CHAPTER III
 

DATA SUBJECTS’ RIGHTS
 

Art. 17.

Every natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed, under the terms of this Law.
 

Art. 18.

The data subject5, regarding the data subject’s data being processed by the controller, at any time and by means of request, has the right to obtain the following from the controller:
 

I – confirmation of the existence of the processing;
II – access to the data;
III – correction of incomplete, inaccurate or out-of-date data;
IV – anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this Law;
V - portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency;
V – portability of the data to another service provider or product provider, by the means of an express request, pursuant with the regulations of the national authority, and subject to commercial and industrial secrets; (New Wording Given by Law No. 13,853/2019)
VI – deletion of personal data processed with the consent of the data subject, except in the situations provided in Art. 16 of this Law;
VII – information about public and private entities with which the controller has shared data;
VIII – information about the possibility of denying consent and the consequences of such denial;
IX – revocation of consent as provided in §5 of Art. 8 of this Law.
 

§1 The personal data subject has the right to petition, regarding her/his data, against the controller before the national authority.
§2 The data subject may oppose the processing carried out based on one of the situations of waiver of consent, if there is noncompliance with the provisions of this Law.
§3 The rights provided in this article shall be exercised by means of an express request by the data subject or her/his legally constituted representative to the processing agent.
§4 If it is impossible to immediately adopt the measure mentioned in §3 of this article, the controller shall send a reply to the data subject in which she/he may:
 

I – communicate that she/he is not the data processing agent and indicate, whenever possible, who the agent is; or
II – indicate the reasons of fact or of law that prevent the immediate adoption of the measure.
 

§5 The request as mentioned in §3 of this article shall be fulfilled without costs to the data subject, within the time periods and the terms as provided in regulation.
§6 The responsible shall immediately inform the processing agents with which she/he has carried out the shared use of data of the correction, deletion, anonymization or blocking of data, so that they can repeat an identical procedure.
§6 The controller shall immediately inform the processing agents with which she/he has carried out the shared use of data of the correction, deletion, anonymization or blocking of data, so that they can repeat an identical procedure, except in cases in which this action is proven impossible or involves disproportionate effort. (New Wording Given by Law No. 13,853/2019)
§7 The portability of personal data referred to in item V of the lead sentence of this article does not include data that have already been anonymized by the controller.
§8 The right referred to in §1 of this article may also be exercised before consumer-defense entities.
 

Art. 19.

Confirmation of the existence of or access to personal data shall be provided by means of request by the data subject:
 

I – in a simplified format, immediately; or
II – by means of a clear and complete declaration that indicates the origin of the data, the nonexistence of registration, the criteria used and the purpose of the processing, subject to commercial and industrial secrecy, provided within a period of fifteen (15) days as from the date of the data subject’s request.
 

§1 Personal data shall be stored in a format that facilitates the exercise of the right to access.
§2 Information and the data may be provided, at the data subject’s discretion:
 

I – by electronic means that is safe and suitable for this purpose; or
II – in printed form.
 

        §3 When processing originates from the consent of the data subject or from a contract, the data subject may request a complete electronic copy of her/his personal data,     subject to commercial and industrial secrecy, in accordance with regulations of the national authority, in a format that allows its subsequent use, including for other processing operations.
    §4 The national authority may provide differently regarding the time periods provided in items I and II of the lead sentence of this article for specific sectors.
 

Art. 20.

The data subject has the right to request for the review of decisions made solely based on automated processing of personal data affecting her/his interests, including decisions intended to define her/his personal, professional, consumer and credit profile, or aspects of her/his personality. (New Wording Given by Law No. 13,853/2019)
 

§1 Whenever requested to do so, the controller shall provide clear and adequate information regarding the criteria and procedures used for an automated decision, subject to commercial and industrial secrecy.
§2 If there is no offer of information as provided in §1 of this article, based on commercial and industrial secrecy, the national authority may carry out an audit to verify discriminatory aspects in automated processing of personal data.
§3 (vetoed). (Included by Law No. 13,853/2019)
 

Art. 21.

Personal data concerning the regular exercise of rights by the data subject cannot be used to her/his detriment.
 

Art. 22.

The defense of the interests and rights of data subjects may be carried out in court, individually or collectively, as provided in pertinent legislation regarding the instruments of individual and collective protection.