STJ (Brazil's Superior Court of Justice) ruled by majority that companies managing credit protection databases cannot make consumers' registration and payment compliance information available to third-party inquirers without the data subject's prior authorization. The decision was issued by the Third Panel in the judgment of Special Appeal No. 2,201,694/SP, with the opinion authored by Justice Nancy Andrighi.
The case involved a consumer who challenged the practice of Boa Vista Serviços S.A., the company that operates the SCPC credit database, of making his personal data (such as estimated income, address, and phone number) available through its "ACERTA Cadastral," "ACERTA Básico," "ACERTA Intermediário," and "ACERTA Completo" services without his express consent. Lower courts had dismissed the claim, ruling that the data was not considered sensitive and that consent was not required for credit protection purposes.
Justice Nancy Andrighi clarified that, under Law No. 12,414/2011 (the Positive Credit Registry Law), database operators may only provide third-party inquirers with the credit score (without requiring consent) and credit history (with the registrant's specific authorization). Registration and payment compliance information, however, may only be shared between duly authorized databases, not with third-party inquirers in general.
The court ordered Boa Vista to pay R$ 11,000.00 in moral damages, deemed presumed (in re ipsa) due to the improper disclosure of personal data, which creates a strong sense of insecurity for the consumer. The company was also ordered to refrain from disclosing registration and payment compliance data without the data subject's prior authorization, except to other databases. The ruling reinforces that the liability of database operators is strict when data protection rules are violated.
This post was summarized from the original court decision using AI, with human review.
REsp No. 2,201,694/SP