Imagine accessing your banking app and discovering that your account has been emptied. Or realizing that there are loans, purchases, or transfers made in your name without your authorization. This situation, which seems like a scene from a movie, is increasingly common—and real. And the starting point is usually the same: the misuse of personal data, which circulates rapidly in the digital world, not always with the care it deserves.
Today, we live in the information age. Your data—such as your name, social security number, address, location, email, photos, and even behavioral patterns—is highly valuable. It forms the basis of any interaction with the financial system. Banks and fintech companies use this data to open accounts, offer credit, calculate risks, and protect against fraud. However, this same information, when it falls into the wrong hands, becomes a tool for sophisticated scams capable of causing serious losses.
Given this scenario, it is crucial to understand how Brazilian legislation protects you as a data subject. The General Data Protection Law (LGPD), established by Law No. 13.709/2018, sets forth rules and principles that obligate any company or institution, including banks and fintechs, to handle your data responsibly, ethically, and transparently. According to Article 6 of the LGPD, data processing must observe, among others, the principles of purpose (item I), which requires that data be used only for legitimate purposes and informed to the data subject; necessity (item III), which limits collection to the minimum necessary; transparency (item VI), which guarantees clear and easy access to information about the processing; prevention (item VIII), which requires measures to avoid harm; and security (item VII), which mandates the adoption of technical and administrative safeguards to protect personal data from unauthorized access or risky situations.
These principles are especially relevant in the financial sector, where automated technologies are increasingly used for credit analysis, credit limit allocation, account blocking, and risk-based profiling decisions. In these cases the LGPD, especially in its Article 20, guarantees the data subject the right to request a review of decisions made solely on the basis of automated processing of personal data that affect their interests. This includes, for example, the unjustified refusal of credit or the blocking of an account based on opaque algorithmic analyses, and it reinforces the importance of transparency and explainability in the decision-making process.
Additionally, Article 46 of the LGPD imposes a clear duty on institutions: to adopt technical and administrative security measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or dissemination. This obligation requires data controllers to establish robust privacy and information security governance policies, with continuous risk monitoring, incident response protocols, and regular audits.
More than just a privacy rule, the LGPD is a legal instrument that guarantees your right to control your data and imposes concrete obligations on the institutions that process it. In the financial sector, its application is essential to ensure that innovation and financial inclusion advance without compromising the fundamental rights of data subjects. It is a milestone that balances technology, trust, and responsibility.
Regarding the financial sector, there are regulatory issues that must be observed. Central Bank Resolution No. 4.753/2019 requires financial institutions to establish a robust cybersecurity policy, with systems capable of identifying, monitoring, recording, and responding to incidents that may compromise the integrity, confidentiality, and authenticity of customer information and transactions.
In other words, banks have a legal duty to protect your information and prevent operational risks related to digital fraud. Omission or failure to fulfill this duty may constitute strict liability—that is, regardless of fault, as provided for in Precedent 479 of the Superior Court of Justice (STJ):
Financial institutions are objectively liable for damages caused by internal fortuitous events related to fraud and crimes committed by third parties within the scope of banking operations.
This precedent clearly establishes that scams perpetrated using customer data within the banking environment give rise to strict liability for the institution. This includes, for example, unauthorized transfers via internet banking, loans contracted without authorization, and purchases made with cloned cards. In these cases, the consumer is entitled to full compensation, including for moral damages.
However, the jurisprudence of the Superior Court of Justice (STJ) has also evolved to recognize situations in which the bank's liability can be excluded, provided that the institution proves that it adopted all the measures required by the Central Bank regulations, adequately monitored the transaction, and that there was no data breach or systemic failure attributable to its conduct. In other words, if the bank demonstrates that it followed all security protocols and complied with its governance policy, and that the fraud resulted from an external event, such as the misuse of data by third parties after exposure caused by the data subject himself, liability may be excluded.
This balance between consumer protection and assessing the due diligence of institutions is essential to maintaining trust in the digital financial system. Ultimately, what is required is good faith, prevention, and an efficient response to suspicious situations. The bank must act as a guardian of the client's data and money, but cannot be penalized for frauds completely outside its sphere of control.
The most common scams today involve the use of social engineering, such as fake messages and calls that mislead the victim; phishing, through malicious links; and the use of leaked data to create fake accounts, contracts, or bank transactions. In all cases, the misuse of personal data is at the heart of the scam—and care with this information must be continuous.
Consumers also play an active role in this process. Some simple actions increase security: don't click on suspicious links, activate two-factor authentication, keep apps updated, avoid sharing data on social media, and, whenever possible, question how your information is used. And when something seems wrong, report it. You have the right to file complaints with consumer protection agencies, notify the financial institution, and even take legal action.
Digital life has brought many conveniences. But with them have come new responsibilities, and new risks. Data protection is now a fundamental part of your personal and financial security. And when there are breaches, you are not helpless. The LGPD, Resolution No. 4.753/2019 of the Central Bank of Brazil, and the jurisprudence of the Superior Court of Justice (STJ) offer tools so that you can react, demand explanations, be compensated, and have your rights respected.
The future of banking is digital. But it will only be trustworthy if it is also ethical, transparent, and secure.