Identify lawful basis
The organization should determine, document and comply with the relevant lawful basis for the processing of
PII for the identified purposes.
- Licensed content not shown -
Art.6: The operations of personal data processing
must be performed in good faith and follow these
I – Purpose: Performing the processing for legitimate,
specific, and explicit purposes that the data subject
is informed of, without the possibility of further
processing in a manner that is incompatible with
II – Adequacy: Compatibility of the processing with
the purposes that the data subject was informed of,
according to the context of the processing;
III – Necessity: Limitation of processing to the
minimum necessary for fulfilling its purposes, using
pertinent, proportional and non-excessive data in
relation to the purposes of processing;
IV – Free Access: Guarantee, to the data subjects, of
the ability to easily query free of charge the means
and duration of processing, as well as the integrity
of their personal data;
V – Data Quality: Guarantee, to the data subjects,
of accuracy, clarity, relevance, and updating of data,
according to the need and to fulfill the purpose of its
VI – Transparency: Guarantee, to the data subjects,
of clear, precise, and easily-accessible information
regarding the processing and the respective
processing agents, respecting commercial and
VII – Security: Use of technical and administrative measures suitable to protect personal data from
unauthorized access and accidental or illicit
destruction, loss, change, communication, or
VIII – Prevention: Adoption of measures to prevent
the occurrence of damage as result of the
processing of personal data;
IX – Non-Discrimination: Impossibility of processing
for illegal or abusive discriminatory purposes;
X – Liability and Accountability: Demonstration,
by the processing agent, that effective measures
capable of proving the observance and compliance
with personal data protection rules, including the
efficacy of these measures, is adopted.
Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6)
If testing is not...
Art.7: The processing of personal data may only be
performed in the following scenarios:
I – Through the provision of consent by the data
II – For the compliance with legal or regulatory
obligation on the part of the controller;
III – By the public administration, for the processing
and shared use of data deemed as necessary for
the execution of public policies outlined in laws and
regulations or supported by contracts, agreements,
or similar instruments, following the provisions of
Chapter IV of this Law;
IV – To perform studies by research organizations,
ensuring, whenever possible, the anonymization of
the personal data;
V – When necessary for the performance of an
agreement or preliminary procedures relating to an
agreement to which the data subject is party, at the
request of the data subject;
VI – For the regular exercise of rights in court,
administrative, or arbitration proceedings,
considering that arbitration proceedings must follow
the provisions of Law 9,307, dated of September 23,
1996 (Arbitration Law); VII – For the protection of life or the physical safety
of the data subject or third party;
VIII – For the protection of health, exclusively, in
procedures performed by health care professionals,
health services or sanitary authorities; (New wording
included by Law No. 13,853 of 2019)
IX – When necessary to meet the legitimate
interests of the controller or third party, except
in cases where the data subject’s fundamental
rights and freedoms that require the protection of
personal data prevail;
X – For the protection of credit, including in relation
to the provisions of relevant
§ 1 (Revoked). (New wording included by Law No.
13,853 of 2019)
§ 2 (Revoked). (New wording included by Law No.
13,853 of 2019)
§ 3 The processing of personal data whose access
is public must consider the purpose, good faith, and
public interest that justify its availability.
§ 4 The requirement to obtain consent outlined in
the head provision of this Article is waived for in case
of data made manifestly public by the data subject,
preserving the data subject’s rights and the principles
outlined in this Law § 5 Controller that obtain the consent referred to in
item I of the head provision of this Article that need
to communicate or share personal data with another
controller must obtain specific consent from the data
subject for this purpose, except in the consent waiver
scenarios outlined in this Law.
§ 6 An eventual waiver of the requirement for consent
does not relieve the processing agents from the
other obligations outlined in this Law, especially the
obligation to comply with the general principles and to
guarantee the data subject’s rights.
§ 7 The subsequent processing of the personal data
referred to in § § 3 and 4 of this Article may be carried
out for new purposes, provided that the legitimate
and specific purposes for the new treatment and the
preservation of the rights of the holder are observed,
as well as the principles and grounds set forth in this
Law. (Included by Law No. 13,853 of 2019)
Art.11: The processing of sensitive personal data
may only be performed in the following scenarios:
I – When the data subject or their legal guardian
consents, in a specific and explicit manner, for
specific purposes; II – Without the provision of the data subject’s
consent, in scenarios in which it is indispensable for:
a) The compliance with legal or regulatory
obligation on the part of the controller;
b) Shared processing of data deemed necessary
for the execution, by the public administration, of
public policies outlined in laws and regulations;
c) In conducting studies by research
organizations, ensuring, whenever possible, the
anonymization of the personal data;
d) The regular exercise of rights in court,
administrative, or arbitration proceedings;
considering that arbitration proceedings must
follow the provisions of Law 9,307, dated of
September 23, 1996 (Arbitration Law);
e) The protection of life or the physical safety of
the data subject or third party;
f) The protection of health, exclusively,
in procedures performed by health care
professionals, health services or sanitary
authorities; or (New wording included by Law No.
13,853 of 2019)
g) Ensuring fraud prevention and data subject’s
safety, in the identification and authentication
process of registration in electronic systems,
preserving the rights mentioned in Article 9 of this
Law and except in cases where the data subject’s
fundamental rights and freedoms require the
protection of personal data prevail.
§ 1 The provisions of this Article apply to any
processing of personal data that reveal sensitive
personal data and that may cause damage to the data
subject, with the exception of the provisions of specific
§ 2 In cases when letters “a” and “b” of item II of the
head provision of this Article are applied by public legal
entities and bodies, the aforementioned waiver of
consent under the terms of item I of the head provision
of Article 23 of this Law will be disclosed.
§ 3 The communication or shared use of sensitive
personal data between controllers with the purpose
of obtaining economic advantages may be subject
to prohibition or regulation by the National Data
Protection Authority, consulting the public authorities’
sectorial bodies, within the scope of their powers.
§ 4 The communication or shared use of sensitive
personal related to health between controllers with
the purposes of obtaining economic advantages is prohibited, except when related to the provision of
health services, pharmaceutical assistance and health
care, provided that § 5 of this Article is observed,
including auxiliary services of diagnosis and therapy, to
the benefit of the data subjects’ interest, and to allow:
(New wording included by Law No. 13,853 of 2019)
I – data portability when the data subject requests;
or (New wording included by Law No. 13,853 of 2019)
II – the financial and administrative transactions
resulting from the use and provision of the services
referred to in this paragraph. (New wording included
by Law No. 13,853 of 2019)
§ 5 The operators of private health care plans are
prohibited from processing health data for the practice
of risk selection in the engaging of any modality, as well
as in the inclusion or exclusion of beneficiaries. (New
wording included by Law No. 13,853 of 2019)
CCPA (US, CA)
S.1798.105.d: (d) A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:
(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
(3) Debug to identify and repair errors that impair existing intended functionality.
(4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
(8) Comply with a legal obligation.
(9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
S.1798.120: (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
(b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the right to opt out of the sale of their personal information.
(c) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.
(d) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”
S.1798.125: (a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:
(A) Denying goods or services to the consumer.
(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(C) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title.
(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
(2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.
(b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
(2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135.
(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.
(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
APP (Australian Privacy Principles)
PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada
DPP (Data Protection Principles) - Hong Kong
Personal Data Protection Act - Singapore
Personal Information Protection Act - South Korea
Turkish Data Protection Law numbered 6698