The Contract as a Tool for Accountability and Responsibility
A contract is, by definition, the legal instrument intended to create, modify, or extinguish rights and duties of a patrimonial nature. As Tartuce (2021, p. 553) aptly defines it, it is a bilateral or multilateral legal transaction founded on the will of the parties. Its main function goes beyond the formalization of a relationship: it is a true mechanism for assigning responsibilities and, as a consequence, for rendering accounts.
The Brazilian Civil Code, when dealing with contract formation, reinforces principles such as good faith, social function, and the protection of the vulnerable party (BRASIL, 2002). As Roppo (1988, p. 318) points out, "in the relationship between the strong and the weak, freedom enslaves and the law liberates," which demonstrates the importance of clauses that guarantee balance and protection, especially in asymmetrical relationships.
In the context of data protection, contract construction is a governance tool that not only documents the relationship but also makes it possible, later on, to demonstrate good practices and, if necessary, to determine the liabilities and rights of recourse between the parties in the event of a security incident or a failure to comply with the obligations established by the LGPD (Brazilian General Data Protection Law, Law No. 13.709/2018).

Before drafting: understand the operation and define the processing agents
Before beginning to draft or analyze a data protection clause, the first strategic step is to understand the operation involved in depth. It is not enough to analyze the contract in isolation; the actual data flow must be mapped and understood. Questions such as "Where does the data come from?", "How is it collected?", "Why is it collected (purpose)?", "Who shares it with whom, and for what purpose?" and "Who has a direct relationship with the data subject?" should guide this investigation.
The second step is to correctly identify the processing agents: controller, joint controller, operator (processor), and sub-operator (sub-processor). Questions such as "Do you alone determine the purposes and essential elements of the processing?", "Do you determine them jointly with another party?", "Are some purposes and essential elements determined jointly and others separately?" and "Do you determine them entirely separately?" should guide this identification. This definition is fundamental, since it determines each party's degree of responsibility, its duty to be accountable, and the extent of its participation in the data lifecycle. A superficial analysis can result in clauses that do not reflect the reality of the operation, creating legal risk.
It is worth highlighting the objective of well-drafted clauses. It is not about demanding responsibility from the parties indiscriminately. Rather, it is crucial to ensure that contractual responsibilities can be clearly identified, facilitating the exercise of the right of recourse and guaranteeing the protection of the entire chain involved. The contract must demonstrate good faith in the relationship and be an instrument that embodies the instructions and limits previously agreed upon by the parties.
Scaling complexity: the contractual risk scale
A common pitfall in companies is the attempt to use a single data protection clause template for all contracts. This approach, besides being technically inadequate, can generate regulatory and legal risk. The level of complexity of the clauses needs to be tailored to the reality of the operation.
A good practice is to evaluate the following equation: operation complexity + data volume + data nature = clause complexity level.

Simpler clauses may be sufficient when data processing is ancillary to the contractual purpose, the volume of data is low, and no sensitive data is involved. Robust and detailed clauses become indispensable when the very subject of the contract involves data processing, when the volume of data processed is significant, and/or when sensitive data is processed.
It is also advisable to define a risk scale that guides the entire negotiation. The scale can be divided into four levels (no risk, low, medium, and high) according to regulatory impact. For example, clauses that provide general definitions or are merely conceptual, such as definitions of terms and expressions provided for by law, have no direct impact on legal-regulatory risk. Other clauses have a high impact and are non-negotiable, such as the duty of confidentiality: failure to comply with this obligation may cause security incidents, and both parties may be held liable (Article 44, LGPD).
There are no miracles, only risk analysis and personalization
In the world of data protection, it is common to find "ready-made templates" that promise to resolve every contractual situation. This approach, besides being technically inadequate, can generate serious regulatory and legal risk.
Ultimately, a good contract is one that reflects the reality of the operation and prepares the organization for the best and for the worst. A well-drafted contract is a cornerstone of governance, accountability, and risk mitigation, not a mere formal document.
References
BRASIL. Law No. 10.406, of January 10, 2002. Establishes the Civil Code. Brasília, DF, 2002. Accessed on: June 10, 2025.
BRASIL. Law No. 13.709, of August 14, 2018. General Personal Data Protection Law (LGPD). Brasília, DF, 2018. Accessed on: June 10, 2025.
ROPPO, Enzo. The contract. Coimbra: Almedina, 1988.
TARTUCE, Flávio. Civil law manual: single volume. 11th ed. Rio de Janeiro: Forense; Método, 2021.