Article 7 of the Brazilian Data Protection Law establishes ten specific circumstances under which processing personal data is lawful[cite: 1, 95, 96].
Unlike some privacy frameworks that heavily favour user permission, the LGPD provides a broad menu of legal grounds for data processing activities[cite: 13, 97, 107]. You must assign at least one of these bases to every data processing operation your organisation conducts[cite: 95, 96]. Failing to secure a valid legal basis renders the processing irregular and exposes your business to administrative sanctions[cite: 351, 402].
The legislation treats all ten bases equally, meaning no single justification holds inherent legal superiority over the others. Choosing the correct basis depends entirely on the specific purpose and context of your data processing[cite: 80, 81].
Documenting your chosen legal basis is a core requirement of accountability under the law[cite: 90]. The national authority can request records of your processing operations at any time[cite: 276, 320]. If your stated basis is invalid, you cannot simply swap it for another one after the fact. You must align your data collection strategies with the appropriate legal framework before you begin gathering user information[cite: 79].
Here is a detailed breakdown of the ten legal bases available to controllers under the Brazilian legislation.
1. Consent of the Data Subject
Consent must be a freely given, informed, and unambiguous manifestation where the data subject agrees to the processing for a given purpose[cite: 64]. If you rely on this basis, you bear the burden of proving that consent was obtained lawfully[cite: 120].
Generic authorisations for data processing are considered void under Brazilian law[cite: 122]. The request for consent must stand out from other contractual clauses if provided in writing[cite: 119]. Users also retain the right to revoke their consent at any time via a facilitated, free procedure[cite: 123].
Rely on this basis for marketing newsletters, tracking scripts, and non-essential site analytics.
2. Compliance with a Legal or Regulatory Obligation
The controller can process personal data to fulfil duties imposed by law or regulations[cite: 98]. This includes tax reporting, employee payroll records, or data retention mandates set by specific industry regulators.
3. Execution of Public Policies
The public administration may process and share data necessary to implement public policies[cite: 99]. These policies must be grounded in laws, regulations, or formal agreements[cite: 99].
4. Conduct of Studies by Research Bodies
Research bodies can process personal data to conduct studies[cite: 100]. The law explicitly requires these organisations to ensure the anonymisation of personal data whenever possible[cite: 100]. This protects the fundamental rights of freedom and privacy while allowing scientific or historical progress[cite: 13].
5. Contract Performance
You can process data when it is necessary for the performance of a contract to which the data subject is a party[cite: 101]. This also covers preliminary procedures related to a contract requested by the user[cite: 101].
An online retailer uses this basis to process a shipping address to deliver a purchased item.
6. Regular Exercise of Rights
Processing is permitted for the regular exercise of rights in judicial, administrative, or arbitration procedures[cite: 102]. The arbitration procedures explicitly reference the Brazilian Arbitration Law[cite: 102].
Companies retain customer dispute records or employee disciplinary files under this justification. The data cannot be used to the detriment of the data subject's regular exercise of their rights[cite: 239]. You must still limit the processing to the minimum required for the accomplishment of this specific purpose[cite: 83].
7. Protection of Life or Physical Integrity
Data processing is lawful when required to protect the life or physical integrity of the data subject or a third party[cite: 104]. Medical emergencies fall squarely into this category.
8. Protection of Health
This basis applies exclusively to procedures carried out by health professionals, health services, or sanitary authorities[cite: 105].
Private healthcare plan operators cannot process health data to select risks or exclude beneficiaries[cite: 162]. The shared use of health data for economic advantage is heavily restricted, except for specific service provisions or portability requests[cite: 159, 160].
9. Legitimate Interests of the Controller
Processing can occur to meet the legitimate interests of the controller or a third party[cite: 107]. This basis is invalid if the data subject's fundamental rights and liberties require personal data protection to prevail[cite: 107]. Legitimate interest often supports activities that promote the controller's operations or provide services benefiting the user[cite: 138, 139]. You must only process the data strictly necessary for the intended purpose[cite: 140].
Transparency is a critical requirement when relying on this ground[cite: 141].
The national authority may demand a data protection impact assessment for processing based on legitimate interest[cite: 142]. Such reports help ensure you maintain a balance between your commercial goals and user privacy rights.
10. Protection of Credit
Uniquely, the LGPD allows the processing of personal data for the protection of credit[cite: 109]. The provision also references the relevant financial and credit legislation[cite: 109].
This specific inclusion differentiates the Brazilian framework from many European counterparts.
Handling Sensitive Personal Data
Sensitive personal data requires tighter controls under the LGPD[cite: 51]. This category includes data revealing racial origin, religious belief, political opinion, health status, or biometric information[cite: 51]. You cannot rely on all ten general bases for processing this type of information[cite: 145].
Processing sensitive data generally requires specific and emphatic consent for specific purposes[cite: 146]. The law only permits processing without consent in highly restricted scenarios, such as compliance with legal obligations or protecting life[cite: 147, 148, 152].
Comparing GDPR and LGPD Legal Bases
Brazil's legislation shares structural similarities with the European GDPR, but diverges significantly regarding the available lawful grounds for processing.
| LGPD Basis | GDPR Equivalent | Notable Differences |
|---|---|---|
| Consent | Consent | Very similar requirements for informed, free action. |
| Legitimate Interest | Legitimate Interest | LGPD specifically lists the promotion of controller activities. |
| Protection of Credit | None | GDPR relies on legitimate interest for credit scoring. |
| Health Protection | Vital Interests | LGPD restricts this exclusively to health professionals. |
Data Subject Rights and Your Legal Basis
The legal basis you select directly impacts the rights available to the data subject[cite: 198]. Every natural person is assured ownership of their personal data[cite: 199].
If you process data based on consent, the user has the explicit right to request the erasure of that data[cite: 208]. They can also demand the portability of their data to another service provider[cite: 206]. You must provide clear information on the possibility of denying consent and the consequences of that denial[cite: 211, 212].
Conversely, if processing relies on a legal obligation, the right to erasure is limited. You are authorised to store the data to comply with that regulatory obligation, even if the user requests deletion[cite: 191, 192].
Transparency remains non-negotiable regardless of the chosen basis[cite: 86]. Data subjects have the right to obtain confirmation of the existence of the processing[cite: 201]. They can demand access to the data and request the correction of incomplete, inaccurate, or outdated records[cite: 202, 203]. You must deliver this information within fifteen days from the date of the request[cite: 227].
Structuring your data governance program around these rights ensures compliance and builds user trust.
Frequently Asked Questions
Do I need consent for every tracking mechanism under LGPD?
Yes, most tracking and marketing cookies require explicit user consent. You cannot rely on legitimate interest for invasive profiling.
What happens if a user revokes their consent?
Processing carried out before the revocation remains valid as long as there is no request for erasure[cite: 123]. You must cease new processing activities immediately.
Can I change my legal basis later?
No, the legal basis must be established and documented before data collection begins. Changing it retroactively violates the transparency principle.
Does the LGPD apply to companies outside Brazil?
Yes, the law applies if your processing activity offers goods to individuals in Brazil or processes data collected in the national territory[cite: 24, 25, 26, 28].
Is protection of credit a valid basis in Europe?
No, the protection of credit is a specific legal basis unique to the Brazilian LGPD. European organisations typically rely on legitimate interest for similar financial risk assessments.
Take Control of Your LGPD Compliance
If you operate a website serving users in Brazil, identifying the correct legal basis for your data collection is mandatory. Kukie.io detects your tracking technologies and helps you manage user choices seamlessly.