It is worth highlighting some important points here:

ayshakhatun3113 · Post by **ayshakhatun3113** » Tue Jan 28, 2025 9:00 am

Consent must be free from defects (That famous “you agree to our terms” button without explaining in detail what the term is about.)
The term must explain for what purpose the data will be used; any other need not included in the term will result in the need for a new consent request.
In addition to explaining where and how the data will be used, you must also provide information on the communication channels with the entity to obtain more information about personal data, including the deletion option.
2. Legitimate interest of the controller or third parties: When the data subject is already part of the entity's relationship base. In this case, the institution may contact the data subject to publicize activities, events, notices about campaigns, among other actions.

This legal basis is the most flexible, but it is worth taking some precautions:
Communication with this data may not infringe the rights and freedom of the data subject, there must be proof that the communication is in the interest of the recipient (Do not use part time data third-party or partner databases).
If this contact results in a subsequent action that involves processing such as: Financial integration from registration for an event, disclosure of data to a sponsor or partner, updating of data or payment of contributions, the institution must obtain consent for this.
3. Contract execution: When data is necessary so that a contract can be signed.

4. Compliance with legal obligation: When a law requires that data be stored for a certain period, the entity must comply with what the law requires and store the data for the necessary time (Example: data of members who received invoices, former employees, collaborators, former students, medical data of entities that work in the health area).

Other legal bases for knowledge:

Regular exercise of rights: The regular exercise of rights allows the use of personal data in contracts involving judicial, administrative and arbitration proceedings.
Protection of life: This legal basis is more limited to the need to monitor pandemics, ensure humanitarian aid, treatment of unconscious patients, emergency hospitalization or vaccination campaigns.
Health protection: Data collection by professionals to perform procedures and services related to health. This data cannot be shared to obtain financial advantages.
Implementation of public policies: This data may be used to implement public policies, to assist those in need and to solve community problems. For example: Bolsa Família registration, emergency aid and quota policies.
Study by research body: Data obtained through research may be carried out by direct or indirect public administration bodies with no profit motive. Private bodies cannot use this legal basis.
Credit protection: This legal basis allows the collection of personal data to create records of defaulters and compliant payers for credit risk assessment (e.g. positive record).
Now that we understand how we should collect and process personal data, what are the main roles involved in the LGPD?

Holder: This is the natural person who owns the personal data (Members, non-members, donors, employees, among others).
Controller: Natural or legal person who decides on the processing of personal data. In this case, it is the Association, Union or Federation.
Operator: An individual or legal entity that processes personal data on behalf of the controller. In this case, it would be your accounting firm, companies that process payments or even our management platform for associations, unions and federations.
Data Protection Officer: The person responsible for monitoring the processing of personal data of data subjects within the institution. This person must also be the communication channel with the national authority and partners. This person may be an individual or a legal entity.
What are the types of data according to the LGPD?

Personal data can be classified into two types: Personal Data and Sensitive Personal Data . Understand the difference:

Sensitive Personal Data: Any data that can identify the holder: Personal data about racial or ethnic origin, religious belief, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person.
Non-sensitive Personal Data: This is data that alone cannot identify the holder: Age, Sex, CPF, ID, Zip Code, IP Address, Date of Birth, etc. However, the combination of these data may result in identification, making the information sensitive.