, Law no. 9,613/1998; Articles 2 and 3, Superintendence of Private Insurance (SUSEP) Circular 605/2020 (both in Portuguese)).Employee insurance policies must be retained for one year (Articles 206 and 1,194, Brazilian Civil Code).
- Insurance operation documents must be retained for at least five years from the latest of the following: the contract expiration date, the termination of related obligations, or the effective date of SUSEP Circular 605/2020 (1 July 2020) (Articles 2 and 3, SUSEP Circular 605/2020).
- Miscellaneous insurance-related information (marriage or death certificates, tax forms, income tax statements, insured property documents, proof of residence, police reports, payslips, phone call recordings, and payment history) must be retained for five years (Articles 2 and 3, SUSEP Circular 605/2020).
Other Applicable Laws
Other data retention laws may apply in Brazil depending on the particularities of the organization’s business model, the data processing flows, and the purposes associated with the personal data that justify processing.
The Civil Rights Framework for the Internet (in Portuguese) (Internet Civil Rights Framework) requires internet connection providers to retain connection logs for one year. Covered internet application providers must retain access logs to their applications for six months. (Articles 15 and 16, Internet Civil Rights Framework.)
Other sector-specific laws and regulations include:
- National Supplementary Health Agency regulations, which establish retention periods for documents related to health plans.
- Health Regulatory Agency (ANVISA) regulations, which govern the retention periods of medical records and sanitary documentation.
- Central Bank (BACEN) and National Monetary Council (CMN) regulations, which impose recordkeeping obligations for financial and banking records.
- Supplementary labor and social security legislation.
Companies should maintain an up-to-date document inventory and review it regularly to ensure compliance with the LGPD and other applicable legal and regulatory requirements, including any future amendments. This practice is particularly important for assessing exceptional situations, such as administrative proceedings, lawsuits, or labor claims, where retention periods may need to be extended until the relevant administrative or judicial authority issues a final decision.
Source:
Reproduced from Practical Law with the permission of the publishers. For further information, visit practicallaw.com.