Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Despite the lack of unified rules applicable to data treatment activities, sectoral laws provide for certain principles and requirements that must be observed.

The Consumer Code, for example, establishes that suppliers must abide by the principles of information and transparency, pursuant to which the consumer (ie, data subject) must receive information regarding all relevant aspects of the service or product supplied (including risks, limitations and general characteristics). In addition to such principles, the Consumer Code establishes that the consumer should be made aware if his or her data (including behavioural data) is being added to a database. The same statute allows consumers’ right of access, correction and rectification of information.

The Internet Act provides that personal data will be collected only upon the prior, express and informed consent of the data subject. The data subject must be fully informed, in a clear and direct manner, of the collection, use, storage and processing of his or her data by internet applications, which can be made only:

  • for justifiable reasons;
  • if not otherwise prohibited by law; and
  • if allowed by the relevant terms of service or privacy policy.

In this regard, internet application providers must expressly detail what type of personal data is collected and how they intend to collect, use and treat such information.

The Internet Act states that internet connection providers are required to retain user connection logs for a minimum period of 12 months. Connection logs must include the date, time and duration of an internet connection, as well as the corresponding IP address. Internet application providers (ie, those that offer any kind of functionality to their users through the Internet, such as social networks or e-commerce websites) will store access logs for at least six months.

As a rule, there must be a reasonable correlation between the information collected and the purpose for which the notice or consent to collect data is given. Personal data (including log records) must be kept in secrecy and be disclosed only with the individual’s consent, a valid court order or if otherwise expressly allowed by law.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The Consumer Code establishes that negative credit information may not be stored for a period longer than five years. Under the Internet Act data minimisation principle, internet application providers may retain personal data that is needed for the offer of the services or products. Information will be deleted:

  • as soon as the purpose of use is reached;
  • at the end of the period determined by legal obligation; or
  • at the data subject’s request when the relationship terminates.

Brazilian courts have not yet recognised a general right to be forgotten. 

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, individuals have the right to access, correct and rectify personal data that is held by an organisation.

Do individuals have a right to request deletion of their data?

The Internet Act guarantees data subjects’ rights to request the deletion of their personal data. This right is available only on the termination of an agreement with the service provider. Service providers are not obliged to delete information that may be required to comply with a legal obligation.

Consent obligations

Is consent required before processing personal data?

If personal data is collected under a consumer relationship, a previous notice is required. If data is collected online, the Internet Act requires the previous, express and informed consent of the individual. Organisations should be able to demonstrate how and when notice or consent has been given.

If consent is not provided, are there other circumstances in which data processing is permitted?

Despite the fact that neither the Consumer Code nor the Internet Act provide for any derogations of the notice and consent requirement, the courts have been issuing decisions authorising the use of publicly available information without restrictions (ie, with no need to inform or seek consent). However, this is still a controversial matter and the use of publicly available data should be assessed on a case-by-case basis. Another aspect to consider is the processing of anonymised data. Despite the lack of laws and court decisions on the matter, and depending on the circumstances of the case, the processing of anonymised data without consent could be viable. Employees’ data may be treated by employers, regardless of an employee’s consent, for managing the employee relationship. Inter-company national or international transfer of employee data for the same purpose is also possible.

What information must be provided to individuals when personal data is collected?

As a rule, data subjects should receive clear and comprehensive information regarding the collection, use, storage and processing of personal data. Therefore, the following must be laid out in privacy policies:

  • the type of information collected and circumstances that may allow its transfer to third parties;
  • how and for what purpose the information is collected;
  • how the organisation will use, treat, process and transfer personal data;
  • what the organisation can do with the information;
  • how long the information will be treated or stored;
  • data controller contact information;
  • the level of protection afforded to the collected information (eg, safety standards adopted by the organisation); and
  • how the individual can reach the company in order to revoke consent, if applicable.

The courts have been systematically striking down privacy policy provisions that imply a waiver of all or substantially all of an individual’s privacy rights. As a result, organisations should be cautious as to how far they want to go in using data subjects’ data.

Click here to view the full article.