Obtain and record consent
The organization should obtain and record consent from PII principals according to the documented
processes.
...
- Licensed content not shown - LGPD (BRA)
Art.8: The consent outlined in item I of Article 7
of this Law must be provided in writing or by another
demonstrable mean that shows data subject’s
expression of intention. § 1 If the consent is provided in writing, it must be
contemplated in a clause separated from the other
contractual clauses.
§ 2 The burden of proof demonstrating that the
consent was obtained according to the provisions of
this Law lies on the controller.
§ 3 The processing of personal data based on an
irregular consent is prohibited.
§ 4 The consent must refer to determined purposes,
and generic authorizations for personal data
processing will be void.
§ 5 Consent may be revoked at any time through an
express manifestation of the data subject, through
an easy and free-of-charge process; it is ratified the
processing performed under the consent previously
given while there is no request for elimination, under
the terms of item VI of this head provision of Article 8
of this Law.
§ 6 In case of changes to the information referred
to in items I, II, III, or V of Article 9 of this Law, the
controller must inform, in a specific and highlighted
manner, the content of the referred amendment to the
data subjects, whom, in cases in which their consent
is requested, may revoke it if they disagree with the
change. Art.11: The processing of sensitive personal data
may only be performed in the following scenarios:
I – When the data subject or their legal guardian
consents, in a specific and explicit manner, for
specific purposes; II – Without the provision of the data subject’s
consent, in scenarios in which it is indispensable for:
a) The compliance with legal or regulatory
obligation on the part of the controller;
b) Shared processing of data deemed necessary
for the execution, by the public administration, of
public policies outlined in laws and regulations;
c) In conducting studies by research
organizations, ensuring, whenever possible, the
anonymization of the personal data;
d) The regular exercise of rights in court,
administrative, or arbitration proceedings;
considering that arbitration proceedings must
follow the provisions of Law 9,307, dated of
September 23, 1996 (Arbitration Law);
e) The protection of life or the physical safety of
the data subject or third party;
f) The protection of health, exclusively,
in procedures performed by health care
professionals, health services or sanitary
authorities; or (New wording included by Law No.
13,853 of 2019)
g) Ensuring fraud prevention and data subject’s
safety, in the identification and authentication
process of registration in electronic systems,
preserving the rights mentioned in Article 9 of this
Law and except in cases where the data subject’s
fundamental rights and freedoms require the
protection of personal data prevail.
§ 1 The provisions of this Article apply to any
processing of personal data that reveal sensitive
personal data and that may cause damage to the data
subject, with the exception of the provisions of specific
laws.
§ 2 In cases when letters “a” and “b” of item II of the
head provision of this Article are applied by public legal
entities and bodies, the aforementioned waiver of
consent under the terms of item I of the head provision
of Article 23 of this Law will be disclosed.
§ 3 The communication or shared use of sensitive
personal data between controllers with the purpose
of obtaining economic advantages may be subject
to prohibition or regulation by the National Data
Protection Authority, consulting the public authorities’
sectorial bodies, within the scope of their powers.
§ 4 The communication or shared use of sensitive
personal related to health between controllers with
the purposes of obtaining economic advantages is prohibited, except when related to the provision of
health services, pharmaceutical assistance and health
care, provided that § 5 of this Article is observed,
including auxiliary services of diagnosis and therapy, to
the benefit of the data subjects’ interest, and to allow:
(New wording included by Law No. 13,853 of 2019)
I – data portability when the data subject requests;
or (New wording included by Law No. 13,853 of 2019)
II – the financial and administrative transactions
resulting from the use and provision of the services
referred to in this paragraph. (New wording included
by Law No. 13,853 of 2019)
§ 5 The operators of private health care plans are
prohibited from processing health data for the practice
of risk selection in the engaging of any modality, as well
as in the inclusion or exclusion of beneficiaries. (New
wording included by Law No. 13,853 of 2019) Art.14: The processing of personal data of children
and teenagers must be performed on their best
interest, under the terms of this Article and relevant
legislation.
§ 1 The processing of personal data of children must
be performed with the specific and explicit consent
provided by at least one of the parents or legal
guardian.
§ 2 In processing the data under the provision of § 1 of
this Article, the controllers must permanently disclose
all information regarding the types of collected data,
the way they are used, and the procedures for the
exercise of rights under Article 18 of this Law.
§ 3 The personal data of children may be collected
without the consent referred to in § 1 of this
Article when the collection is necessary to contact the
parents or legal guardian, and data is used only once
and without being stored, or to protect them, and in
no case data may be given to third parties without the
consent under the provisions of § 1 of this Article.
§ 4 Controllers must not require data subjects referred
to § 1 of this Article to provide information in order to
participate in games, internet applications, or other
activities beyond those information strictly necessary
for the activity.
§ 5 Controller must undertake all reasonable efforts to
verify that the consent referred to in § 1 of this Article
was provided by one of the parents or legal guardian of
the children, considering available technology.
§ 6 The information on the processing of data referred
to in this Article must be provided in a simple, clear and
accessible manner, considering the physical-motor, perception, sensory, intellectual, and mental
characteristics of the user, with the use of audiovisual
resources when appropriate, in order to provide the
necessary information to the parents or legal guardian
and adequate information for the understanding of the
children. Art.33: The international transfer of personal data
will only be permitted in the following cases:
I – To countries or international organizations that
offer a level of protection of personal data that is
adequate to the protection provided in this Law;
II – When the controller offers and proves
guarantees of compliance with the principles, the
rights of the data subject, and the data protection
regime outlined in this Law, in the form of:
a) Specific contractual clauses for a particular
transfer;
b) Standard contractual clauses;
c) Binding corporate rules;
d) Certificates, and codes of conduct regularly
issued; III – When necessary for international legal
cooperation between government intelligence,
investigation, and prosecution bodies, according to
instruments of international law;
IV – When necessary for the protection of life or the
physical safety of the data subject or third party;
V – When authorized by the National Data
Protection Authority;
VI – When resulting from a commitment made in an
international cooperation agreement;
VII – When necessary for the execution of a public
policy or the fulfillment of a government legal duty,
being publicly disclosed under the terms of item I of
the head provision of Article 23 of this Law;
VIII – When the data subject has provided specific
and highlighted consent for the transfer, with prior
information on the international character of the
operation, clearly distinguishing this from the other
purposes; or
IX – When necessary to answer to scenarios
outlined in items II, V, and VI Article 7 of this Law.
Sole Paragraph. For the purposes of item I of this
Article, public legal entities referred to in the sole
paragraph of Article 1 of Law. 12,527, dated of
November 18, 2011 (Information Access Law), within
the scope of their legal powers, and responsible
individuals, within the scope of their activities, may
request from the National Data Protection Authority an
evaluation of the level of protection of personal data
provided by a country or international organization. APP (Australian Privacy Principles)
PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada
DPP (Data Protection Principles) - Hong Kong
Personal Data (Privacy) Ordinance - Hong Kong
Personal Data Protection Act - Singapore
Personal Information Protection Act - South Korea
Turkish Data Protection Law numbered 6698