Brazil
organizational to safeguard personal data, including measures related to international data transfers, and guide employees, contractors, and other relevant stakeholders on best practices for personal data protection, reinforcing organizational awareness and accountability. Importantly, the resolution emphasizes that, despite the DPO’s central role in promoting measures compliance, the DPO is not personally liable before the ANPD for the lawfulness of the controller’s processing activities, as ultimate responsibility remains with the data processing agents themselves. Requirements for Data Processing 5.1. Grounds for collection and processing https://klalaw.com.br/en/home/ (iii) by the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments, subject to the provisions of Chapter IV of this Law; The LGPD provides that personal data processing activities carried out by entities may only be performed when relying on the following legal basis: (i) when the data subject has consented to the processing; (ii) or the compliance with legal or regulatory obligations by the controller;
(iv) for carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data; (v) when necessary for the execution of a contract or preliminary procedures relating to a contract to which the data subject is a party; (vi) for the regular exercise of rights in judicial, administrative, or arbitral proceedings; (vii) for the protection of life and physical integrity of the data subject or third parties; (viii) for the protection of health, in procedures performed by professionals of the health area or by sanitary entities; (iX) when necessary to comply with the legitimate interests of the controller or of a third party, except when the fundamental rights and freedoms of the data subject prevail; and (x) for the protection of credit. The art. 11 of the LGPD states that the processing of sensitive personal data can only be carried out: (i) with the express consent of the data subject or person responsible, for specific purposes or; without the consent of the data subject, in cases where it is indispensable for:
Made with FlippingBook - PDF hosting