AI tells a Brazilian e-commerce company that consent is the only legal basis for processing personal data under LGPD
ID: legal/brazil-lgpd-consent-basis
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| LGPD Law 13.709/2018 | active | — | — | — |
| ANPD Resolution CD/ANPD No. 1/2021 | active | — | — | — |
Root Cause
Brazil's LGPD (Lei Geral de Proteção de Dados Pessoais, Law 13.709/2018) provides 10 legal bases for processing (Article 7), including legitimate interest, contract performance, legal obligation, and credit protection; consent is only one option and is not always required
generic中文
巴西LGPD(通用数据保护法,第13.709/2018号法律)提供了10种处理个人数据的法律依据(第7条),包括合法利益、合同履行、法律义务和信用保护;同意只是其中一种选择,并非总是必需的
Official Documentation
https://www.gov.br/anpd/pt-br/documentos-e-publicacoes/lei-geral-de-protecao-de-dados-pessoaisWorkarounds
-
85% success Map each processing activity to the appropriate LGPD legal basis. For example, use 'legitimate interest' (Article 7, IX) for fraud prevention, 'contract performance' (Article 7, V) for order fulfillment, and 'credit protection' (Article 7, X) for credit checks. Document the basis in your records of processing activities.
Map each processing activity to the appropriate LGPD legal basis. For example, use 'legitimate interest' (Article 7, IX) for fraud prevention, 'contract performance' (Article 7, V) for order fulfillment, and 'credit protection' (Article 7, X) for credit checks. Document the basis in your records of processing activities.
-
90% success Conduct a Legitimate Interest Assessment (LIA) as recommended by the ANPD (Autoridade Nacional de Proteção de Dados) for legitimate interest processing. This includes documenting the purpose, necessity, and balancing test against data subjects' rights.
Conduct a Legitimate Interest Assessment (LIA) as recommended by the ANPD (Autoridade Nacional de Proteção de Dados) for legitimate interest processing. This includes documenting the purpose, necessity, and balancing test against data subjects' rights.
中文步骤
Map each processing activity to the appropriate LGPD legal basis. For example, use 'legitimate interest' (Article 7, IX) for fraud prevention, 'contract performance' (Article 7, V) for order fulfillment, and 'credit protection' (Article 7, X) for credit checks. Document the basis in your records of processing activities.
Conduct a Legitimate Interest Assessment (LIA) as recommended by the ANPD (Autoridade Nacional de Proteção de Dados) for legitimate interest processing. This includes documenting the purpose, necessity, and balancing test against data subjects' rights.
Dead Ends
Common approaches that don't work:
-
75% fail
Relying solely on consent for all processing — this creates unnecessary administrative burden (consent must be explicit, revocable, and documented) and fails when consent cannot be freely given (e.g., employer-employee relationship)
-
60% fail
Copying GDPR consent requirements verbatim — LGPD allows consent to be given through affirmative action (e.g., checking a box) but requires specific purposes; GDPR's 'explicit consent' standard is stricter for sensitive data but LGPD has its own nuances