In less than a year, more precisely on August 16, 2020, the Brazilian Data Protection Law No. 13.709/18, also known as “LGPD”, will enter into force, bringing Brazil into a global context aimed at protecting data subjects’ rights and imposing on individuals and legal entities a number of obligations to be observed when processing personal data.
In this regard, LGPD lists ten lawful bases for processing (set out in Article 7). It should be clarified that legitimacy is achieved even if only one of the legal requirements is met, as well as when they are cumulatively considered under the law; thus, meeting one of the requirements is sufficient for the processing to be lawful.
However, the lawful basis applicable to each purpose needs to be clear to the data subject and must be documented. The controller must therefore be able to demonstrate that the processing activity is based on one of the ten lawful bases provided for in the LGPD, as determined by the accountability principle, also provided for in the LGPD.
The first lawful basis considers the consent of the data subject as a legitimate means for the processing of personal data. “Consent” in this case means the free, informed and unambiguous indication of the data subject’s agreement, which must be obtained on the basis of transparency, without requiring any compensation from the data subject and in a way that leaves no doubt that such authorization was obtained.
Information about the processing of personal data should be provided in clear, simple and objective language, and always in Portuguese. Where consent is designated as the legal basis for data processing, it should be noted that consent can be withdrawn by the data subject at any time.
Data processing may also be necessary to comply with a legal or regulatory obligation, which constitutes the second legal basis provided for in LGPD (Article 7, II). For this purpose, it is necessary to identify the specific or appropriate legal standard that clearly demonstrates the obligation. On the other hand, public administration bodies, public authorities or companies that need to process personal data in order to execute public policies (regarding health, education, housing, among others) can support the processing of data on another legal requirement, as described in Article 7, III, LGPD.
Research bodies, as defined in Article 5, XVIII, LGPD, with the exclusive purpose of conducting basic or applied research of a historical, scientific, technological or statistical character, preferably with the data anonymized, can also process personal data, as long as the processing is based on Article 7, IV, LGPD.
In situations where data processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, the legal basis indicated is the one provided in Article 7, V, of the LGPD.
The sixth legal basis consists of data processing necessary for the regular exercise of rights in judicial, administrative or arbitral proceedings (Article 7, VI, LGPD). This requirement also applies as a legal basis to support the retention of data for an additional period after the termination of the relationship between the controller and the data subject, using as a parameter the statute of limitations for each situation.
Next, we have the lawful basis that covers life or death situations, which serves to protect the vital interests of the data subject. Once these situations are identified, the data processing activity can be supported under Article 7, VII, LGPD, without prior consent from the data subject. Another requirement in the health and welfare scope that supports personal data processing is the one regarding health protection (Article 7, VIII, LGPD), which provides protection in a procedure conducted by health professionals or by health entities, but only for non-economic purposes.
Another lawful basis for processing personal data provided for in Article 7 is legitimate interest. Although the concept of legitimate interest itself is valid, it is a more flexible requirement of the law, because it is not restricted to a particular purpose, offering the opportunity of being used in some circumstances. By contrast, it demands more caution from the controller, who must always apply the highest degree of security and protection of the rights, fundamental guarantees and freedom of data subjects.
That means it is not enough to claim that there is a legitimate interest: one should record and defend this position if there is any question, considering that the administrative authority may request a data protection impact assessment from the agents involved.
Finally, the last legal requirement for the processing of personal data is related to credit protection (Article 7, X, LGPD), when performing credit analysis based on information about default of the data subjects, always in compliance with the Brazilian Code of Consumer Defense (Law No. 8.078/90) and Law No. 12.414/11, which regulates the creation and consultation of databases with information for the development of credit history.
Having briefly outlined all the requirements that legitimize data processing, the criteria of which apply not only to private initiative but also to public authorities, we emphasize that there is no hierarchy between the requirements; that is, there is not one lawful basis that is more important than the others.
The key issue is to think about the purposes of the data processing and the relationship with the individual, in order to determine the most appropriate lawful basis to support such purpose, according to the circumstances. Any processing activity that does not fit one of the lawful bases provided for in Article 7 of the LGPD is considered unlawful and may result in penalties for those who do not perform the processing activities in the manner provided by LGPD.