Understanding the case brought by LGPD to process personal data
Brazil approved its bill on personal data processing on July 10, 2018. Law Nr. 13709/2018 which, after the provisional measure published on December 27, 2018, will come into effect on August 2020, became known as General Law of Data Protection (LGPD) and addressed personal data processing with the purpose of protecting fundamental rights of freedom and privacy and the free development of the personality of the individual.
The definition of data processing is brought by the Law as every operation with personal data, such as those referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or information control, modification, communication, transfer, diffusion or extraction.
Under this concept, we can understand the extent assigned by the legislator to the definition of processing, thus considering all acts that involve personal data “processing”, so that, the individual or legal entity under public or private law that carries out any of the acts within such concept will be subject to Law Nr. 13709/2018.
In addition to the extent of the processing concept, which allows more agents to be subject to the law, the Law also established that the processing must comply with good faith and principles like purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination and accountability.
The purpose of establishing these principles is to protect the fundamental rights of freedom and privacy and the free development of the holders when their data is processed.
Under the same idea, Law Nr. 13709/2018 provides certain assumptions that authorize personal data processing. The cases described in Clauses 7 and 11 are divided according to the personal data to be processed, with Clause 7 referring to personal data and Clause 11 referring to sensitive personal data.
When verifying the subsections of Clause 7 we can observe that some case that authorize the data treatment were created to meet specific issues, such as the treatment by the Government to carry out the treatment and data that must be shared to implement public policies. The lawful data treatment in judicial, administrative or arbitral proceedings or to comply with legal or regulatory requirements by the controller, as well as the treatment to carry out studies by a research body, which, whenever possible, must anonymize the personal data.
In addition, the Clause sets forth that personal data processing may be carried out for credit protection. This Clause establishes the characteristics of credit protection and stresses the need to observe specific rules on the subject.
The legislator also created cases that allow the data treatment for subjects related to life and health protection. In such cases, the data may be processed to protect the life or physical safety and to protect the health, in procedures performed by health professional or by health entities.
Out of the scope of specific cases that authorize data processing, Clause 7 of Law Nr. 13709/2018 authorizes the data processing when signing a contract or carrying out preliminary procedures related to a contract in which the holder is a party.
This happens in cases when the data must be processed to sign a contract between the data holder and the data controller.
The Protection Law of General Data also provides the legitimate interests of the controller or of a third party as a case authorizing data processing, except when the rights and fundamental freedoms of the holder that require the protection of personal data prevail. Even if there are legitimate interests, a case that may be widely used to justify data processing, the lack of additional information on of its own concept has led to doubts in its interpretation.
To understand this important concept, it is worth noting that this is a new concept inspired by the General Data Protection Regulation (GDPR)1. In this way, the idea of legitimate interest brought by the European Commission:
“A company/organization that often has to process personal data to perform tasks related to its business activities. The personal data processing within this context may not necessarily be justified by a legal obligation or be carried out to enforce the terms of a contract with a party. In such cases, the personal data processing may be justified on grounds of legitimate interest”2
In short, we can understand that to process data based on this case the purpose must be to carry out a business activity that does not necessarily have a legal obligation.
In conclusion, although Clause 7 of the Law has been used to show the cases that authorize personal data processing, it should be worth noting that this greatly mirrors most cases under Clause 11, which provides for cases in which sensitive data can be processed. It should also be emphasized that one must take every precaution necessary when dealing with personal data and even more when dealing with sensitive personal data, considering that this data requires an even more rigorous standard to protect the data’s owners.
¹ EUROPEAN UNION. General Data Protection Regulation 2016/679 of 27 April 2016. On the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC ( General Regulations on Data Protection). The European Parliament and the Council of the European Union.
² European Commission. What does <grounds of legitimate interest?> Mean. Available in: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds legitimate-interest-mean_pt.
Published by Marília Rodrigues