According to Tiago Neves Furtado, partner at Opice Blum Advogados, the impact of the LGPD begins even before any contract is signed and continues well after the property is delivered:

“In practice, it starts during the commercial phase, when brokers collect data from interested parties through advertisements, forms, and WhatsApp. During negotiations, this information circulates among multiple parties, usually via digital folders. After the property is delivered, data continues to be shared with service providers.”

The responses below were prepared jointly by Juliana Abrusio, Maria Flavia Seabra, and Branca Cicci Zuardi, from Machado Meyer Advogados.

According to them, two stages concentrate the highest risks: due diligence and post-closing.

During due diligence, it is essential to structure data rooms with access controls, data minimization, and records of data sharing. In the post-closing phase, critical issues include database migration, defining retention and disposal timelines, and formalizing the roles and responsibilities of controllers and processors.

For Furtado, the most recurring mistake in the real estate market is the lack of clarity:

“Many companies are unable to explain how data was collected, who collected it, with whom it is shared, and for what exact purpose it is used.”

This is especially common in lead generation processes, when data comes from digital campaigns or partner brokers and the origin of the information is poorly documented. Another frequent issue is reusing contacts for purposes different from those originally disclosed.

From Machado Meyer’s perspective, additional failures include excessive data collection, improper reliance on consent as a legal basis, the absence of data inventories, and the lack of clear retention and disposal policies. Another common weakness is poor third-party management, with contracts that fail to clearly define the roles of controllers and processors.

Furtado also highlights the fragility of data rooms commonly used in the market:

“From an LGPD perspective, it is common to find a lack of access controls, no segmentation based on need-to-know, no access or sharing logs, and indiscriminate disclosure of information.”

A typical example is granting all investors access to full contracts containing personal data when summarized versions would be sufficient.

On a more positive note, Furtado observes a shift in mindset:

“ESG and non-financial risk assessments already include questions about privacy and data protection. Serious failures in this area are seen as relevant risks and, in some cases, may be a deal breaker.”

According to Machado Meyer’s sources, data protection maturity is already being factored into company valuations. It influences financing conditions, closing timelines, and the allocation of contractual risks.

For Furtado, the next level of maturity lies in integrating partners into more controlled platforms, with role-based access, activity logs, and clear data-sharing rules.

According to Machado Meyer’s specialists, this evolution involves consolidating privacy by design within assets and integrating LGPD, technology, and ESG practices, using impact reports, automated retention timelines, and more curated data rooms from the outset.