2 examples of legitimate interest in the processing of personal data
Daniel Nusbaum
Payroll | Accounting | Legal Entity Setup | LGPD | GDPR | CCPA | CPO | DPO Certified | DPOaaS | Privacy by Design | Privacy by Default | ANPPD Member
On June 2, I published the article 10 situations where you can use data as off LGPD, in which I present the situations in which the Controller will be able to process the holder's data, including situation 9: for the legitimate interests of the controller. Article 10 of the LGPD, which closes Section I (On the Requirements for the Processing of Personal Data) of Chapter II (On the Processing of Personal Data), defines the possible legitimate interests of the controller and offers two examples to clarify possible questions. They are:
1. Support and promotion of core activities
This ensures the continued use of the holder's data, even if consent is revoked, as long as the activities are related to the Controller's core purpose. At this point, a potential discussion begins about what would or would not be a core-purpose activity of the controller. Its interpretation will be based on the controller's legal registration documents, including the company's Articles of Incorporation and CNAE*. Thus, the legislator protects the continuity of the Controller's business without giving up protection of the Holder's data, always remembering that the Controller will bear the burden of proving adherence to the LGPD.
*CNAE is the official description of the company's activities, issued by the IRS upon the request to register the Articles of Incorporation and obtain the Tax ID. Every organization has at least a main CNAE and may have additional (multiple) secondary CNAEs.
2. Protection, in relation to the holder, of the regular exercise of his rights or provision of services that benefit him, respecting his legitimate expectations and fundamental rights and freedoms, under the terms of this Law.
In this second example, the LGPD ratifies the intention to protect the holder's personal data without, however, making business continuity unfeasible. It is clear that the Holder will not be able to use the LGPD as an argument to obtain compensation after revocation of consent, provided that the use of the data is aligned with the purpose of the deal and with the original consent.
Basis for interpretation
To guarantee transparency and security when data is processed for the legitimate interest of the controller, the article is complemented by 3 paragraphs. The first establishes that only data strictly necessary for the provision of services or products may be processed.
The second reaffirms the need for transparency in data processing in cases of legitimate interest, and the third provides that the ANPD (National Data Protection Authority) may request a report on the impact on personal data protection whenever the processing is based on legitimate interest.
Starting with the next article, we will begin to analyze the regulations on the processing of sensitive data. For now, I would like to know your opinion about the LGPD and its impact on your daily life. How is data processing handled in your company today? Are you already adhering to the requirements presented here? Leave your comment.
PS: Other articles related to the LGPD that I have posted on LinkedIn:
- 5 compared characteristics between LGPD and eSocial
- 7 definitions to start understanding LGPD
- The 4 exceptions to LGPD
- The 10 principles that govern the LGPD
- 10 situations where you can use data as off LGPD
- 1 single rule for Consent in the LGPD
- 7 rights on data processing information