DPIA Template for Gemini Enterprise: LGPD-Compliant Guide

Brazil's LGPD (Law 13,709/2018) provides for the DPIA in Art. 38. The ANPD, through Resolutions CD/ANPD No. 4/2023 and No. 18/2024, made it clear: AI projects that process personal data at large scale, involve automated decisions with legal effects, or use sensitive data need a documented DPIA available for inspection.

This post brings the template that Autenticare applies in Gemini Enterprise projects — validated with healthcare, education and financial services clients.

When is the DPIA mandatory

• Processing at large scale (thousands of data subjects or significant volume of data).
• Use of sensitive data (health, biometrics, orientation, racial origin, union membership).
• Data of children and adolescents.
• Automated decisions with relevant effects (credit, hiring, fraud).
• Systematic monitoring of data subjects.
• Any project where legitimate interest is the legal basis.

In practice, 90% of corporate agent projects fit at least one of these criteria. Have the DPIA ready.

DPIA structure (Autenticare template)

1. Controller and data protection officer identification

Name, tax ID, DPO contact. If there is a processor (Google Cloud), register it as well with reference to the contract and DPA.

2. Processing description

What the agent does, which data sources it consumes, what outputs it produces. Data flow diagram recommended. In Gemini Enterprise: explicitly indicate that data stays in sa-east1 (São Paulo) and that the training opt-out is active.

3. Purpose and legal basis

For each data category: specific purpose (not just "improve service") and corresponding legal basis (consent, contract execution, legal obligation, legitimate interest, etc.). If using legitimate interest, include the balancing test.

4. Necessity and proportionality

Demonstrate that:

• The data is minimal for the purpose (data minimization principle).
• There is no less invasive alternative (e.g., aggregation, pseudonymization).
• The benefit outweighs the risk to the data subject.

5. Data categories and subjects

Table with:

• Categories: identification, contact, financial, sensitive, behavioral.
• Subjects: employees, customers, third parties, minors.
• Estimated volume and frequency.

6. Sharing and international transfers

Critical point in cloud AI. For Gemini Enterprise:

• Data at rest: sa-east1 (Brazil).
• Models running in sa-east1 (confirm per agent — some still run in us-central1).
• Google administrative logs: may cross borders — justify with standard contractual clauses from the Google Cloud DPA.
• Zero sharing for training — attach opt-out confirmation.

7. Technical and administrative security measures

In Gemini Enterprise, list:

• Encryption at rest (AES-256) and in transit (TLS 1.3).
• CMEK if sensitivity requires.
• VPC Service Controls to prevent exfiltration.
• IAM with least privilege and mandatory MFA.
• DLP at ingest (masking CPF, email, phone, sensitive data).
• ACL at retrieval via Workspace groups.
• Complete audit log (Cloud Audit Logs + application logs).
• Defined retention with automatic deletion.

8. Risk analysis

Table with risk × probability × impact × mitigation. Common examples in AI:

• Hallucination with personal data: mitigate with mandatory citations and evaluation gold set.
• Bias in automated decisions: mitigate with quarterly fairness auditing.
• Prompt injection: mitigate with input sanitization and tool isolation.
• Improper access to documents: mitigate with Drive-inherited ACL.
• Re-identification in logs: mitigate with identifier hashing in logs.

9. Data subject rights

How the project addresses:

• Access and copy (LGPD Art. 18).
• Correction and deletion.
• Review of automated decisions (Art. 20).
• Portability when applicable.
• Contact channel (DPO email, form).

10. Conclusion and review plan

DPO opinion on the acceptability of the processing. Date of next review (recommended: annual or at each material change).

Frequently Asked Questions