ILN Data Privacy Paper

Brazil

4. for studies carried out by research bodies, guaranteeing, whenever possible, the anonymization of sensitive personal data; 5. regular exercise of rights, including in contracts and in judicial, administrative, and arbitration proceedings; 6. protection of the life or physical safety of the data subject or a third party; 7. protection of health, exclusively in procedures carried out by health professionals, health services or health authorities; or 8. guaranteeing the prevention of fraud and the security of the data subject in processes of identification and authentication of registration in electronic systems. Remarks on Consent: The LGPD defines consent as a freely given, informed, and unambiguous indication that the data subject agrees with the processing of their personal data for informed purposes. Consent must always be given in writing or by other means that evidence the effective manifestation of the data subject’s free will, always under a clause separate from other contractual clauses and shall relate to determinate purposes, provided that any generic consent shall be deemed null. The data subject may, at any time, revoke their consent through a free and facilitated procedure that must be made available by the controller.

5.2. Data storage and retention timelines Article 15 of the LGPD stipulates that personal data processing must cease upon the occurrence of any of the following conditions: (i) the purpose for processing the personal data has been achieved, or the data is no longer necessary or relevant for that specific purpose; (ii) the designated processing period concludes; (iii) the data subject requests the termination of processing, including as part of their right to withdraw consent, while considering public interest; or (iv) the ANPD mandates cessation due to a breach of the LGPD's regulations. The LGPD mandates that, following the conclusion of personal data processing activities, the personal data must be deleted within the operational and technical constraints of these activities. However, personal data retention is permitted under specific conditions: (i) to fulfill a legal or regulatory obligation by the controller; (ii) for research purposes by a research entity, ensuring anonymization of the personal data whenever possible; (iii) for transfer to a third party, subject to adherence to the LGPD's data processing requirements; or (iv) for the controller's exclusive use, without third-party access, provided the data is anonymized. 5.3. Data correction, completion, updating or erasure of data As established in Section 6.1, Article 18 of the LGPD grants data subjects

https://klalaw.com.br/en/home/

Made with FlippingBook - PDF hosting