Legal Bases for Processing of Personal Data
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 3 January 2025

The following are potential legal bases for processing personal data:

☒        the data subject has provided consent to the processing for the identified purposes

☒        the personal data is necessary to perform a contract with the data subject

☒        the personal data is necessary to comply with a legal obligation

☒        the personal data is necessary to protect the vital interests of a natural person

☒        the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)

☒        other

Under Article 7 of the LGPD, the following are additional legal bases for processing non-sensitive data:

  • The personal data is necessary for the performance of public policies by the public administration (government bodies)
  • The personal data is necessary for the performance of studies by research organizations, and, when possible, the personal data should be anonymized
  • The personal data is necessary for the regular exercise of rights in legal, administrative or arbitral proceedings
  • The personal data is necessary for the protection of health and for proceedings performed by healthcare professionals or by health entities
  • The personal data is necessary for credit protection

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 3 January 2025

Yes

The following are potential legal bases for processing special categories of personal data:

☒        the data subject has given consent to the processing, where consent is held to a higher standard than for non-sensitive personal data (for example, an additional requirement for consent to be "explicit")

☒        processing is necessary for the establishment, exercise or defense of legal claims

☒        processing is necessary for reasons of substantial public interest

☒        processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

☒        processing is necessary for reasons of public interest in the area of public health

☒        other

Article 11 of the LGPD sets forth separate legal bases to process sensitive data, as follows:

a. Free, informed and unequivocal consent by the data subject, and such consent must be specific and highlighted, and shall refer to specific purposes, or

b. Without consent from the data subject, where it is required for:

  1. Compliance with legal or regulatory obligations by the data controller
  2. The shared processing of data as required by public administration to carry out public policies that are set forth in laws and regulations
  3. Studies and research conducted by research institutions, in which case the anonymization of sensitive data should be guaranteed whenever possible
  4. The regular exercise of rights, including in contracts and in lawsuits, administrative proceedings or arbitration
  5. The protection of life or physical integrity of the data subject or third parties
  6. The protection of health, solely in proceedings carried out by health professionals or health services, or
  7. Preventing fraud and guaranteeing the security of data subjects in proceedings for identification or authentication in electronic systems, provided that data subjects' rights are protected, and except where the fundamental rights and freedoms of data subjects that require the protection of personal data prevail.

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 3 January 2025

Yes.

A minor within the meaning of data privacy laws is a person below the age of 18.

The LGPD establishes specific requirements for the processing of data from children and adolescents.

According to Brazil's Child and Adolescent Statute, a child is any person up to 12 years of age, and an adolescent is any person between 13 and 18 years of age. Therefore, both are considered minors for purposes of the law, and the LGPD imposes special requirements in relation to personal data of minors.

According to the Brazilian Civil Code, only individuals over the age of 18 are capable of binding themselves personally. Minors under 16 are considered absolutely incapable, while those between 16 and 18 are considered relatively incapable (i.e., they can bind themselves with the assistance of their parents or guardians).

In 2023, the ANPD published a statement providing a standardized interpretation on the application of legal bases for the processing of children's and adolescents' personal data. According to the ANPD, the processing of minors' data can be based on the legal bases provided in Articles 7 and 11 (i.e., general legal bases for the processing of non-sensitive and sensitive personal data), as long as the minors' best interests are observed (to be assessed on a case-by-case basis).

The Guide on Legitimate Interest, published in February 2024, contains a chapter dedicated to the use of legitimate interest in the processing of children's and adolescents' data. The ANPD recommended carrying out a balancing test, similar to the legitimate interest assessment, as a method to assess the existence of the best interests of the child and/or adolescent and to keep a record of the reasons for carrying out the processing.

In what circumstances do these special requirements apply?

Last review date: January 2025

☒        generally

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 3 January 2025

☒       additional data subject rights are granted to minors (e.g., deletion, access, transparency)

Controllers must process personal data of children and adolescents only in their best interests. They must make information about the data categories collected, the use of such data, and the procedures to exercise data subject rights publicly available.

Furthermore, information about data processing must be provided in a simple, clear, and accessible manner, taking into account the physical, perceptive, sensory, intellectual, and mental characteristics of the user. The use of audio-visual resources may be appropriate in some instances and parents or legal representatives must be provided with the necessary information.

☒       other

Where consent is required, personal data relating to children may nevertheless be collected without consent if the collection is necessary to contact the parents or legal representative, provided that the personal data is used only once and is not stored, or if it is necessary for the child's protection. In this scenario, personal data cannot be transferred to third parties without consent.

The data controller must not make a data subject's participation in games, internet applications, or other activities conditional upon the provision of personal data beyond what is strictly necessary for participating in the activity.

Where consent is needed, the data controller must make every reasonable effort to verify whether the consent was given by the child's representative, considering the available technologies.