What rights does the LGPD provide for consumers in my store?
Understand what rights the General Data Protection Law (“LGPD”) provides for your consumers and general ideas on how to proceed in the event of a request
About the LGPD
What rights does the data subject have?
The consumer has rights regarding their personal data and, upon express request, by themselves or by an authorized third party (representative), may request the store owner, at any time:
Confirmation of processing and access in a simplified format - The consumer may ask the store owner to confirm that they process their data and, also, request access to a simplified list containing the personal data that the store owner has about that consumer in its database;
Clear and complete statement about the processing of their data - The consumer may request more detailed information about the processing of their personal data;
Correction of incomplete, inaccurate and outdated data - The consumer will have the possibility to correct incomplete, incorrect and outdated data;
Anonymization, blocking or deletion of unnecessary, excessive data or data processed in non-compliance with the law - If the consumer understands that the processing of his/her personal data by the retailer violates the LGPD, he/she may request that the retailer perform:
Anonymization - of his/her data, which, in a simplistic way, implies the continuation of the processing of the consumer's personal data, but in a way that they can no longer be associated with that specific consumer;
Blocking - which guarantees that the personal data will no longer be used by the retailer, but will remain in the systems in which they are inserted;
Deletion - which consists of the deletion of personal data from the retailer's systems.
Portability - The consumer has the right to request that the retailer transfer his/her data to another entity. This right may only be exercised after regulation by the National Data Protection Authority;
Deletion of personal data processed with your consent - If the consumer wishes, they may request the deletion of personal data that is processed by the retailer based on consent;
Information on the public and private entities with which the retailer shares data - The consumer may request information from the retailer about the third parties with whom their data has been shared;
Information on the possibility of not providing consent and on the consequences of refusal - Whenever personal data is processed based on consent, the consumer has the right to know about the consequences if they decide not to consent to that specific processing;
Revocation of consent - At any time, the consumer may revoke their consent for the processing of their personal data by means of an express statement;
Review of decisions made solely based on automated processing of personal data that affect your interests - If the retailer processes personal data in an automated manner, for example, in a process that is intended to define the consumer's personal or professional profile, the consumer may request that the retailer inform the consumer of the logic involved in this automated process.
There are exceptions to the rights of data subjects. For example, it will not be possible to delete personal data if the retailer is required by law to keep it or has another legitimate purpose for keeping such data.
Likewise, access to a consumer's personal data may be refused if the provision of the information could reveal personal data of other people or, even, information that could reveal the retailer's business secrets.