
THE DISPOSAL OF PERSONAL DATA

Recently, the Federal Supreme Court (STF) positioned itself against the right to be forgotten versus the media’s right to report certain facts. In this specific case, the STF ended up endorsing the thesis that recognizing a right to be forgotten would be an act of censorship, given the media’s right to accurately report news for society’s knowledge.

However, concerning the General Data Protection Law (LGPD), lawmakers did not reach the same understanding, attributing to the subject of personal data a right to request the elimination of their data when its processing is based on consent. This is something that resembles the right to be forgotten, but only on the part of the one who was processing your data with your knowledge.

In addition to being a right of the subject, in the circumstance described above, personal data must be eliminated by the controller or operator when the purpose for its use is extinguished. The question that arises is how the controller or operator will show that the personal data has been deleted.

When examining the LGPD, it is evident that it lacks regulation to guide the controller or operator on how the National Data Protection Authority (ANPD) will require evidence of the disposal of data whose purpose has been exhausted, or of disposal at the request of a subject who had previously given consent. In principle, there is a presumption of veracity attributed to the controller or operator when they affirm that they have disposed of the personal data, either because the purpose has ended or at the subject’s request. Naturally, they will answer for non-compliance with this action under the terms of the administrative sanctions provided for in Art. 52 of the LGPD, in addition to penalties for the unlawful act and reparation of damages provided for in the civil code and the ideological falsehood provided for in the criminal code.

By the way, the LGPD assigns to the data protection officer (DPO) the task of contacting the data subject before taking any initiative, especially transfer and deletion actions, to check if the person is, in fact, the subject or someone with a power of attorney granted by the subject. Therefore, while the ANPD does not regulate such an initiative, it is recommended that the DPO request a copy of the document in digital format to confirm their identity, or at least the presumption of identity, and request confirmation of their e-mail address via an e-mail with a validation link.

Without a policy on document retention or a policy on retaining personal data, depending on the scope that the company wants to control, there would be no way to control the disposal of personal data whose purpose has ended.

When a data subject requests that data be discarded, the DPO must also pay attention to how the personal data in question is being processed. The LGPD is clear that the right to delete or dispose is available under previous consent. Therefore, if there is a framework that justifies the maintenance of that personal data, the controller or operator has the right to maintain the processing of that specific personal data.

It is also essential that the DPO keeps the evidence of the data subject’s request. This can be done securely in the two most frequent ways: (i) by an online form or (ii) by a duly archived e-mail.

Regardless of this evidence, it is equally important that the DPO starts a log recording all of their contacts with data subjects, including requests for data disposal.

Thus, the DPO will be responsible for conducting the disposal of personal data with mastery and risk mitigation, especially at the request of the respective subjects.