Decree 12,455/2025 – Important update on the sharing of personal data for management of social benefits
By Adriano Chaves, Marcia Issler Mandelbaum e Marcelo Rosa Filho
On May 15, Decree No. 12,455/2025 was published, amending Decree No. 12,428/2025, which governs the sharing of data by federal public agencies and public service providers to manage social benefits.
With the relevant changes, the definition of public service providers under this regulation has become more restrictive, including only concessionaires, permit holders, and authorized providers of public services related to electricity distribution and collective-interest telecommunications.
The main new obligation introduced is that public service providers must share with the Ministry of Management and Innovation in Public Services the physical addresses of citizens registered in their databases, along with the corresponding Individual Taxpayer Registry (CPF) numbers in a pseudonymized format. The purpose of such sharing is to improve the verification process for granting, maintaining, and expanding social security benefits. This information will be used to enhance address data in the social security benefit databases and, when necessary, confirm household composition.
Additionally, under the Decree, Regulatory Agencies will be responsible for monitoring compliance with the obligations provided therein. Public service providers will be required to designate the individuals responsible for sharing the data on their behalf with such Regulatory Agencies.
The Digital Government Secretariat of the Ministry of Management and Innovation in Public Services will issue a specific regulation setting out the procedures and deadlines for data sharing and updates by public service providers. This will include: the applicable legal basis, the data sharing period, the responsibilities of each data processing agent, security parameters and technical/administrative measures for protecting personal data, procedures for responding to data subject requests, and transparency guidelines.
Also, the Decree establishes that data sharing and personal data processing activities thereunder must comply with the principles and standards of the Brazilian General Data Protection Law (LGPD). The activities must be proportionate and carried out in a manner that ensures the full exercise of data subject rights. The Decree also establishes the need for a prior data protection impact assessment (DPIA), which must include at least a description of data processing activities that may result in risks to fundamental rights and freedoms, as well as the measures, safeguards, and mechanisms to mitigate such risks.
Failure to comply with the Decree will subject public service providers to the penalties provided by law.
To learn more about the rules introduced by the Decree, you can read the full text here or contact our Privacy and Data Protection team leaders, Adriano Chaves and Marcia Issler Mandelbaum.
This bulletin is for information purposes only and should not be relied upon to obtain legal advice on any of the topics dealt with here. CGM Advogados. All rights reserved.