The Lei Geral de Proteção de Dados Pessoais – LGPD (Law nº 13.709, of August 14, 2018) aims to ensure the protection of citizens' personal data. This law was amended by Provisional Measure nº 869, of December 27, 2018, which also created the Autoridade Nacional de Proteção de Dados – ANPD.

Like the General Data Protection Regulation (GDPR) of the European Union, the LGPD sets out definitions for personal data, sensitive personal data, control, processing, consent and anonymization.

It applies to all natural and legal persons, whether public or private, who process personal data by analogue or digital means, whenever the data processing is carried out in Brazilian territory or the activity involves offering products or services to people who are in national territory.

Let's go through these definitions one by one:

Personal Data: Any information that identifies an individual or that could lead to their identification. There are two types of personal data:

  • Direct: Name, CPF, RG, enrollment, voter registration
  • Indirect: Consumption habits, profession, sex, age, among others.

It is important to reinforce that personal data, even if made public, continue to be protected by law.

Sensitive Personal Data: Data concerning racial or ethnic origin, health, sex life, genetics, biometrics, religion, political opinion, skin color.

Anonymized: Data whose holder cannot be identified, considering the use of reasonable technical means available at the time of processing.

Pseudonymized: Personal data that, through processing, lose the possibility of being directly or indirectly associated with an individual. In this case, the controller can locate the person using additional information that was kept separately.

It is of paramount importance to know that the law only allows the processing of personal data when it is associated with a legal basis. The legal bases are conditions determined by the LGPD under which personal data may be collected and processed, and they differ for Personal Data and Sensitive Personal Data. These legal bases are presented below.


Legal Basis for Personal Data

  • Consent;
  • Compliance with legal or regulatory obligations;
  • Execution of public policies by the Public Administration;
  • Conducting studies by research bodies;
  • Regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings;
  • Protection of life or physical safety of the holder or third parties;
  • Health protection;
  • Legitimate interest of the controller or third parties;
  • Credit protection;
  • For the execution of contracts and preliminary procedures related thereto.

Legal Basis for Sensitive Personal Data

  • Consent;
  • Compliance with legal or regulatory obligations;
  • Execution of public policies by the Public Administration;
  • Conducting studies by research bodies;
  • Regular exercise of rights, including in contracts and in judicial, administrative and arbitration proceedings;
  • Protection of life or physical safety of the holder or third parties;
  • Health protection;
  • Ensuring fraud prevention and holder security.

Defining who is in the position of controller or operator for each personal data processing activity is important in order to determine the obligations and responsibilities of each of these processing agents.

This evaluation and definition can be simple or extremely complex, due to the dynamic nature of processing operations and of the agents they usually involve.

Controller:

  • Makes all decisions regarding the processing of personal data throughout their lifecycle;
  • Determines the purposes and means of processing personal data;
  • Evaluates which legal basis the processing falls under;
  • May be held directly liable for GDPR violations;
  • Guarantees the fulfillment of the holders' rights.

Operator:

  • Processes personal data on behalf of the controller;
  • Has no decision-making power;
  • May perform complex tasks, with some discretion, but always under the command of the controller;
  • May be held jointly and severally liable for violations of the LGPD that it causes.

The operator will always obey the controller, who effectively determines the purpose of the data processing. If the operator uses the same data for another purpose, however, it also becomes a controller, with the responsibilities inherent to that position.

The LGPD brings together, in one place, the rights of data subjects. Before that, they were scattered across several laws, such as the Consumer Protection Code and the Civil Rights Framework for the Internet. The holder can exercise these rights over his personal data at any time, upon request to the controller.

At CERAMICA VILLAGRES LTDA, you can exercise these rights through: DATA HOLDER PETITION.

In case of non-compliance with the LGPD, companies are subject to the following administrative sanctions by the ANPD:

  • Warning;
  • Simple fine (up to 2% of revenues up to a limit of BRL 50 million);
  • Daily fine;
  • Possibility of publicizing the infraction;
  • Blocking of the personal data involved;
  • Elimination of the personal data involved;
  • Partial suspension, for up to 06 months, of the database involved;
  • Suspension of the activity of processing personal data;
  • Partial or total ban on carrying out activities related to data processing.

The following will be taken into account by the ANPD:

  • Gravity and nature of the infractions;
  • Good faith and cooperation of the offender;
  • Advantage obtained from the infraction;
  • Economic conditions of the offender;
  • Recurrence and severity of damage caused;
  • Adoption of internal data protection mechanisms and procedures;
  • Adoption of a good practices and governance policy;
  • Prompt adoption of corrective measures;
  • Proportion between the seriousness of the infraction and the intensity of the sanction.