Processing of Sensitive Personal Data
The processing of sensitive personal data shall only occur in the following situations:
- when the data subject or her/his legal representative specifically and distinctly consents, for the specific purposes;
- without consent from the data subject, in the situations when it is indispensable for:
- controller’s compliance with a legal or regulatory obligation;
- shared processing of data when necessary by the public administration for the execution of public policies provided in laws or regulations;
- studies carried out by a research entity, whenever possible ensuring the anonymization of sensitive personal data;
- the regular exercise of rights, including in a contract and in a judicial, administrative and arbitration procedure, the last in accordance with the terms of Law No. 9,307, of September 23, 1996 (the “Brazilian Arbitration Law”);
- protecting life or physical safety of the data subject or a third party;
- the protection of health, in a procedure carried out by health professionals or by health entities; or
- ensuring the prevention of fraud and the safety of the data subject, in processes of identification and authentication of registration in electronic systems, respecting the rights mentioned in Art. 9 of this Law and except when fundamental rights and liberties of the data subject which require protection of personal data prevail.
- The provisions of this article apply to any processing of personal data that reveals sensitive personal data and that may cause harm to the data subject, subject to the provisions of specific legislation.
- When the provisions of lines a and b of Item II of the lead sentence of this article are applied by public agencies and entities, said waiver of consent shall be publicized, pursuant to Item I of the lead sentence of Art. 23 of this Law.
- Communication or shared use of sensitive personal data between controllers for the purpose of obtaining an economic advantage may be prohibited or regulated by the national authority, being heard the sectoral entities of the public authority, within their competences.
- Communication or shared use between controllers of sensitive personal data referring to health for the purpose of obtaining an economic advantage is prohibited,except in cases of portability of data when consented by the data subject.