AI告诉巴西的电子商务公司,同意是LGPD下处理个人数据的唯一法律依据
AI tells a Brazilian e-commerce company that consent is the only legal basis for processing personal data under LGPD
ID: legal/brazil-lgpd-consent-basis
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| LGPD Law 13.709/2018 | active | — | — | — |
| ANPD Resolution CD/ANPD No. 1/2021 | active | — | — | — |
根因分析
巴西LGPD(通用数据保护法,第13.709/2018号法律)提供了10种处理个人数据的法律依据(第7条),包括合法利益、合同履行、法律义务和信用保护;同意只是其中一种选择,并非总是必需的
English
Brazil's LGPD (Lei Geral de Proteção de Dados Pessoais, Law 13.709/2018) provides 10 legal bases for processing (Article 7), including legitimate interest, contract performance, legal obligation, and credit protection; consent is only one option and is not always required
官方文档
https://www.gov.br/anpd/pt-br/documentos-e-publicacoes/lei-geral-de-protecao-de-dados-pessoais解决方案
-
Map each processing activity to the appropriate LGPD legal basis. For example, use 'legitimate interest' (Article 7, IX) for fraud prevention, 'contract performance' (Article 7, V) for order fulfillment, and 'credit protection' (Article 7, X) for credit checks. Document the basis in your records of processing activities.
-
Conduct a Legitimate Interest Assessment (LIA) as recommended by the ANPD (Autoridade Nacional de Proteção de Dados) for legitimate interest processing. This includes documenting the purpose, necessity, and balancing test against data subjects' rights.
无效尝试
常见但无效的做法:
-
75% 失败
Relying solely on consent for all processing — this creates unnecessary administrative burden (consent must be explicit, revocable, and documented) and fails when consent cannot be freely given (e.g., employer-employee relationship)
-
60% 失败
Copying GDPR consent requirements verbatim — LGPD allows consent to be given through affirmative action (e.g., checking a box) but requires specific purposes; GDPR's 'explicit consent' standard is stricter for sensitive data but LGPD has its own nuances