
Brazil: Operationalising the LGPD: Part three - Consent and other lawful bases

Certainly, one of the most relevant points for compliance with Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') is related to the processing of personal data according to the most appropriate legal basis. Patricia Peck Pinheiro and Bruna Michele Wozne Godoy, Partner and Associate respectively at PG Advogados, discuss the various legal bases under the LGPD and provide some practical examples of how these may be approached.


The matter regarding legal bases is so relevant that one of the most common penalties related to the violation of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), second only to data breaches, is that of an absence of legal grounds for processing the data.

But how does one identify the most appropriate legal basis for a given processing activity? What parameters should guide this analysis? The following indicators are recommended for setting up an application grid for the legal basis:

  • What type of person or controlling institution is involved? (If it is a public institution, research body, or health professional, there may be some different prerogatives.)
  • What type of data subject (category) does the personal data refer to?
  • Is sensitive data involved?
  • Is there any personal data of minors (especially children) involved?
  • What is the origin of the database (own, third party, public)?
  • Which specific purpose(s) will be applied to the processing? Are there any purposes that have greater relevance or prominence?
  • Among the purposes, are there any that are related to public security or fighting crime?
  • Will the personal data receive any kind of anonymisation methodology (which would then remove it from the personal data category at some point in the flow)?

With these eight factors it is possible to define how the legal basis will be applied, and also whether the consent requirement will need to be applied, or whether it is a case where consent is not required but the application of the principle of transparency (awareness and clear information) is still mandatory.

The main legal bases for processing personal data are:

  • upon consent from the data subject;
  • where necessary to comply with a legal or regulatory obligation;
  • by the public administration, where processing is necessary to fulfil public policies set forth in laws, regulations, contracts, or similar legal documents;
  • by research organisations (as defined by the law), where necessary to conduct research (data should be anonymised where possible);
  • where necessary to perform a contract or any preliminary procedures related to the contract, provided it is upon the request of the data subject;
  • where necessary for the exercise of a legal right in any judicial, administrative, or arbitration proceedings;
  • where necessary to protect the life and physical well-being of the data subject or a third party;
  • where necessary for health protection, in procedures performed by health professionals, health services, or by health entities;
  • where necessary to meet the legitimate interests of the controller or of a third party except where the fundamental rights and freedoms of the data subjects related to data protection should prevail; and
  • where necessary for credit protection.

All legal bases available under the GDPR are also available under the LGPD. The main difference is that the LGPD provides a greater number of legal bases, including for research purposes and for credit protection purposes.

When the processing involves sensitive personal data, the legal bases offered by the LGPD differ, and processing may only take place in the following cases:

  • upon consent from the data subject or his/her legal representative, which has to be specific and separate from other clauses;
  • where necessary to comply with a legal or regulatory obligation;
  • by the public administration, where processing is necessary to fulfil public policies set forth in laws or regulations;
  • by research organisations (as defined by law), where necessary to conduct research (data should be anonymised where possible);
  • where necessary for the exercise of legal rights in contracts or any judicial, administrative, or arbitration proceedings;
  • where necessary to protect the life and physical well-being of the data subject or a third party;
  • where necessary for health protection, in procedures performed by health professionals or by health entities; and
  • where necessary to prevent fraud or guarantee the safety of the data subject, in procedures of authentication and identification of electronic records systems except where the fundamental rights and freedoms of the data subjects related to data protection should prevail.

Almost all bases available under the GDPR are also available under the LGPD. Although the LGPD lacks some of them (such as the one related to processing carried out by a foundation, association, or not-for-profit body), it sets forth some bases that are similar to the ones under the GDPR but broader in scope.

For instance, under the LGPD, processing of sensitive data is allowed where necessary to protect the life of the data subject, regardless of whether he/she is physically or legally incapable of giving consent. It must also be considered that the processing of personal data manifestly made public by the data subject is not a legal basis under the LGPD.

The eventual waiver of the requirement of consent does not relieve the processing agents of the other obligations in the LGPD, especially the observance of its general principles, such as transparency, which provides awareness to the data subject.

Difference between consent and awareness

Awareness of the processing activities should be given to all data subjects under the principle of transparency. It might be presented in documents such as privacy policies, notices, communications, and others. The LGPD does not define a form in which awareness should be given to the data subject; however, the data subject must always be aware of what, how, and why his/her personal data is being processed, independently of the legal basis used to do so.

Consent, on the other hand, is one of the legal bases for processing personal data, and when it is applied, some requirements must be met in order to be valid. Consent is the free, informed, and unequivocal manifestation by which the data subject agrees with the processing of his/her personal data for a specific purpose.

Consent is specifically defined by Article 8 of the LGPD, which sets forth not only the definition of consent, but how it should be legally acquired and managed by the processing agents:

  • it must be provided in writing or by another means that demonstrates the intention of the holder;
  • if the consent is provided in writing, it must be included in a separate clause of the other contractual clauses;
  • the controller bears the burden of proving that the consent was obtained in accordance with the provisions of the LGPD;
  • the processing of personal data is prohibited through a defect of consent; and
  • consent must refer to specific purposes, and generic authorisations for the processing of personal data will be invalid.

When consent is used as a condition for the processing of personal data, its validity depends on meeting all the requirements below:

  • It must be given freely: the data controller must give the data subject the opportunity to choose whether or not to provide his/her personal data, so that his/her choice is genuine and without prejudice, and must also inform the holder of the personal data about the right to revoke consent before it is provided.

  • It must be informed: the data controller must previously inform the data subject why the data will be collected, in an objective, clear, and easy to understand way, so that it can be distinguished from the other matters dealt with.

  • It must be unambiguous: the data controller must demonstrate that the processing of personal data is limited to that established in the term (contract, notice, or privacy policy), bound by the explicit consent given by the data subject.

  • It must be for a determined purpose: the data controller must be able to demonstrate that the data subject has agreed to the processing of his/her personal data for one or more specific purposes.

The authorisation given by the data subject must cover all processing activities carried out for the same purpose. In the event of a change in the purpose of the processing, the holder of the personal data must be informed in a specific and highlighted way about the content of the changes, enabling him/her to revoke the consent, if he/she does not agree. It is necessary to obtain specific and highlighted consent for specific purposes in the case of the processing of sensitive personal data.

Privacy by Default is highly recommended when obtaining consent: for instance, checkboxes can never be pre-ticked. Consent always has to be an explicit and informed choice of the data subject. In addition, the processing of personal data is prohibited when consent has not been obtained in a legitimate way. Consent will be considered null if the information provided to the data subject was misleading, included abusive content, or had not been previously presented with transparency, in a clear and unambiguous way.

This leads us to the conclusion that awareness must be present in all legal bases for the processing of personal data, including consent. Awareness is more than just a legal basis; it is a principle which sustains the LGPD. Consent can be revoked at any time by the express request of the data subject, via a free and facilitated procedure, which is outlined in the terms under which consent was previously given, as long as there is no request for erasure. Where consent is required, if there are changes in the purpose for the processing of personal data not compatible with the consent originally given, the controller must inform the data subject in advance of the changes in purpose, and the data subject may revoke the consent if he/she disagrees with the changes.

Processing of personal data by public entities

Currently in Brazil, Law No. 12.527/2011 on access to information ('the Access to Information Law') applies to all legal entities governed by public law, and establishes the right to access information as a fundamental right. In addition, the Access to Information Law cites transparency as one of its fundamental principles. Things are no different when it comes to processing of personal data by public bodies.

The processing of personal data by legal entities governed by public law must be carried out to fulfil its public purpose, in pursuit of the public interest, with the objective of executing legal powers or fulfilling legal attributions of public service. Public entities may carry out processing of personal data by providing clear and updated information on the legal provision, purpose, procedures, and practices used to perform these activities, which should be easily accessible, preferably on their websites.

The personal data must be maintained in an interoperable and structured format for shared use, regarding the implementation of public policies, the provision of public services, the decentralisation of public activity, and the dissemination and access of information by the general public.

However, the sharing of personal data by public entities with private organisations is subject to restrictions, and is only possible:

  • in cases of decentralised execution of public activity that requires the transfer, exclusively for this specific and determined purpose;
  • in cases where the data is publicly accessible, subject to the provisions of the LGPD;
  • when there is a legal provision or the transfer is supported by contracts, covenants, or similar instruments (which must be communicated to the national data protection authority); or
  • in the event that the transfer of data aims exclusively at preventing fraud and irregularities or protecting and safeguarding the security and integrity of the data subject, provided that processing for other purposes is prohibited.

This means that principles such as transparency, minimisation, and necessity are highly applicable to these processing activities as well. The public administration is also subject to the obligations set forth in the LGPD, with some general specificities and exceptions related to pecuniary sanctions. Abuses by the Government, such as surveillance of its citizens and of foreigners when processing personal data, will not be tolerated. All public entities fall under the scope of the LGPD. Currently there is a constitutional amendment bill (PEC 17/2019) in progress which aims to include the protection of personal data among the fundamental rights and to establish the Union's exclusive competence to legislate on the matter, to avoid diffuse control by the judiciary.

How the right definition of legal bases impacts businesses

Within businesses, there are two areas that are most impacted by the correct definition of legal bases: commercial (marketing) and human resources ('HR'), as they often require the processing of a lot of personal data. In the commercial area, there are two profiles of data subjects: one that already has a past relationship with the business, based on a contract or a customer relationship, and another that does not, namely the prospecting of new clients, where the purpose is to generate new leads. For this reason, legal bases such as execution of a contract or legitimate interest are frequently used, depending on whether or not there is a contract regulating the relationship with the data subject.

Regarding HR matters, transparency and awareness must be given during the whole employee life cycle within a company, from the recruitment stage until resignation. The most used legal basis is execution or preliminary procedures of a contract, both for employees and for candidates. Candidates must be presented with privacy notices and have their personal data processed according to the LGPD. Information on how the processing occurs, what happens to the data, and for how long the data will be retained must be provided. The company may even maintain a 'talent bank' for later hires, based on its legitimate interest, although candidates must be informed of this from the beginning of the proceedings. For most processing activities on employees, the execution of the contract will be the legal basis supporting the processing; however, it may differ when sensitive data is processed for the offering of benefits, such as a health insurance plan, or when the company has to retain the data after the dismissal of the employee in order to comply with legal and regulatory obligations.

To conclude, the legal bases may change according to the relation with the data subject and the type of processing activity. It is important to regularly check and update the data flows, offering transparency to the data subjects in order to always be compliant with the LGPD.

Patricia Peck Pinheiro, Partner
Bruna Michele Wozne Godoy, Associate
PG Advogados, São Paulo
https://www.pgadvogados.com.br/