Access, correction and/or erasure

The organization should implement policies, procedures and/or mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII. ... - Licensed content not shown -



Art.6: The operations of personal data processing must be performed in good faith and follow these principles: I – Purpose: Performing the processing for legitimate, specific, and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes; II – Adequacy: Compatibility of the processing with the purposes that the data subject was informed of, according to the context of the processing; III – Necessity: Limitation of processing to the minimum necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data in relation to the purposes of processing; IV – Free Access: Guarantee, to the data subjects, of the ability to easily query free of charge the means and duration of processing, as well as the integrity of their personal data; V – Data Quality: Guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of data, according to the need and to fulfill the purpose of its processing; VI – Transparency: Guarantee, to the data subjects, of clear, precise, and easily-accessible information regarding the processing and the respective processing agents, respecting commercial and industrial secrecy; VII – Security: Use of technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit destruction, loss, change, communication, or dissemination events; VIII – Prevention: Adoption of measures to prevent the occurrence of damage as result of the processing of personal data; IX – Non-Discrimination: Impossibility of processing for illegal or abusive discriminatory purposes; X – Liability and Accountability: Demonstration, by the processing agent, that effective measures capable of proving the observance and compliance with personal data protection rules, including the efficacy of these measures, is adopted. Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6) If testing is not...
Art.18: The data subject has the right to obtain from the controller, relating to the data subject’s data that is processed by the controller, at any time, and upon request: I – Confirmation of the existence of the processing; II – Access to the data; III – Rectification of incomplete, inaccurate, or outdated data; IV – Anonymization, blocking, or elimination of data that is unnecessary, excessive, or processed noncompliant with the provisions of this Law; V – Portability of the data to other providers of services or goods, through express request, in accordance with the regulations of the national authority, observing trade and industrial secrets; (New wording included by Law No. 13,853 of 2019) VI – Elimination of data processed with the data subject’s consent, except in the scenarios outlined in Article 16 of this Law; VII – Information regarding public and private legal entities with which the controller has performed shared use of data; VIII – Information on the possibility of not providing consent and on the effects of consent denial; IX – Withdrawal of consent under the terms of § 5 of Article 8 of this Law. § 1 The data subjects has the right to petition to the National Data Protection Authority against the controller in connection their data. § 2 The data subject may object to the processing performed on the basis of one of the consent waiver scenarios, in case of violation of the provisions of this Law. § 3 The rights outlined in this Article will be exercised through express request by the data subject or their legally-empowered representative, to the processing agent. § 4 If the immediate adoption of the measures referred to in § 3 of this Article is impossible, the controller will send to the data subject a response in which it may: I – Inform that it is not the processing agent and specify, whenever possible, the processing agent; or II – Specify the factual and legal reasons that prevent the adoption of immediate measures. § 5 Requests referred to in § 3 of this Article will be fulfilled without costs for the data subject, within the terms established in regulations. § 6 The responsible must immediately inform processing agents with which it shared use of data regarding the rectification, elimination, anonymization, and blocking of such data, so that processing agents may repeat the same proceeding. (New wording included by Law No. 13,853 of 2019) § 7 The portability of personal data mentioned in item V of the head provision of this Article does not include data that have already been anonymized by the controller. § 8 The right mentioned in § 1 of this Article may also be exercised before consumer protection agencies.
Art.19: The confirmation of the existence of processing or the access to personal data will be provided through request of the data subject: I – In a simplified format and immediately; or II – Through a clear and complete statement specifying the origin of the data, the nonexistence of records, and criteria used for processing, as well as its purpose, respecting commercial and industrial secrecy, provided within at least fifteen (15) days, counting from the date of the data subject’s request. § 1 The personal data will be stored in a format that promotes the exercise of the right to access. § 2 The information and data may be provided, at the discretion of the data subject: I – Through electronic means that are secure and appropriate for such purpose; or II – Through printed means. § 3 When the processing originates from the data subject’s consent or from a contract, the data subjects may request a full electronic copy of their personal data, respecting commercial and industrial secrecy, under the terms of the National Data Protection Authority ‘s regulations, in a format that allows it to be used subsequently, including in other processing operations. § 4 For specific industries, the National Data Protection Authority may establish different terms than those provided in items I and II of the head provision of this Article.