By Patrick Hill


Published 30 June 2023


In Brazil, the topic of privacy and data protection continues to be the subject of much debate. The Brazilian General Data Protection Law (LGPD), similar to the GDPR, celebrates its own fifth anniversary this year, with approval being received in August 2018 and subsequent entry into force in September 2020.

One of the key issues around the interpretation of the LGPD relates to the term 'sensitive personal data'. This is defined within the LGPD as personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person[1].

Since the introduction of the LGPD, questions have been asked whether it was intended that the definition of 'sensitive personal data' be applied as an exhaustive list, or as a standard from which other types of personal data might be considered 'sensitive'.

A recent appeal decision handed down in March 2023 by the Second Chamber of the Superior Court of Justice (STJ) has provided some clarity on that debate.

The STJ unanimously overturned the judgment of the Court of Justice of São Paulo (TJSP), which had awarded R$5,000 following a claim for moral damages. The claimant had sought compensation for moral damages following the leak of personal data including her name, General Register of Natural Person (CPF), Identity Document (RG), gender, date of birth, age, landline and cell phone numbers, estimated light consumption, type of installation, and address. It was alleged that the access of this information by third parties had generated a risk of fraud and harassment to the claimant.

Overturning the decision of the TJSP, the STJ held that the data in question, whilst personal, was not intimate. The data was only capable of identifying the person, was information capable of being found on websites, and therefore, did not fall within the definition of 'sensitive personal data'. The claimant was not entitled to any compensation.

The recognition of the exhaustive nature of the definition of 'sensitive personal data' by the STJ provides legal certainty that the definition will not be subject to alternative interpretations by the lower courts.

This decision is relevant for the various data processing agents, including the insurance and reinsurance sector that process personal data for the purpose of obtaining metrics, using artificial intelligence as a resource. It is not uncommon that, in these cases, a discussion arises about the category of personal data processed and its respective legal basis, for the purposes of the LGPD.

The precedent is also relevant for cyber risk insurers and reinsurers, considering that compensation awards for the leak of sensitive data may be substantially higher, affecting third party coverage.



[1] Law 13709, article 5, item II.


Marcia Cicarelli

Partner in the areas of Insurance, Reinsurance, Private Pension and Supplementary Health at Demarest

Tatiana Campello

Partner in the areas of Intellectual Property, Innovation and Technology and Data Privacy and Cybersecurity at Demarest

Cecília Cunha 

Associate in the areas of Intellectual Property, Innovation and Technology and Data Privacy and Cybersecurity at Demarest