7 rights on data processing information


Article 9 of the LGPD defines the 7 rights that the data owner (the holder) has in relation to information on the processing of their data. The article begins by stating that the holder has the right to easy, clear, appropriate and conspicuous access to information about the processing. This rules out handling the matter the way some sites handle subscription cancellation, which, although possible, is hidden and tortuous. The legislator is already wary of the tricks of the less scrupulous players in the market and wrote explicit protection for the holder into the legislation.

The 7 rights of information about the data processing that the data owner has are: 

1. Specific purpose 

What will the data be processed for? The reason has to be clearly defined. 

2. Form and duration

How the data will be processed and for what period. There is no restriction here against an indefinite term, but this should be made clear in the consent.

3. Controller identity

Who is the controller, which in this case can be a company (Legal Entity) or another citizen (Individual). 

4. Controller contact information

Interestingly, the legislator chose to list the contact details separately from the identity (item 3 above), with the clear objective of once again making explicit that subterfuge to hide information, or access to it, from the data holder will not be accepted.

5. Shared use

Will the controller share data with third parties (operators) that will carry out the processing, restricted to the purpose defined in item 1? If so, with whom and for what specific purpose? In other words, which part of the processing and purpose will the Operator be responsible for? Here we can observe the co-responsibility between Controller and Operator: neither can exempt itself by leaving the responsibility to the other, since the responsibility is joint.

6. Responsibility of the treatment agents

This item identifies who will carry out the processing. Once again the legislator seeks to make the processing concrete: it does not happen in an abstract way or of its own accord. Even if an automatic system performs processing tasks, it was developed, installed, configured and managed by a person, in addition to the agents who operate the system. All of these are processing agents. What will each one do with the data? What training and controls are implemented to protect and safeguard data for the defined purposes? And so on.

7. Additional rights defined in article 18

In this article the legislator deals with the rights related to information on the processing of data, leaving the Rights of the Holder as a whole defined in article 18 of the LGPD, which will be the subject of discussion in a future publication here on LinkedIn. 

Complementing the 7 rights to information presented above, the legislation included 3 paragraphs with some details: 

Paragraph 1 - Consent

The above rights apply to the processing of data whether it is based on consent or on one of the 9 other reasons provided for, such as public management, security, credit protection, etc., which were discussed in the article "10 situations where you can use data as off LGPD". In this 1st paragraph the law defines that if the consent in any way tries to hide information from or deceive the holder, it will be considered null, even if it has been granted by the holder. Once again, data protection overrides technicality, in defense of the person.

Paragraph 2 - Change of purpose

In cases where consent is necessary, if there is a change of purpose for the processing of data, the holder must be informed. For example, a company obtains consent to provide medical insurance through operator A, but when renewing the contract, it chooses to switch to operator B. It is mandatory to notify the holder of the change, and the holder is entitled to revoke the consent if they so wish.

Paragraph 3 - Condition for supplying a product or service

If the delivery of a product or service is only possible after processing the data, this information must be clear in the consent, as well as the rights of the holder, which, as mentioned above, will be discussed in a future article. For example, the sale of services that depend on the data to identify who will receive them falls into this category. Without the consent, delivery of the service is not possible; therefore the sale depends on the consent, and after the sale is completed, the consent cannot be revoked with retroactive effect.

Next steps

As we move forward through the design of the LGPD, we have a clear view that the focus is on protecting the data and the individual. Undoubtedly, guarantees were given to companies, such as the non-disclosure of commercial or industrial secrets under the guise of access to the type of processing, or the non-retroactivity of consent revocation, but the main focus is on protecting the citizen and not leaving loopholes for creative exploitation of the legislation.

What data do you handle on a daily basis in your company? What are the processes for controlling and protecting this data? How will you respond to the demands of the LGPD? Leave your comments and questions below to exchange ideas and prepare efficiently for the entry into force of the LGPD. I'm waiting for you. 

PS: Other articles related to LGPD posted by me on LinkedIn: 

5 compared characteristics between LGPD and eSocial

7 definitions to start understanding LGPD

The 4 exceptions to LGPD

The 10 principles that govern the LGPD

10 situations where you can use data as off LGPD

1 single rule for Consent in the LGPD

