Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

According to Law No. 13,709/2018 (the LGPD), personal data can only be processed and collected when justified in one of the 10 legal bases, which are:

  • consent of the data subject: the LGPD requires the consent to be a prior, free, informed and unambiguous manifestation of the data subject, for a specific purpose. It shall be provided in writing or by another demonstrable means, showing the data subject’s intention. If the data subject’s consent is given by a written declaration, the request for consent shall be presented in a manner clearly distinguishable from the others. Generic authorisations for data processing are considered null and void;
  • when necessary for the performance of a contract or preliminary understandings;
  • when necessary to comply with legal or regulatory obligations imposed on the controller;
  • based on the legitimate interest of the controller or third parties, if the interest or the fundamental rights and freedoms of the data subject are not overridden by such legitimate interest;
  • when necessary for the protection of credit;
  • exercise of rights during a court, administrative or arbitration proceeding;
  • when necessary for the protection of life or physical integrity of the data subject or third party;
  • when necessary for the protection of health, exclusively in procedures conducted by healthcare professionals, health services and sanitary authorities;
  • for research and studies conducted by non-profit research entities; and
  • by the government to perform public policies.
Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

The LGPD establishes a more stringent lawful basis for processing sensitive data. Sensitive personal data is personal data related to an individual in connection with racial or ethnic origin, religious belief, political opinion, trade union, philosophical or political organisation affiliation, health data, sexual life, genetic or biometric data. Processing sensitive personal data may only be carried out:

  • with specific consent, which must be provided separately from other consents that might be sought; or;
  • without consent, in case the processing is required for:
    • compliance with a legal or regulatory obligation;
    • protecting life or the physical safety of the data subject or third parties;
    • lawful exercise of rights, including in contracts and connection with judicial, arbitral or administrative proceedings;
    • protection of health, exclusively in procedures conducted by healthcare professionals, health services and sanitary authorities; or
    • ensuring fraud prevention and data subject’s authenticity, in electronic systems.

Data handling responsibilities of owners of PII


Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Data controllers shall make available to the data subject an easily accessible and detailed privacy notice with information regarding the data processing activities that are carried out. Such privacy notice shall contain clear, adequate and ostensive information including, but not limited to:

  • specific purposes of the data processing; form and duration of the data processing;
  • identification and contact information of the controller;
  • information regarding the shared use of personal data by the controller, to whom and the purpose of why data is shared;
  • responsibilities of the processing agents; and
  • rights of the data subjects.


If requested by the data subject, controllers shall inform and provide to the data subject the personal data they hold. Security incidents that may entail significant risk or damage to data subjects may have to be communicated to the data subject.

Exemption from notification

When is notice not required?

There is no exception to the requirement of making available clear and complete information to data subjects.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

The collection of consent from the data subject shall be related to limited informed purposes. Even when consent is not required, data subjects must be guaranteed with clear, precise, and easily accessible information regarding the processing and the respective processing agents, considering commercial and industrial secrecy.

In addition to the right to have clear information about data processing, controllers shall guarantee that, without any additional cost and at any time, the following data subject rights are observed:

  • confirmation of the existence of the data processing;
  • access to the data;
  • rectification of incomplete, inaccurate or outdated data;
  • anonymisation, blocking, or elimination of data that is unnecessary, excessive, or processed non-compliant with the provisions of Law No. 13,709/2018 (the LGPD);
  • portability of the data to another service provider;
  • withdrawal of his or her consent and erasure of data processed with the data subject’s consent, except where retention is authorised by the LGPD;
  • information on the possibility of not providing consent and on the effects of consent denial; and
  • information regarding public and private legal entities with which the controller has performed shared use of data.


Moreover, when decisions related to PII are made solely based on automated processing, data subjects have the right to request the review of such decisions.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Yes, the LGPD lists a series of principles that must govern every data-processing activity, including:

  • data quality: guarantee to data subjects that their data is accurate, clearly displayed and highlighted, as well as the right to update it, according to the necessity and to fulfil the purpose of its processing;
  • adequacy: compatibility of the data processing with the purposes informed to the data subject; and
  • necessity: limitation on the processing of personal data to the minimum necessary for fulfilling its purpose, using appropriate and proportional data that is not excessive when compared to the purpose of its processing.
Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

There is no specific provision related to the duration of the personally identifiable information PII storage. Controllers shall observe the necessity principle, whereby excessive data shall not be collected.

In addition, the processing of PII shall be legitimised on specific grounds. As a result, data processors shall not process PII if the correspondent legal ground has ended or is not enforceable anymore.

Under the Internet Act, access logs to the internet and internet applications shall be retained for a period of 12 and six months, respectively. Access logs must include the date, time and duration of connections to the internet application.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes. According to the purpose limitation principle imposed by the LGPD, the processing of personal data must be carried out for legitimate, specific and explicit purposes and be communicated to the data subject, observing the established purpose for which the data was collected.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

If the purpose has changed, the controller must inform the individual and observe whether the legal basis initially applied is still compatible with the new purpose. Besides, publicly available personal data may be processed for new purposes, subject to the legitimate purposes of the new processing activity and the rights of the data subject, as well as the principles established by the LGPD.

Law stated date

Correct on

Give the date on which the information above is accurate.

3 May 2021.