At the beginning of everything are the legal bases of the LGPD, that is, the legal grounds (legitimate reasons) why companies not only can, but must access customer data in order to do their jobs well. You might wonder, isn’t selling a product or providing a service a legitimate reason to use customer data? What if I need this information in order to meet the terms of a contract? And in fact, both of these are examples of situations addressed by the legal bases of the LGPD.
These ten legal bases describe the conditions that justify the use of personal data, and they were designed to encompass all of the various hypothetical reasons data usage may be necessary. They are the structural basis that supports the ethical use of data, in order to prevent this same legislation from becoming a subterfuge used to circumvent other equally essential regulations.
Your task as manager or the person in charge of your company's data is to find among these ten the basis that best suits your business model and other governing legislation to which your company is subject. This applies to all possible steps included in data processes within your company, such as:
Remember, we are talking about the right to privacy in the context of data that not only identifies the citizen, but also assigns them to behavioral and demographic matrices.
According to the LGPD, sensitive personal data include:
Racial or ethnic origin, religious or philosophical beliefs, political opinions, union membership, genetics, biometrics, and issues about a person's health or sex life.
With that in mind, let's look at the ten legal bases of the LGPD.
Before we delve into each of the legal bases, let’s separate “consent” and “legitimate interest” into a category of their own, because despite being the most popular, they are less straightforward than the others and require additional care in their use. The eight bases that follow are clearer and more secure from a legal perspective.
Now, let’s take a closer look at each one:
However, it is worth noting that the law specifies that this consent must be in writing, or by means that demonstrate the unequivocal expression of the holder's will. Therefore, when citizens are asked to give their consent, they must have clarity, ease, and the freedom to do so autonomously.
This is precisely the feature that differentiates this legal basis from the others: it must be as easy for customers to revoke their consent as it was for them to provide it in the first place.
Thus, it is important that the collection of consent, or opt-in (in the language of the market), is as agile and easy as its revocation, or opt-out. This means that consent should not generate friction in the commercial relationship. Legal experts emphasize that, as a business owner, you should not rely solely on this modality to legitimize your use of data, because this form of authorization tends to be fragile.
This is exactly why AdOpt so greatly values the agility, speed, and appearance of its communication, which corresponds with the visual identity of the company in question. When we studied the GDPR and its impact on large publishers (news and content portals) we saw that one of the biggest effects of those huge and unattractive notices (which look like the legal department designed them in Word) was the increase in bounce rate, a digital marketing and UX metric that shows the percentage of visitors that leave your website as soon as they access it.
Imagine yourself in your store watching customers come and go in a matter of seconds, without introducing themselves, asking for a product, or interacting with a salesperson.
This is the in-person analogy for the bounce rate metric. So, think carefully about the cookie notice you place on your site. It can act as a giant barrier for your customers.
Finally, understand that the use of consent in online and offline environments must be integrated with the other steps of data use and processing within your company. Therefore, it is important to map the flow of data within your company so that you do not miss any blind spots.
This is the second most popular legal basis and perhaps the most widespread because, for many, legitimate interest serves as a lifeline or a card up the sleeve when their use of data does not fit any of the others. This does not make it any less important, but it is necessary to emphasize that "legitimate interest" is somewhat subjective when we consider the parties involved: the data owner versus the data operator or controller. After all, money talks, and commercial interests can speak louder. But not every commercial interest will necessarily constitute a legitimate interest for the use of such data.
Why not? Because this could damage the individual rights of the owner or even another express provision of the LGPD. Article 10 of the LGPD establishes that the legitimate interest of the controller can only serve as a basis for the processing of personal data for legitimate purposes, considered from concrete situations, which include but are not limited to:
Therefore, it’s important to ensure that the use of data is legitimately justified by the provision of the service or sale of the product, without any deviance that could weaken this legal basis under other current legislation.
As the LGPD is a fairly recent law, there are many other laws that already oblige companies to, for example, collect, process, and share citizens' personal data for purposes that predate it. As such, if your business model, activity, or process is already subject to legislation in force that requires you to collect data, that legislation is the best justification for its use.
An example of this would be the personal data that companies must collect from their employees to report to the Ministry of Labour, Social Security, and similar bodies. Here, the holders (who in this case are also employees) cannot oppose their data being shared, because the company is fulfilling a legal obligation by doing so.
This is perhaps one of the biggest benefits that the LGPD has given to data subjects, that is, to all of us as citizens and taxpayers in this country. Governments must also comply with the LGPD, making this one of the most significant, if not the most significant, of its legal bases.
Today, the government, one of the institutions that benefits most from its citizens' data, including commercially, must also conform with this regulation.
According to article 7, paragraph III of the LGPD, public administration bodies need to comply with the law when processing or sharing personal data for the execution of public policies, contracts, agreements, or similar instruments, without the need for the consent of the holders.
Although there is no need for consent, data owners still have the right to a clear and unambiguous explanation of the purposes for which their data has been collected and the processes to which it is subject. A final note: public administration is not subject to fines. It is, however, still subject to warnings, publication of infractions, and the restriction or even deletion of data.
The LGPD also authorizes scientific researchers and developers to access personal data for the purpose of their studies. It is recommended, however, that this information always be anonymized in order to guarantee the privacy of the holders and to avoid possible leaks. This way the identities of the research subjects are protected, and the researchers themselves can rest assured of the safety of their scientific methods.
Once a contract is signed, the parties have their obligations and rights established therein. Thus, once a data holder has signed such a contract, the legal basis for the proper use of their data has been established. In this case, the owners themselves provide their data and legitimize the legal basis for its use as part of the document. In this sense, the situation is quite similar to that of consent. However, unlike with consent, if the data owner changes their mind, revoking their permission is not as simple, since the contract has its own force of validity and may include additional legal bindings.
Another legal purpose for using personal data, by choice of the data controller, is the regular exercise of rights in judicial, administrative, or arbitration proceedings.
This legal basis aims to guarantee the right of one party to produce evidence against another in legal proceedings. This is intended to prevent one party from being able to defensively obstruct the other from accessing and processing data as part of the legal process.
The use of data is also granted by law in cases that relate to the protection of the life or physical integrity of the data owners, or third parties.
Based on article 11, section II of the LGPD, sensitive data may be processed without the consent of the owner if it is essential for the protection of the life or physical safety of the owner or of third parties. As an example, imagine the work of first responders who bring in unconscious people in emergencies. Once the citizen and their medical records have been identified within a medical or hospital network, their information may be shared among physicians for the sake of the person, without their consent.
As in the previous item, the LGPD also provides a legal basis that authorizes the access and processing of data for the protection of health, as long as it is carried out by a health professional, health services, or a health authority.
This legal basis tends to be widely discussed and put to the test, mainly because of the interest in information that can be used on a public and commercial basis. However, the legislation emphasizes that data sharing cannot be performed in order to harm the owner or gain economic advantage over them. For example, imagine a scenario where access to some of the owner's health information automatically readjusted their health plan. This would be categorically vetoed by the LGPD. In other words, health plan operators are prohibited from using this data to assess risk or decide whether or not to accept clients.
The tenth and final legal basis is intended to ensure that, in debt-collection situations, data owners do not use the mechanisms of the LGPD as a loophole to escape their financial obligations. An example would be an owner requesting that the creditor financial institution delete their data from its database, or even from agencies such as Boa Vista and Serasa, thus evading the charge. This also tends to be a much-discussed legal basis, given the controversial implications of the context involved.
Legal bases are just the foundation!
Finally, we hope we have made these ten legal bases clear enough that you will be able to process data within the guidelines of the law.
With this in hand, you’re ready to take the next steps on the path to compliance.