Article 11
Processing of Sensitive Personal Data
The processing of sensitive personal data may only occur in the following cases:
- I - when the data subject or his legal guardian specifically and prominently consents to specific purposes;
- II - without providing consent from the data subject, in the cases in which it is indispensable for:
- a) compliance with legal or regulatory obligation by the controller;
- b) shared processing of data necessary for the public administration to execute public policies provided for in laws or regulations;
- c) conducting studies by a research body, ensuring, whenever possible, the anonymization of sensitive personal data;
- d) regular exercise of rights, including by contract and in judicial, administrative and arbitral proceedings, the latter pursuant to Law No. 9,307, of September 23, 1996 (Arbitration Law) ;
- e) protection of the life or physical safety of the data subject or third party;
- f) health protection, exclusively in a procedure performed by health professionals, health services or health authority; or
- g) Guarantee of fraud prevention and security of the data subject, in the processes of identification and authentication of registration in electronic systems, safeguarding the rights mentioned in art. 9 of this Law and except where the fundamental rights and freedoms of the data subject that require the protection of personal data prevail.
- 1. The provisions of this article shall apply to any processing of personal data that reveals sensitive personal data and may cause damage to the data subject, except as provided in specific legislation.
- 2. In the case of the application of the provisions of subparagraphs “a” and “b” of item II of the caput of this article by the organs and public entities, such waiver of consent shall be publicized, pursuant to item I of the caput of art. 23 of this Law.
- 3. The communication or shared use of sensitive personal data between controllers with the purpose of obtaining economic advantage may be object of prohibition or regulation by the national authority, after consultation with the sectoral agencies of the Public Service, within the scope of their competences.
- 4. Communication or shared use between controllers of health-sensitive personal data for the purpose of obtaining economic advantage is prohibited, except in the case of the provision of health services, pharmaceutical assistance and health care, provided that the § 5 of this article, including the auxiliary services of diagnosis and therapy, is for the benefit of the data subject's interests, and to permit: (Wording given by Law No. 13,853 of 2019)
- I - data portability when requested by the data subject; or
- II - the financial and administrative transactions resulting from the use and rendering of the services referred to in this paragraph.
- 5. The operators of private health care plans are prohibited from processing health data for the practice of risk selection in the hiring of any modality, as well as in the hiring and exclusion of beneficiaries.