BRAZIL Law and Practice Contributed by: Rodrigo Casarotti, Alexandre David, Ricardo Melaré and Gabriela Claro, /asbz
Trade unions are, however, very active and may be involved if the transaction leads to collective dismiss- als, changes in working conditions or broader restruc- turings after closing, depending on local practice and the terms of applicable CBAs. From a corporate governance perspective, Brazil- ian corporate law permits a corporation’s by-laws to reserve a board seat for an employee representative, but this is optional. Where such a seat exists, the employee-elected director has a single vote like any other board member and does not have a superior or binding vote. Any consultation with unions or employ- ee representatives in the context of a transaction is generally advisory rather than binding on the board, and there is no specific securities-law obligation to disclose a “works council opinion” as such. 7.7 Currency Control/Central Bank Approval There is no general currency control regime requiring Central Bank approval for standard-technology M&A. Cross-border payments must pass through authorised institutions and be recorded under foreign-exchange and foreign-investment rules (including FDI registra- tion), which are procedural rather than discretionary. Specific Central Bank approvals may be required where the target is a regulated financial-sector entity (eg, banks and certain payment institutions), particu- larly on changes of control or qualifying holdings. 8. Recent Legal Developments 8.1 Significant Court Decisions or Legal Developments Two areas have been most relevant to technology M&A: data protection/privacy and capital markets. On privacy, the General Data Protection Law ( Lei Geral de Proteção de Dados Pessoais – LGPD, Law No 13,709/2018) has consolidated as a fully opera- tional regime. The National Data Protection Authority ( Autoridade Nacional de Proteção de Dados – ANPD) issued its Regulation on Dosimetry and Sanctions (CD/ANPD Resolution No 4/2023), making sanction risk concrete and raising compliance expectations. For data-intensive businesses (digital platforms, fin- techs, healthtechs, SaaS), LGPD compliance has
become a core diligence and valuation workstream, with detailed mapping of databases, data flows and incidents, and increasingly granular contractual pro- tections. In parallel, the European Data Protection Board’s Opinion 28/2025 on the European Commis- sion’s draft adequacy decision for Brazil confirms the close alignment between the Brazilian data protection framework and EU data protection law and, once the adequacy decision itself is formally adopted by the Commission, will allow personal data to flow more freely from the EU to Brazil – a significant factor for cross-border technology M&A. On capital markets, the CVM approved in July 2025 the “FÁCIL” regime ( Facilitação do Acesso a Capital e de Incentivos a Listagens ) through CVM Resolutions 231 and 232, creating a simplified listing/offering framework for companhias de menor porte (corpora- tions with consolidated gross revenue below BRL500 million). FÁCIL introduces proportional rules for reg- istration, offerings and ongoing disclosure (including a unified “ Formulário FÁCIL ” and the option for semi- annual financials) and provides simplified offering routes subject to an aggregate cap of BRL300 million per issuer over any 12-month period, with entry into force in early 2026. Due diligence has broadened beyond corporate, tax, litigation and labour to include technology/IP assets (chain of title to software and other IP, with focus on employee/contractor assignments), registration sta- tus of industrial property and third-party/open-source use. Technical diligence (eg, code scans and SBOMs) is increasingly used to identify open source compo- nents and assess licensing/compliance. Since the LGPD’s publication, data privacy and cyber- security have become central strands of diligence: data flows, legal bases, security governance, incident history and ANPD engagement, as well as interna- tional transfer mechanisms and sector-specific rules. Regulated verticals (eg, fintech) also require focused licensing and conduct-of-business reviews. 9. Due Diligence/Data Privacy 9.1 Due Diligence Process
49 CHAMBERS.COM
Powered by FlippingBook