In modern society, we see that commercial relations give rise to the constant collection of personal data, from basic information regarding individuals, such as name, CPF, e-mail, address and occupation, to more advanced information relating to circle of friends, tastes and interests, physical characteristics, etc.
This enormous quantity of information is stored in various data banks, which are very valuable economically, enabling businessmen and politicians to direct their operational strategies, and determining market, political, behavioral and religious tendencies, among others.
In view of the unbridled use of this information, it was considered necessary to regulate this activity in order to avoid abuse leading to violation of the fundamental rights of individuals, including privacy and intimacy.
In this context, in the wake of international legislation, especially the General Data Protection Regulation of the European Union (known as GDPR), Law 13.709/2018 (LGPD) has been enacted in Brazil, the object of which is to regulate the manner in which companies, government agencies and even individuals process personal data.
But what is the meaning of “personal data processing”?
For the purposes of the LGPD, processing is any operation relating to personal data, such as those involving the collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transference, diffusion or extraction. Personal data is any information relating to an identified or identifiable natural person.
Thus, in short, one can say that personal data processing is any conduct that involves information relating to natural persons.
Data processing is allowed in various situations described in article 7 of the LGPD, as follows:
I – with the consent of the data subject – this is the general rule and is based on the principle that someone can only deal with your personal data with your permission. The consent must be a free, informed and unequivocal statement, whereby the data subject agrees to the processing of his/her personal data for a given purpose, bearing in mind that such consent may be revoked at any moment by a further statement by the data subject. Consent is not required for data manifestly made public by the data subject, but the obligation to respect his/her rights continues.
II – for compliance with a statutory or regulatory obligation by the controller – the controller is defined as the natural person or legal entity responsible for the decisions relating to the processing.
III – by the public authorities, for the processing and shared use of data necessary for the execution of public policies.
IV – for carrying out studies by a research body, with anonymization of the personal data guaranteed whenever possible – anonymization of personal data means, as the very name implies, ensuring that the data subject remains anonymous, in other words, making it impossible to link that information to that specific individual.
V – when necessary for execution of a contract or preliminary procedures relating to a contract to which the data subject is a party, at the latter’s request;
VI – for the regular exercise of rights in judicial, administrative or arbitration proceedings;
VII – for protection of the life or physical safety of the data subject or of a third party;
VIII – for the protection of health, in a procedure carried out by health professionals or sanitary entities;
IX – when necessary to meet the legitimate interests of the controller or of a third party, except in the event of prevalence of fundamental rights and liberties of the data subject which require protection of the personal data; or
X – for the protection of credit.
It should also be observed that, even in cases of processing of personal data to which the public have access, the purpose, good faith and public interest justifying the disclosure must be taken into consideration.
Apart from the general rules relating to the processing of personal data, the LGPD established rules for when the processing refers to sensitive personal data, the latter being defined as any personal data regarding racial or ethnic origin, religious belief, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sex life, genetic or biometric data, when linked to a natural person.
Sensitive personal data can only be processed in the following events:
I – whenever the data subjects or their legal representative specifically and emphatically consent to such processing, for specific purposes;
II – without the data subjects’ consent, whenever they are essential for:
a) compliance with a statutory or regulatory obligation by the controller;
b) shared processing of data required for the enforcement by the public authorities of public policies set forth in the laws or regulations;
c) carrying out studies by a research body, with anonymization of the sensitive personal data guaranteed whenever possible;
d) the regular exercise of rights in judicial, administrative or arbitration proceedings;
e) protection of the life or of the physical safety of the data subjects or of third parties;
f) protection of health, in a procedure carried out by health professionals or by sanitary entities; or
g) guarantee of the prevention of fraud and of the security of the data subjects, in the processes of identification and certification of records in electronic systems, observing the rights mentioned in article 9 of this Law and except in the event of prevalence of fundamental rights and liberties of the data subjects that require protection of the personal data.
The LGPD further created special rules regarding the processing of personal data of children and adolescents, based on the principle that this should be done always in their best interests.
As a general rule, the processing of personal data of children must be done with the specific and emphatic consent of at least one of the parents or legal guardian.
In exceptional cases, children’s personal data may be collected without consent when such collection is necessary to establish contact with the parents or legal guardian, and used only once and without storage, or for their protection, and in no case may data be passed on to a third party without consent.
As regards termination of the processing of data, this will occur in the following circumstances:
I – confirmation that the purpose of the processing has been fulfilled or that the data have ceased to be necessary or relevant to fulfillment of the specific purpose intended;
II – end of processing period;
III – communication by the data subject, including the exercise of his/her right to revoke consent, subject to the public interest; or
IV – determination of the national authorities, when there is a violation of the Law.
On termination of the processing, the personal data will normally be eliminated, retention being authorized for the following purposes:
I – compliance with a statutory or regulatory obligation by the controller;
II – study by a research group, with guaranteed anonymization, whenever possible, of the personal data;
III – transfer to a third party, provided the data processing requirements are observed; or
IV – exclusive use by the controller, access by third parties being prohibited, and provided the data are maintained in anonymity.
These are, in summary, the points we wished to comment on regarding data processing. As we can see, we are facing a new era with a great number of challenges, and it is very important that companies are prepared to comply with the new legislation as soon as it comes into force.
Charles Wowk
Partner
charles.wowk@stussinevessp.com.br
+55 11 3093-6650