Data Subject Rights Under LGPD Access, Rectification, and Erasure

The LGPD, or the Brazilian General Data Protection Act (known as “Lei Geral de Proteção de Dados” in Portuguese), establishes a set of regulations governing the collection, management, storage, and sharing of personal data by organizations operating in Brazil. This legislation draws inspiration from the European Union’s General Data Protection Regulation (GDPR).

In today’s interconnected world, personal data has become a valuable asset. With the proliferation of digital services and platforms, our personal information is constantly collected, processed, and shared. In response to the growing concerns surrounding data privacy and security, many countries have implemented stringent data protection laws. In this blog post, we will delve into the rights of data subjects under the LGPD.

The LGPD, which came into force on September 18, 2020, is Brazil’s answer to safeguarding the privacy and security of personal data. It is heavily influenced by the European Union’s General Data Protection Regulation (GDPR) and shares many of its core principles. LGPD applies to any individual or entity that processes personal data in Brazil, even if they are located outside the country.

One of the key features of LGPD is its emphasis on the rights of data subjects. Data subjects are individuals whose personal data is being processed. LGPD grants several rights to data subjects to ensure that their personal data is handled responsibly and transparently. Let’s explore some of these rights in detail:

1. Right to Access: Data subjects have the right to request access to their personal data held by data controllers. This empowers individuals to know what data is being collected and how it is being used. Data controllers must provide this information within a reasonable timeframe.
2. Right to Rectification: If personal data is inaccurate or incomplete, data subjects have the right to request corrections. Data controllers must ensure that the data is accurate and up-to-date.
3. Right to Deletion (Right to be Forgotten): Data subjects can request the deletion of their personal data under certain circumstances. Data controllers must comply unless there are legitimate reasons to retain the data, such as legal obligations.
4. Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format. They can then transmit this data to another data controller.
5. Right to Object: Data subjects can object to the processing of their data for specific purposes, such as direct marketing. Data controllers must stop processing the data unless they have compelling legitimate grounds for continuing.
6. Right to Restriction of Processing: Data subjects can request the restriction of data processing, which means that data controllers can store the data but not use it. This might be useful if there is a dispute about the data’s accuracy or the legality of its processing.
7. Automated Decision-Making and Profiling: Data subjects can opt out of automated decision-making processes, including profiling, which can have significant effects on them.
8. Consent Withdrawal: Data subjects have the right to withdraw consent for data processing at any time. Data controllers must make it easy for individuals to revoke their consent.

For these rights to be effective, it’s crucial that both data subjects and data controllers understand their responsibilities. Data controllers must establish clear and transparent data processing procedures, and data subjects should be aware of their rights and how to exercise them. Moreover, data controllers must implement data protection impact assessments and designate a Data Protection Officer (DPO) to oversee data processing activities.

Access to Personal Data

The right to access is a cornerstone of data protection laws. It empowers individuals to have full transparency into how their personal data is being used by organizations. Under LGPD, this right allows data subjects to:

• Request information about what data is being processed.
• Understand the purposes for which their data is being used.
• Learn with whom their data is shared.

To exercise this right, data subjects can submit a formal request to the data controller, who is then obliged to provide the requested information in a timely manner.

What is the right to access?

• The right to access allows individuals to obtain information about what personal data is being processed by organizations, the purpose of processing, and with whom the data is shared.

How individuals can exercise this right?

• Data subjects can submit a formal request to the data controller, specifying the data they want to access.
• Data controllers must respond promptly, providing a copy of the requested data in an accessible format.

Implications for businesses?

• Businesses must establish processes for handling access requests.
• Providing access can enhance transparency, trust, and compliance with LGPD.
• Failure to comply can lead to fines and legal consequences.

Rectification of Personal Data

Data accuracy is of paramount importance. The right to rectification allows individuals to have incorrect or incomplete data corrected. In this regard, data subjects can:

• Inform data controllers about any inaccuracies in their personal data.
• Request that data controllers update and correct the data as needed.

Data controllers are legally obligated to ensure that the data they hold is accurate and up-to-date, and they must promptly make any necessary corrections.

What is the right to rectification?
The right to rectification empowers individuals to request corrections to inaccurate or incomplete personal data held by organizations.

How individuals can request rectification?

• Data subjects can inform the data controller about the inaccuracies or omissions in their data.
• The data controller is responsible for promptly correcting the data and notifying any third parties with whom the data was shared.

Business responsibilities and implications:

• Organizations must establish mechanisms for rectification requests.
• Timely rectification enhances data accuracy and compliance with LGPD.
• Failure to rectify this can damage the reputation of businesses and result in legal consequences.

Erasure of Personal Data

The right to erasure, often referred to as the “right to be forgotten,” is another significant aspect of data subject rights. This right allows individuals to request the deletion of their personal data in specific situations, including:

• When the data is no longer necessary for the purpose for which it was collected.
• When the data subject withdraws their consent.
• When the data processing is unlawful.

Upon receiving a valid erasure request, data controllers are obligated to evaluate the request and, if justified, delete the data promptly. This right aims to give individuals control over the retention and use of their personal information.

Understanding the right to erasure:

• The right to erasure, often called the “right to be forgotten,” allows individuals to request the deletion of their personal data in specific situations, such as when the data is no longer necessary or processed unlawfully.

How individuals can request data erasure?

• Data subjects can formally request data erasure from the data controller, specifying the data and the grounds for the request.
• Data controllers must evaluate the request and, if justified, delete the data, and inform any third parties who have the data.

The impact of erasure on organizations:

• Erasure can result in the loss of valuable data for businesses, affecting historical records and analytics.
• Organizations must balance erasure requests with their legal obligations to retain certain data.
• Complying with erasure requests is vital for LGPD compliance and maintaining the trust of data subjects.

Compliance with these data subject rights is not only a legal requirement but also essential for maintaining the trust and confidence of customers and users. Businesses must establish mechanisms to handle these rights efficiently, and failure to do so can lead to significant fines and legal consequences under LGPD.

Data Subject Rights, such as Access, Rectification, and Erasure, play a vital role in LGPD’s framework, enabling individuals to assert control over their personal data. For businesses, understanding and implementing these rights are not only a legal obligation but a crucial step in building trust with their customers and complying with Brazil’s data protection laws.