Art. 55 - (vetoed)
Art. 56 - (vetoed)
Art. 57 - (vetoed)
Art. 58 - (vetoed)
Art. 59 - (vetoed)
VI – controller: natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data;
VII – processor: natural person or legal entity, of public or private law, that processes personal data in the name of the controller;
VIII – officer: natural person, appointed by the controller, who acts as a communication channel between the controller, the data subjects and the national authority;
IX – processing agents: the controller and the processor;
X – processing: any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction;
XVII – impact report on protection of personal data: documentation from the controller that contains the description of the proceedings of processing of the personal data that could generate risks to civil liberties and fundamental rights, as well as measures, safeguards and mechanisms to mitigate the risk;
II – for compliance with a legal or regulatory obligation by the controller;
IX – when necessary to fulfil the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail; or
§5 The controller who has obtained the consent referred to in Item I of the lead sentence of this article that needs to communicate or share personal data with other controllers shall obtain specific consent from the data subject for this purpose, except when the need for such consent is waived as provided in this Law.
§2 The burden of proof is on the controller to show that consent was obtained in compliance with the provisions of this Law.
§6 If there is a change in the information as referred to in Items I, II, III or V of Art. 9 of this Law, the controller shall inform the data subject, with specific highlight of the content of the changes, in which case the data subject, in those cases where her/his consent is required, may revoke it if she/he disagrees with the change.
III – identification of the controller;
IV – the controller’s contact information;
V – information regarding the shared use of data by the controller and the purpose;
VI – responsibilities of the agents that will carry out the processing; and
§2 In the situation when consent is required, if there are changes in the purpose of the processing of personal data that are not compatible with the original consent, the controller shall previously inform the data subject of the changes of purpose, and the data subject may revoke her/his consent if she/he disagrees with the changes.
Controller’s legitimate interest can only be grounds for processing personal data for legitimate purposes, based on particular situations, which include but are not limited to:
I – support and promotion of the controller’s activity; and
§1 When processing is based on the controller’s legitimate interest, only the personal data which are strictly necessary for the intended purpose may be processed.
§2 The controller shall adopt measures to ensure transparency of data processing based on her/his legitimate interests.
§3 The national authority may request from the controller an impact report on protection of personal data when processing is based on her/his legitimate interest, subject to commercial and industrial secrecy.
a) controller’s compliance with a legal or regulatory obligation;
§3 Communication or shared use of sensitive personal data between controllers for the purpose of obtaining an economic advantage may be prohibited or regulated by the national authority, after hearing the sectoral entities of the public authority, within their competences.
§4 Communication or shared use between controllers of sensitive personal data referring to health for the purpose of obtaining an economic advantage is prohibited, except in cases of portability of data when consented by the data subject.
When carrying out public health studies, research entities may have access to personal databases, which shall be processed exclusively within the entity and strictly for the purpose of carrying out studies and research and shall be kept in a controlled and secure environment, in accordance with security practices provided in specific regulation and that include, whenever possible, anonymisation or pseudonymization of the data, as well as taking into account the proper ethical standards related to studies and research.
§4 For purposes of this article, pseudonymization is the processing by means of which data can no longer be directly or indirectly associated with an individual, except by using additional information kept separately by the controller in a controlled and secure environment.
§2 When processing data as mentioned in §1 of this article, controllers shall make public the information about the types of data collected, the way it is used and the procedures for exercising the rights referred to in Art. 18 of this Law.
§4 Controllers shall not condition the participation of data subjects, as referred to in §1 of this article, to games, internet applications or other activities for providing personal information beyond what is strictly necessary for the activity.
§5 The controller shall use all reasonable efforts to verify that the consent referred to in §1 of this article was given by the child’s representative, considering available technologies.
I – compliance with a legal or regulatory obligation by the controller;
IV – exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymised.
The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being processed by the controller, at any time and by means of request:
V – portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency;
VII – information about public and private entities with which the controller has shared data;
§1 The personal data subject has the right to petition, regarding her/his data, against the controller before the national authority.
§4 If it is impossible to immediately adopt the measure mentioned in §3 of this article, the controller shall send a reply to the data subject in which she/he may:
§7 The portability of personal data referred to in Item V of the lead sentence of this article does not include data that have already been anonymised by the controller.
§1 Whenever requested to do so, the controller shall provide clear and adequate information regarding the criteria and procedures used for an automated decision, subject to commercial and industrial secrecy.
II – when the controller offers and proves guarantees of compliance with the principles and the rights of the data subject and the regime of data protection provided in this Law, in the form of:
The controller and the processor shall keep records of personal data processing operations carried out by them, especially when based on legitimate interest.
The national authority may determine that the controller must prepare an impact report on protection of personal data, including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial secrecy.
Sole paragraph. Subject to the provisions of the lead sentence of this article, the report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.
The processor shall carry out the processing according to the instructions provided by the controller, which shall verify compliance with its own instructions and with the rules governing the subject.
The controller shall appoint an officer to be in charge of processing personal data.
§1 The identity and contact information of the officer shall be publicly disclosed, in a clear and objective manner, preferably on the controller’s website.
§2 Officer’s activities consist of:
I – accepting complaints and communications from data subjects, providing explanations and adopting measures;
II – receiving communications from the national authority and adopting measures;
III – orienting the entity’s employees and contractors regarding practices to be taken in relation to personal data protection; and
IV – carrying out other duties as determined by the controller or set forth in complementary rules.
§3 The national authority may establish complementary rules about the definition and the duties of the officer, including situations in which the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.
The controller or the processor that, as a result of carrying out their activity of processing personal data, cause material, moral, individual or collective damage to others, in violation of legislation for the protection of personal data, are obligated to redress it.
I – the processor jointly answers for the damages caused by the processing when it fails to comply with the obligations of data protection legislation or has not followed the controller’s lawful instructions, in which case the processor is deemed equivalent to the controller, except in cases of exclusion as provided in Art. 43 of this Law;
II – controllers who are directly involved in the processing from which damages resulted to the data subject shall jointly answer, except in cases of exclusion as provided in Art. 43 of this Law.
III – the techniques for processing personal data available at the time it was done.
Sole paragraph. The controller or the processor who neglects to adopt the security measures provided in Art. 46 of this Law shall be held liable for the damages caused by the violation of the security of the data that caused the damage.
The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.
§2 The national authority shall verify the seriousness of the incident and may, if necessary to safeguard the data subjects’ rights, order the controller to adopt measures, such as:
Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulate rules for good practice and governance that set forth conditions of organisation, a regime of operation, procedures, including for complaints and petitions from data subjects, security norms, technical standards, specific obligations for the various parties involved in the processing, educational activities, internal mechanisms of supervision and risk mitigation and other aspects related to the processing of personal data.
§1 When establishing rules of good practice, the controller and the processor shall take into consideration, regarding the processing and the data, the nature, scope, purpose and probability and seriousness of the risks and the benefits that will result from the processing of data subject’s data.
§2 When applying the principles mentioned in Items VII and VIII of the lead sentence of Art. 6 of this Law, and subject to the structure, scale and volume of her/his operations, as well as the sensitivity of the processed data and the probability and seriousness of the damages to data subjects, the controller may:
a) demonstrate the controller’s commitment to adopt internal processes and policies that ensure broad compliance with rules and good practices regarding the protection of personal data;
b) are applicable to the entire set of personal data under her/his control, irrespective of the means used to collect them;
The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.