
LGPD: What does the General Data Protection Law say?

Legal bases for collection in accordance with the General Data Protection Law.

What is LGPD?


The General Data Protection Law, which came into force in September 2020, is the national law that establishes guidelines on the collection, use, storage and sharing of personal data, including in digital media, imposing sanctions in cases of non-compliance. Its objective is to protect the fundamental rights of freedom and privacy and the free development of the natural person’s personality.

Who needs to apply the LGPD?


All businesses, of any size, that use or store personal data, i.e. public information, must comply with the General Data Protection Law.

This means that every company that creates or uses customer, employee or supplier registrations must apply the LGPD in its management.

What are Legal Bases?

Legal bases are the hypotheses in which the General Data Protection Law authorizes the processing of personal data. This means that companies that use and process personal data outside of the legal bases do so illegally and are subject to fines, in addition to other sanctions provided for in Law 13,709.

In practice, compliance with legal bases is the key point for companies to have more transparent and fair relationships with consumers.

The LGPD has 10 legal bases. They are:

It is important to highlight that no legal basis overrides another, and therefore there is no dependence or predominance between them, and the User must verify which hypothesis is appropriate for the case of data collection carried out by their company.

It is also worth noting that the purposes for collecting and processing data must be clear and accessible to the data subject.

1. CONSENT

It is characterized by the clear and unequivocal declaration that the holder agrees to the use of his/her data for the purposes proposed by the company. The Holder, therefore, must expressly agree to the provision of his/her data, as well as to its use by the company, for the purposes described.

2. COMPLIANCE WITH LEGAL OR REGULATORY OBLIGATIONS BY THE CONTROLLER

This legal basis refers to the fulfillment of a legal obligation by the controller. This means that, according to current legislation, the controller is obliged to collect user data.

Ex: a company that has a legal obligation to submit the Income Tax Withheld at Source Declaration (DIRF) relating to its employees.

3. BY THE PUBLIC ADMINISTRATION

Exclusive hypothesis for the processing and shared use of data necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements and other instruments.

In this case, the purpose is to implement public policies, and the Public Administration must follow specific procedures to process data with this information.

4. CONDUCTING STUDIES BY RESEARCH AGENCIES

The General Data Protection Law defines research bodies as:

XVIII – research body: body or entity of the direct or indirect public administration or a non-profit private legal entity legally constituted under Brazilian laws, with headquarters and jurisdiction in the country, which includes in its institutional mission or in its social or statutory objective basic or applied research of a historical, scientific, technological or statistical nature;

Still, according to the same provision, whenever possible, anonymity must be guaranteed to the data subject.

5. FOR EXECUTION OF CONTRACTS

In this case, personal data may be processed in order to comply with an obligation established in the contract, or when data processing is necessary for the validation and commencement of an agreement.

Ex: To contract Rizer’s services, it is necessary to provide personal data to formalize the contract (contractor data, billing data, etc.).

6. FOR REGULAR EXERCISE OF LAW

The controller may keep personal information about the holder in its database in order to eventually defend itself against any judicial, administrative or arbitration proceedings.

Ex: Storage of former employee data by the former employer, to protect against possible labor lawsuits.

However, it is necessary to observe the LGPD data processing principles, highlighting the need and purpose.

7. FOR THE PROTECTION OF THE LIFE OR PHYSICAL INTEGRITY OF THE HOLDER OR A THIRD PARTY

It is possible to justify the collection and/or processing of personal data in cases where its use is of vital interest, whether of the data subject or of third parties.

 
