The General Personal Data Protection Law (LGPD) is a legislation designed to safeguard the personal data of the data subject. The law confers a range of rights upon data subjects to ensure their personal data is managed securely by the data controller. These rights are central to the law’s efforts to ensure the protection and responsible handling of personal data.
Data Subject Rights Under LGPD
LGPD’s Chapter 3 outlines a comprehensive set of rights aimed at empowering data subjects- giving them substantial control over their personal data. The key rights under the law include:
a. Right to Access to Personal Data
The data subject has the right to access his personal data. This right enables data subjects to request and obtain confirmation of whether a data controller processes their personal data and, if so, to access such data. The right is articulated through two options:
- Data subjects can request and receive immediate confirmation in a simplified format about whether their personal data is being processed.
- Data subjects can request a detailed declaration that includes the origin of the data, whether there is any data recorded, and the criteria and purposes for processing while respecting any commercial and industrial secrets. This detailed access should be provided within fifteen days of the request.
b. Right of Rectification
Data subjects have the right to request the data controller to correct their personal data if it is inaccurate, incomplete, or outdated.
c. Right to Anonymization, Blocking, or Deletion
Data subjects have the right to have their personal data anonymized, blocked, or deleted if it is unnecessary, excessive, or processed in noncompliance with the law. Moreover, the right of deletion of personal data processed with consent can be exercised when the data subject withdraws his consent. However, the controller is not obligated to delete personal data right away when:
- it is necessary for compliance with legal or regulatory obligations;
- utilized for research by a research entity with efforts to anonymize the data;
- transferred to third parties while adhering to data processing requirements; or
- exclusively used by the controller with prohibited third-party access, provided the data has been anonymized.
d. Right to Data Portability
Data subjects have the right to request that his data be transferred to another service or product provider, in compliance with the regulations of national authority and subject to commercial and industrial secrets. The portability of personal data does not include data that have already been anonymized by the data controller.
The data subject has the right to know with which other companies and organizations, whether public or private, his information has been shared.
f. Right to Revoke Consent
Data subjects have the right to withdraw their consent at any time.
g. Right to Inquire About Consequences of Not Providing Data
The data subject has the right to request information concerning consequences that may result from his refusal of consent to data processing.
h. Right Regarding Automated Decision-making
Data subjects have the right to request the review of decisions made solely based on the automated processing of personal data affecting their interests, including decisions intended to define their personal, professional, consumer, and credit profile or aspects of their personality. Therefore:
- Upon request, the controller is obliged to furnish information about the criteria and procedures employed in automated decision-making while respecting commercial and industrial confidentiality.
- If information is withheld due to commercial and industrial secrecy, the national authority is empowered to audit the automated processing to ensure there is no discrimination.
As a result of these data subject rights, Brazilians have increased authority over how their personal data is processed by organizations that are subject to the law. Furthermore, data controllers and processors are required to undertake adequate measures to safeguard the confidentiality and security of their data subjects’ personal data.
