CHAPTER II

PROCESSING OF PERSONAL DATA
 

Section I


Requirements for the Processing of Personal Data
 

Art. 7.

Processing of personal data shall only be carried out under the following circumstances:
 

I – with the consent of the data subject;
II – for compliance with a legal or regulatory obligation by the controller;
III – by the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments, subject to the provisions of Chapter IV of this Law;
IV – for carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data;
V – when necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
VI – for the regular exercise of rights in judicial, administrative or arbitration procedures, the last pursuant to Law No. 9,307, of September 23, 1996 (the “Brazilian Arbitration Law”);
VII – for the protection of life or physical safety of the data subject or a third party;
VIII – to protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities; (New Wording Given by Law No. 13,853/2019)
IX – when necessary to fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail; or
X – for the protection of credit, including as provided in specific legislation.
 

§1 (Revoked). (New Wording Given by Law No. 13,853/2019)
§2 (Revoked). (New Wording Given by Law No. 13,853/2019)
§3 The processing of publicly accessible personal data shall consider the purpose, the good faith and the public interest that justify it being made available.
§4 The consent requirement provided in the lead sentence of this article is waived for data manifestly made public by the data subject, safeguarding the rights of the data subject and the principles provided in this Law.
§5 The controller who has obtained the consent referred to in item I of the lead sentence of this article that needs to communicate or share personal data with other controllers shall obtain specific consent from the data subject for this purpose, except when the need for such consent is waived as provided in this Law.
§6 Any eventual waiver of the consent requirement does not release processing agents from the other obligations provided in this Law, especially that of obeying the general principles and guarantees of the data subject’s rights.
§7 The subsequent processing of the personal data referred to in paragraphs 3 and 4 of this article may be carried out for new purposes, provided that legitimate and specific purposes to the new processing and the preservation of the rights of the data subject are observed, as well as the grounds and principles set forth in this Law. (Included by Law No. 13,853/2019)
 

Art. 8.

The consent provided in item I of Art. 7 of this Law shall be given in writing or by other means able to demonstrate the manifestation of the will of the data subject.
 

§1 If consent is given in writing, it should be included in a clause that stands out from the other contractual clauses.
§2 The burden of proof to demonstrate that the consent was duly obtained in compliance with the provisions of this Law is on the controller.
§3 It is prohibited to process personal data if the consent is defective.
§4 Consent shall refer to particular purposes, and generic authorizations for processing personal data shall be considered void.
§5 Consent may be revoked at any time, by express request of the data subject, through a facilitated and free of charge procedure, with processing carried out under previously given consent remaining valid as long as there is no request for deletion, pursuant to item VI of the lead sentence of Art. 18 of this Law.
§6 If there is a change in the information as referred to in items I, II, III or V of Art. 9 of this Law, the controller shall inform the data subject, with specific highlight of the content of the changes, in which case the data subject, in those cases where her/his consent is required, may revoke it if she/he disagrees with the change.
 

Art. 9.

The data subject has the right to facilitated access to information concerning the processing of her/his data, which must be made available in a clear, adequate and ostensible manner, concerning, among other characteristics provided in regulation for complying with the principle of free access:
 

I – the specific purpose of the processing;
II – the type and duration of the processing, being observed commercial and industrial secrecy;
III – identification of the controller;
IV – the controller’s contact information;
V – information regarding the shared use of data by the controller and the purpose;
VI – responsibilities of the agents that will carry out the processing; and
VII – the data subject’s rights, with explicit mention of the rights provided in Art. 18 of this Law.
 

§1 In situations where consent is required, it shall be considered void if the information provided to the data subject contains misleading or abusive content or was not previously presented in a transparent, clear and unambiguous way.
§2 In the situation when consent is required, if there are changes in the purpose of the processing of personal data that are not compatible with the original consent, the controller shall previously inform the data subject of the changes of purpose, and the data subject may revoke her/his consent if she/he disagrees with the changes.
§3 When the processing of personal data is a condition for the provision of a product or service or for the exercise of a right, the data subject shall be informed with special highlight of this fact and of the means by which she/he may exercise her/his data subject’s rights as listed in Art. 18 of this Law.
 

Art. 10.

Controller’s legitimate interest can only be grounds for processing personal data for legitimate purposes, based on particular situations, which include but are not limited to:
 

I – support and promotion of the controller’s activity; and
II – protection of data subject’s regular exercise of her/his rights or provision of services that benefit her/him, subject to her/his legitimate expectations and fundamental rights and freedoms, in accordance with this Law.
 

§1 When processing is based on the controller’s legitimate interest, only the personal data which are strictly necessary for the intended purpose may be processed.
§2 The controller shall adopt measures to ensure transparency of data processing based on her/his legitimate interests.
§3 The national authority may request of the controller a data protection impact assessment, when processing is based on her/his legitimate interest, being observed commercial and industrial secrecy.
 

Section II
 

Processing of Sensitive Personal Data
 

Art. 11.

The processing of sensitive personal data shall only occur in the following situations:
 

I – when the data subject or her/his legal representative specifically and distinctly consents, for the specific purposes;
II – without consent from the data subject, in the situations when it is indispensable for:
 

a) controller’s compliance with a legal or regulatory obligation;
b) shared processing of data when necessary by the public administration for the execution of public policies provided in laws or regulations;
c) studies carried out by a research entity, whenever possible ensuring the anonymization of sensitive personal data;
d) the regular exercise of rights, including in a contract and in a judicial, administrative and arbitration procedure, the last in accordance with the terms of Law No. 9,307, of September 23, 1996 (the “Brazilian Arbitration Law”);
e) protecting life or physical safety of the data subject or a third party;
f) to protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities; (New Wording Given by Law No. 13,853/2019)
g) ensuring the prevention of fraud and the safety of the data subject, in processes of identification and authentication of registration in electronic systems, respecting the rights mentioned in Art. 9 of this Law and except when fundamental rights and liberties of the data subject which require protection of personal data prevail.
 

§1 The provisions of this article apply to any processing of personal data that reveals sensitive personal data and that may cause harm to the data subject, subject to the provisions of specific legislation.
§2 When the provisions of lines a and b of item II of the lead sentence of this article are applied by public agencies and entities, said waiver of consent shall be publicized, pursuant to item I of the lead sentence of Art. 23 of this Law.
§3 Communication or shared use of sensitive personal data between controllers for the purpose of obtaining an economic advantage may be prohibited or regulated by the national authority, being heard the sectoral entities of the public authority, within their regulatory capacity.
§4 Communication or shared use between controllers of sensitive personal data referring to health in order to obtain an economic advantage is prohibited, except in hypotheses related to the provision of health services, pharmaceutical assistance and health insurance, as long as paragraph 5 of this article is observed, including auxiliary diagnostic and therapeutic services, in benefit of the interests of the data subject and also to allow:
 

I – data portability when requested by the data subject; or
II – the financial and administrative transactions resulting from the use and provision of the services referred to in this paragraph.
 

§5 Operators of private health care plans are prohibited from processing health data for the practice of risk evaluation in any modality of hiring, as well as the hiring and exclusion of beneficiaries. (Included by Law No. 13,853/2019)
 

Art. 12.

Anonymized data shall not be considered personal data, for purposes of this Law, except when the process of anonymization to which the data were submitted has been reversed, using exclusively its own efforts, or when it can be reversed applying reasonable efforts.
 

§1 The determination of what is considered reasonable shall take objective factors into account, such as cost and time necessary to reverse the process of anonymization, depending on the available technology, and the exclusive use of its own means.
§2 Data can be considered personal, for purposes of this Law, when they are used to formulate behavioral profiles of a particular natural person, if that person is identified.
§3 The national authority may provide for standards and techniques to be used in processes of anonymization, and carry out security checks, with opinions from the National Board for the Protection of Personal Data.
 

Art. 13.

When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively within the entity and strictly for the purpose of carrying out studies and research. Those databases shall be kept in a controlled and secure environment, in accordance with security practices provided in specific regulation and this includes, whenever possible, anonymization or pseudonymization of the data, as well as taking into account the proper ethical standards related to studies and research.
 

§1 Disclosure of the results or of any portion of the study or the research, as mentioned in the lead sentence of this article, shall under no circumstances reveal personal data.
§2 The research entity shall be held liable for the security of the information provided in the lead sentence of this article, and it is forbidden, under any circumstances, to transfer the data to a third party.
§3 Access to data as provided in this article shall be the object of regulation by the national authority and of the authorities in the area of health and sanitation, within the scope of their regulatory capacity.
§4 For purposes of this article, pseudonymization is the processing by means of which data can no longer be directly or indirectly associated with an individual, except by using additional information kept separately by the controller in a controlled and secure environment.
 

Section III
 

Processing of Children and Adolescents’ Personal Data
 

Art. 14.

The processing of personal data belonging to children and adolescents shall be done in their best interest, pursuant to this article and specific legislation.
 

§1 The processing of children’s personal data shall be done with specific and highlighted consent given by at least one of the parents or the legal representative.
§2 When processing data as mentioned in §1 of this article, controllers shall make public the information about the types of data collected, the way it is used and the procedures for exercising the rights of data subjects referred to in Art. 18 of this Law.
§3 Children’s personal data may be collected without the consent mentioned in §1 of this article when the collection is necessary to contact the parents or the legal representative, and as long as the data are used one single time and not stored, or for their protection, and under no circumstances shall the data be passed on to third parties without consent as provided in §1 of this article.
§4 Controllers shall not condition the participation of data subjects, as referred to in §1 of this article, to games, internet applications or other activities for providing personal information beyond what is strictly necessary for the activity.
§5 The controller shall use all reasonable efforts to verify that the consent referred to in §1 of this article was given by the child’s representative, considering available technologies.
§6 Information on the processing of data referred to in this article shall be provided in a simple, clear and accessible manner, taking into account the physical-motor, perceptive, sensorial, intellectual and mental characteristics of the user, using audiovisual resources when appropriate, in order to provide the necessary information to the parents or the legal representative and that is appropriate for the children’s understanding.
 

Section IV

Termination of Data Processing

 

Art. 15.

The processing of personal data shall be terminated under the following circumstances:
 

I – verification that the purpose has been achieved or that the data are no longer necessary or pertinent to achieve the specific purpose intended;
II – end of the processing period;
III – communication by the data subject, including when exercising her/his right to revoke consent, as provided in §5 of Art. 8 of this Law, subject to the public interest; or
IV – determination by the national authority when there has been a violation of the provisions of this Law.
 

Art. 16.

Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but their storage is authorized for the following purposes:
 

I – compliance with a legal or regulatory obligation by the controller;
II – study by a research entity, ensuring, whenever possible, the anonymization of the personal data;
III – transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or
IV – exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized.