
Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Generally, personal data can be collected only with the prior, informed and written consent of the data subject.

Consent is not required in the following cases:

  • when expressly allowed by law;
  • when the personal data is available in public access sources;
  • when personal data has been dissociated;
  • when the collection of personal data is needed for compliance with obligations derived from a legal relationship between the data subject and the data owner;
  • when there is an emergency situation that jeopardises the individual or the commodities of the data subject; and
  • when the collection of personal data is necessary for medical attention or diagnosis or for rendering sanitary assistance, medical treatment or sanitary services, provided that the data subject is unable to consent and provided that the data is collected by a person subject to legal professional privilege.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

There is a general rule regarding the period for which an organisation must retain records, which states that records containing personal data must be retained only for the period necessary for the completion of the purpose for which the data was collected.

Article 37 of the regulations of the Federal Law for the Protection of Personal Information in Possession of Private Entities provides that the period for retaining records must not exceed the period necessary for completion of the purpose for which the data was collected. To determine the applicable period, data owners must pay attention to any legal provisions applicable to the sort of data collected and also consider the administrative, tax, legal and historical aspects of the data.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, the legislation concerning personal information recognises and protects the rights of access, rectification, cancellation and opposition.

Do individuals have a right to request deletion of their data?

Yes, the legislation concerning personal information recognises and protects the rights of access, rectification, cancellation and opposition.

Consent obligations

Is consent required before processing personal data?

Yes, the legislation concerning personal information requires prior, informed and express consent, either in writing or through electronic means.

If consent is not provided, are there other circumstances in which data processing is permitted?

Consent is not required in the following cases:

  • when expressly allowed by law;
  • when personal data is available in public access sources;
  • when personal data has been dissociated;
  • when the collection of personal data is needed for compliance with obligations derived from a legal relationship between the data subject and the data owner;
  • when there is an emergency situation that jeopardises the individual or the commodities of the data subject; and
  • when the collection of personal data is necessary for medical attention or diagnosis or for rendering sanitary assistance, medical treatment or sanitary services, provided that the data subject is unable to consent and provided that the data is collected by a person subject to legal professional privilege.

What information must be provided to individuals when personal data is collected?

The legislation concerning personal information requires data owners to provide the following information in a privacy notice:

  • the identity and place of domicile of the data owner;
  • the purpose of the data collection;
  • the options and means offered by the data owner to the data subject, to limit the access, use, sharing and transfer of his or her data;
  • the means by which the data subject can enforce his or her rights of access, rectification, cancellation and opposition;
  • detailed information as to the data transfers that the data owner is willing to make, involving personal information, expressly indicating the name of the data processor and the type and category of activity sector of the latter and expressly indicating the purpose of such transfer. Also, when required, a clause indicating whether the data subject consents to the data transfer;
  • the options and means offered by the data owner to the data subject to revoke his or her consent for the collection of personal information;
  • an express mention, made at the time of collecting such information, that appropriate personal information is being collected;
  • information regarding the administrative, physical and technological measures implemented by the data owner, in order to protect the information collected;
  • information regarding the use of cookies, web beacons and any other technology that allows the collection of personal information from the data subject, as well as information regarding how to deactivate such data collection; and
  • information regarding any proceedings set forth by the data owner, in order to inform data subjects as to any changes to the privacy notice.
