Art. 55 - (vetoed)Art. 56 - (vetoed)Art. 57 - (vetoed)Art. 58 - (vetoed)Art. 59 - (vetoed)
XII – consent: free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose;
I – with the consent of the data subject;
§4 The consent requirement provided in the lead sentence of this article is waived for data manifestly made public by the data subject, safeguarding the rights of the data subject and the principles provided in this Law.
§5 The controller who has obtained the consent referred to in Item I of the lead sentence of this article that needs to communicate or share personal data with other controllers shall obtain specific consent from the data subject for this purpose, except when the need for such consent is waived as provided in this Law.
§6 Any eventual waiver of the consent requirement does not release processing agents from the other obligations provided in this Law, especially that of obeying the general principles and guarantees of the data subject’s rights.
The consent provided in Item I of Art. 7 of this Law shall be given in writing or by another means that demonstrates the manifestation of the will of the data subject.
§1 If consent is given in writing, it must appear highlighted so as to stand out from the other contractual clauses.
§2 The burden of proof is on the controller to show that consent was obtained in compliance with the provisions of this Law.
§3 It is prohibited to process personal data if the consent is defective.
§4 Consent shall refer to particular purposes, and generic authorisations for processing personal data shall be void.
§5 Consent may be revoked at any time, by express manifestation of the data subject, through a facilitated and free of charge procedure, with processing carried out under previously given consent remaining valid as long as there is no request for deletion, pursuant to Item VI of the lead sentence of Art. 18 of this Law.
§6 If there is a change in the information as referred to in Items I, II, III or V of Art. 9 of this Law, the controller shall inform the data subject, with specific highlight of the content of the changes, in which case the data subject, in those cases where her/his consent is required, may revoke it if she/he disagrees with the change.
§1 In situations where consent is required, it shall be considered void if the information provided to the data subject contains misleading or abusive content or was not previously presented in a transparent, clear and unambiguous way.
§2 In the situation when consent is required, if there are changes in the purpose of the processing of personal data that are not compatible with the original consent, the controller shall previously inform the data subject of the changes of purpose, and the data subject may revoke her/his consent if she/he disagrees with the changes.
I – when the data subject or her/his legal representative specifically and distinctly consents, for the specific purposes;
II – without consent from the data subject, in the situations when it is indispensable for:
§2 When the provisions of lines a and b of Item II of the lead sentence of this article are applied by public agencies and entities, said waiver of consent shall be publicised, pursuant to Item I of the lead sentence of Art. 23 of this Law.
§4 Communication or shared use between controllers of sensitive personal data referring to health for the purpose of obtaining an economic advantage is prohibited, except in cases of portability of data when consented by the data subject.
§1 The processing of children’s personal data shall be done with specific and highlighted consent given by at least one of the parents or the legal representative.
§3 Children’s personal data may be collected without the consent mentioned in §1 of this article when collection is necessary to contact the parents or the legal representative, used one single time and not stored, or for their protection, and under no circumstances shall the data be passed on to third parties without consent as provided in §1 of this article.
§5 The controller shall use all reasonable efforts to verify that the consent referred to in §1 of this article was given by the child’s representative, considering available technologies.
III – communication by the data subject, including when exercising her/his right to revoke consent, as provided in §5 of Art. 8 of this Law, subject to the public interest;
VI – deletion of personal data processed with the consent of the data subject, except in the situations provided in Art. 16 of this Law;
VIII – information about the possibility of denying consent and the consequences of such denial;
IX – revocation of consent as provided in §5 of Art. 8 of this Law.
§2 The data subject may oppose the processing carried out based on one of the situations of waiver of consent, if there is noncompliance with the provisions of this Law.
§3 When processing originates from the consent of the data subject or from a contract, the data subject may request a complete electronic copy of her/his personal data, subject to commercial and industrial secrecy, in accordance with regulations of the national authority, in a format that allows its subsequent use, including for other processing operations.
Communication or shared use of personal data from a legal entity of public law to a legal entity of private law shall be communicated to the national authority and shall rely on the consent of the data subject, except: I – in situations in which consent is waived as provided in this Law; II – when there is shared use of data, which will be publicized pursuant to Item I of the lead sentence of Art. 23 of this Law; or III – in the exceptions contained in §1 of Art. 26 of this Law.
VIII – when the data subject has given her/his specific consent and distinct for the transfer, with prior information about the international nature of the operation, with this being clearly distinct from other purposes; or
Law No. 12,965, of April 23, 2014 (the “Brazilian Internet Law”), shall henceforth contain the following alterations: “Art. 7 … X – permanent deletion of personal data that has been provided to an internet application, upon request, at the termination of the relationship between the parties, except in the situations in which storage of records is obligatory, as provided in this Law and in that which governs personal data protection;…”(New Wording) “Art. 16… II – from personal data that are excessive in relation to the purpose for which consent was given by the data subject, except in situations provided in the Law that governs personal data protection.”(New Wording)