Data Privacy for Developers
Checklist and best practices for handling personal data in systems and pipelines across Patria’s operating regions: Brazil, Europe, the United States, and Latin America.
Applicable Regulations by Region
Patria operates across multiple jurisdictions, each with its own privacy framework. Understanding which regulations apply is the first step before designing any system that processes personal data.
| Region | Regulation | Enforcement Body | Patria Operations |
|---|---|---|---|
| Brazil | LGPD (Lei 13.709/2018) | ANPD | Fund administration, investor data |
| European Union / EEA | GDPR (Regulation 2016/679) | Local DPA (e.g. CNIL, BaFin, ICO) | European investors, fund distribution |
| United Kingdom | UK GDPR + Data Protection Act 2018 | ICO | UK investors |
| United States (California) | CCPA / CPRA | California AG / CPPA | CA-resident investors |
| United States (other states) | VCDPA, CPA, CTDPA, and others | State AGs | Investors in VA, CO, CT, etc. |
| Argentina | Ley 25.326 (PDPA) | AAIP | Local operations, investor data |
| Colombia | Ley 1581/2012 + Decree 1377/2013 | SIC | Local operations |
| Mexico | LFPDPPP (2010) | INAI | Local operations |
| Chile | Ley 21.719 (2024, GDPR-inspired) | CPDT | Local operations |
| Peru | Ley 29733 | ANPD Peru | Local operations |
| Uruguay | Ley 18.331 | URCDP | Local operations |
Tip: When in doubt: if data about individuals in any of these countries is collected, stored, or processed — even if the system runs in Brazil — the corresponding regulation likely applies. Consult the DPO before proceeding.
Common Principles Across All Regulations
Despite their differences, all major privacy laws share the same foundational principles. These apply globally:
| Principle | What it means in practice |
|---|---|
| Lawfulness / Legal basis | You must have a valid reason to process personal data (consent, contract, legal obligation, legitimate interest, etc.) |
| Purpose limitation | Data collected for one purpose cannot be reused for another without a new legal basis |
| Data minimization | Collect only what is strictly necessary — if a field isn’t used, don’t collect it |
| Accuracy | Keep data up to date; implement correction mechanisms |
| Storage limitation | Define retention periods; delete or anonymize data when the purpose ends |
| Security | Apply technical and organizational measures proportional to the risk |
| Accountability | Be able to demonstrate compliance (documentation, logs, policies) |
Regulation Quick Reference
LGPD (Brazil)
- 10 legal bases for processing, including consent, legitimate interest, contract, and legal obligation.
- Sensitive data (health, biometrics, racial origin, political opinions, religion, sexual orientation) requires specific legal basis and DPO approval.
- Data subject rights: access, correction, anonymization/deletion, portability, revocation of consent, information about sharing.
- Breach notification: ANPD and affected data subjects must be notified within a reasonable timeframe (generally interpreted as 72 hours for high-risk breaches).
- International transfers: allowed to countries with adequate protection, or via contractual clauses / BCRs.
GDPR (EU / EEA / UK)
- 6 legal bases: consent, contract, legal obligation, vital interests, public task, legitimate interests.
- Data subject rights: access, rectification, erasure (“right to be forgotten”), restriction, portability, objection, rights related to automated decision-making.
- DPIA (Data Protection Impact Assessment): mandatory before implementing high-risk processing (profiling, large-scale sensitive data, systematic monitoring).
- Records of Processing Activities (RoPA): must document all processing activities — purpose, legal basis, data categories, retention, and transfers.
- Breach notification: 72 hours to the relevant DPA; data subjects notified when risk is high.
- International transfers: require adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs). Brazil has adequacy recognition from the EU.
CCPA / CPRA (California, USA)
- Opt-out model: no legal basis required to collect data, but consumers have the right to opt out of the sale/sharing of their personal information.
- Consumer rights: know what is collected, delete, opt out of sale/sharing, correct, limit use of sensitive PI, non-discrimination.
- Sensitive personal information (SSN, financial account details, precise geolocation, health, sexual orientation, etc.) has stricter requirements.
- Privacy notice: must disclose what data is collected, for what purpose, and how to exercise rights.
- No “sale” of data: if Patria shares data with third parties for cross-context advertising, opt-out mechanisms are required.
Other US State Laws (VCDPA, CPA, CTDPA, etc.)
- Generally similar to CCPA/CPRA with minor variations in thresholds and rights.
- Universal opt-out mechanisms (e.g. Global Privacy Control) must be honored in some states.
- Financial data may also be subject to SEC regulations and Gramm-Leach-Bliley Act (GLBA) — consult Legal/Compliance for investment-related systems.
Latin America
| Country | Key Requirement | Notable difference from LGPD |
|---|---|---|
| Argentina | Prior registration with AAIP for databases with personal data | Stricter consent requirements; cross-border transfer restrictions |
| Colombia | “Authorization” (consent) required for most processing; database registration with SIC | ARCO+ rights (Access, Rectify, Cancel, Oppose) |
| Mexico | Privacy notice (Aviso de Privacidad) mandatory before collection | ARCO rights; 17-day response window for data subject requests |
| Chile | New Ley 21.719 (2024) is GDPR-inspired; DPIA required for high-risk | Introduces data protection officer requirement for some controllers |
| Peru | Registration of databases with ANPD Peru | Consent is the primary legal basis |
| Uruguay | Adequacy recognized by EU; very similar to GDPR | Relatively mature framework |
Before Starting a New System or Pipeline
Run through this checklist regardless of which regulation applies — these questions are universal:
- Does the system/pipeline process personal data? (name, tax ID, email, address, financial data, behavioral data)
- Which countries’ residents’ data will be processed? → determines which regulations apply
- What is the purpose of the processing, and what is the legal basis in each jurisdiction?
- Is the data necessary? (data minimization — if not used, don’t collect it)
- What is the retention period? Is data automatically deleted or anonymized after that period?
- Who needs access? (principle of least privilege)
- Are there third-party data transfers? (vendors, cloud providers, partners) — do they have Data Processing Agreements (DPAs) in place?
- Does this processing require a DPIA (high-risk: profiling, large-scale sensitive data, biometrics)?
- Is the processing documented in the Records of Processing Activities (RoPA)?
Personal Data Reference Table
| Data | Classification | Regulations with special treatment | Care |
|---|---|---|---|
| Tax ID (CPF/CNPJ, SSN, RFC, CUIL) | Restricted | All | Mask in logs and non-prod environments |
| Full name | Confidential | All | Do not expose in logs |
| Email address (personal) | Internal | All | Normal use; purpose limitation applies |
| Phone number | Confidential | All | Do not expose in logs |
| Home address / geolocation | Restricted | All | Minimize collection; CCPA/CPRA: geolocation is sensitive PI |
| Individual financial data | Restricted | All | Restricted access, access log mandatory |
| Health / biometric data | Sensitive | LGPD Art. 11, GDPR Art. 9, CCPA sensitive PI | DPO approval mandatory; explicit consent or legal obligation required |
| Racial / ethnic origin | Sensitive | LGPD Art. 11, GDPR Art. 9 | DPO approval mandatory |
| Sexual orientation | Sensitive | LGPD Art. 11, GDPR Art. 9, CCPA sensitive PI | DPO approval mandatory |
| Behavioral / profiling data | Confidential | GDPR (automated decisions), CCPA | Opt-out rights may apply; document profiling logic |
| Children’s data | Sensitive | LGPD Art. 14, GDPR Art. 8, COPPA (US) | Parental consent required; avoid collecting when possible |
Development Best Practices
Masking sensitive data in logs
```python
import logging

logger = logging.getLogger(__name__)

# ✅ Mask tax ID / document numbers in logs
tax_id = "123.456.789-00"
masked = f"***.***.{tax_id[-6:]}"  # ***.***.789-00
logger.info(f"Processing document: {masked}")

# ❌ NEVER log raw personal data
logger.info(f"Processing document: {tax_id}")

# ✅ Mask email addresses
email = "investor@example.com"
local, domain = email.split("@")
masked_email = f"{local[:2]}***@{domain}"  # in***@example.com
logger.info(f"Sending notification to: {masked_email}")
```

Non-production environments
- Never use real personal data in dev, staging, or QA — use synthetic or anonymized datasets.
- Tools for generating synthetic data: Faker (Python), factory_boy, or a data anonymization pipeline.
- If a production data extract is needed for debugging, it must be anonymized before copying — get DPO approval first.
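Per-call masking as in the snippets above only works if every call site remembers it. As an added example (not code from the original guide), the filter below redacts tax IDs and e-mail addresses from every log record centrally; the ID formats covered, the pattern list and the sample values are assumptions.

```python
# Added example (not part of the original guide): a logging.Filter that
# redacts tax IDs and e-mail addresses from every record, so masking does
# not depend on each call site remembering to do it. The ID formats covered
# and the sample message are assumptions.
import logging
import re

# Brazilian CPF (123.456.789-00 / 12345678900), CNPJ (12.345.678/0001-90)
# and US SSN (123-45-6789), formatted or unformatted.
TAX_ID_PATTERNS = [
    re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b"),         # CPF
    re.compile(r"\b\d{2}\.?\d{3}\.?\d{3}/?\d{4}-?\d{2}\b"),  # CNPJ
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                     # SSN
]
EMAIL_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def _mask_tax_id(match: re.Match) -> str:
    # Keep only the last two characters so a record can still be correlated
    # during support work; the identifying digits never reach the log.
    value = match.group(0)
    return "*" * (len(value) - 2) + value[-2:]

def _mask_email(match: re.Match) -> str:
    local, domain = match.group(0).split("@", 1)
    return f"{local[:2]}***@{domain}"

def redact(text: str) -> str:
    """Return text with tax IDs and e-mail addresses replaced by masked forms."""
    for pattern in TAX_ID_PATTERNS:
        text = pattern.sub(_mask_tax_id, text)
    return EMAIL_PATTERN.sub(_mask_email, text)

class PersonalDataFilter(logging.Filter):
    """Rewrites the formatted message of every LogRecord before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted; drop the raw args
        return True  # never suppress the record, only rewrite it

def build_logger(name: str = "patria.pipeline") -> logging.Logger:
    """Assumed logger name; returns a logger with the redaction filter attached."""
    logger = logging.getLogger(name)
    logger.addFilter(PersonalDataFilter())
    return logger
```

Filters attached to a logger do not apply to records created by its child loggers, so for pipeline-wide coverage attach the same filter to the handler(s) every logger routes through.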
Encryption and storage
- Encrypt personal data at rest: BigQuery encryption at rest is automatic on GCP; document if using additional CMEK.
- Encrypt personal data in transit: enforce TLS 1.2+ on all endpoints that handle personal data.
- Avoid storing personal data in: plaintext config files, environment variables committed to git, unencrypted S3/GCS buckets, or chat/email.
Retention and deletion
```python
# ✅ Implement automated data expiry
from datetime import datetime, timedelta

RETENTION_DAYS = 365 * 5  # 5-year retention per policy


def is_past_retention(record_date: datetime) -> bool:
    """True once a record is older than the retention period."""
    return datetime.now() - record_date > timedelta(days=RETENTION_DAYS)


# Run as a scheduled job — flag or delete records past retention
```

- Define retention at design time, not after deployment.
- For GDPR/LGPD: anonymization is acceptable as an alternative to deletion where deletion is technically infeasible.
Data subject rights (access, correction, deletion, portability)
- When building systems that hold personal data, plan from the start how a data subject request will be fulfilled:
- Can you identify all records for a given individual across all tables/systems?
- Can you export data in a structured, machine-readable format (portability)?
- Can you delete or anonymize a record without breaking referential integrity?
- Document the process in the RoPA entry for the system.
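The three questions above (find all records, export them, erase without breaking referential integrity) together with the anonymization-instead-of-deletion point from the retention section, worked through as an added example that is not code from the original guide. The two-table layout, field names, the `DIRECT_IDENTIFIERS` list and the sample rows are assumptions.

```python
# Added example (not from the original guide): a minimal in-memory investor
# table plus a transactions table that references it, showing how to locate,
# export and erase one data subject without breaking referential integrity.
# Table layout, field names and the sample rows are assumptions.
import hmac
import json
from copy import deepcopy

# Constructed sample data, not real records.
_INVESTORS = {
    "inv-001": {"name": "Ana Silva", "tax_id": "123.456.789-00", "email": "ana@example.com"},
    "inv-002": {"name": "Bo Larsen", "tax_id": "0101701234", "email": "bo@example.eu"},
}
_TRANSACTIONS = [
    {"tx_id": "tx-1", "investor_id": "inv-001", "fund": "Fund A", "amount": 250000.0},
    {"tx_id": "tx-2", "investor_id": "inv-002", "fund": "Fund A", "amount": 100000.0},
    {"tx_id": "tx-3", "investor_id": "inv-001", "fund": "Fund B", "amount": 75000.0},
]
DIRECT_IDENTIFIERS = ("name", "tax_id", "email")  # fields that identify a person

def sample_tables():
    """Fresh copies so each run (or test) starts from the same state."""
    return deepcopy(_INVESTORS), deepcopy(_TRANSACTIONS)

def find_subject_records(investors, transactions, investor_id):
    """Access right: every row about one individual across both tables."""
    return {
        "investor": investors.get(investor_id),
        "transactions": [t for t in transactions if t["investor_id"] == investor_id],
    }

def export_subject(investors, transactions, investor_id) -> str:
    """Portability right: structured, machine-readable export."""
    records = find_subject_records(investors, transactions, investor_id)
    return json.dumps(records, indent=2, sort_keys=True)

def erase_subject(investors, investor_id, key: bytes) -> str:
    """Erasure by anonymization: keep the investor key so transactions still
    resolve, overwrite direct identifiers with a keyed token (destroy the key
    afterwards, otherwise this is only pseudonymization)."""
    row = investors[investor_id]  # KeyError if the subject does not exist
    token = hmac.new(key, investor_id.encode(), "sha256").hexdigest()[:16]
    for field in DIRECT_IDENTIFIERS:
        row[field] = f"anon-{token}"
    row["erased"] = True
    return token

def dangling_transactions(investors, transactions):
    """Integrity check: transactions whose investor row no longer exists."""
    return [t["tx_id"] for t in transactions if t["investor_id"] not in investors]
```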
International data transfers
- If personal data of EU/EEA residents is transferred outside the EEA, ensure Standard Contractual Clauses (SCCs) or an adequacy decision covers the transfer.
- Brazil (LGPD) currently recognizes transfers to adequate countries or via contractual clauses — confirm with Legal for each target country.
- Colombia and Argentina have specific cross-border transfer rules — consult DPO before any new integration with foreign vendors.
DPIA Triggers — When You Must Escalate to the DPO
Consult the DPO and initiate a Data Protection Impact Assessment before proceeding if any of the following apply:
- Large-scale processing of sensitive data (health, biometrics, financial)
- Systematic monitoring or tracking of individuals (behavioral analytics, geolocation tracking)
- Profiling or automated decision-making with legal or significant effects on individuals
- Processing data of children or vulnerable populations
- New vendor or cloud service that will process personal data
- Combining datasets in ways that could re-identify previously anonymized data
- Cross-border transfer to a country without an adequacy decision
Quick Reference: Data Subject Rights Response Windows
| Right | LGPD | GDPR / UK GDPR | CCPA/CPRA | LFPDPPP (Mexico) |
|---|---|---|---|---|
| Access | 15 days | 1 month | 45 days | 20 days |
| Correction | 15 days | 1 month | 45 days | 17 days |
| Deletion | 15 days | 1 month | 45 days | 20 days |
| Portability | 15 days | 1 month | 45 days | N/A |
| Opt-out (sale/sharing) | N/A | N/A | 15 days | N/A |
All windows above are calendar days from receipt of the request. Systems must be designed to support fulfilling these requests within these deadlines.
Warning: Questions about privacy compliance? Consult the company’s DPO before implementing any new personal data processing, especially when:
- Data from EU, US, or LatAm residents is involved
- You are unsure which regulation applies
- The processing involves sensitive data categories
Also see: [Data Governance in the Data Lake](../../data/governance/lgpd.md)