Personal Data Protection and Privacy Guide

Understanding Personal Data in the Digital Age

Personal data, or dados pessoais, refers to any information that can be used to identify a natural person, either directly or indirectly. In an increasingly connected world, every click, purchase, search, and location ping generates bits of data that, when combined, can paint a detailed picture of who you are. This concept is central to privacy regulations around the globe, including Brazil's Lei Geral de Proteção de Dados (LGPD). Understanding what constitutes personal data is the first step toward protecting your privacy and exercising your rights as a data subject. Whether you are a consumer sharing information online or a business handling customer records, knowing the types of data and the rules that govern their use is essential for compliance and trust.

What Are Personal Data? The Legal Definition

According to Article 5, Item I of the LGPD, personal data is defined as any information related to an identified or identifiable natural person. This means that even if a piece of information does not directly reveal a person's name, it qualifies as personal data if it can be used to single that person out. The law adopts a broad scope to cover both obvious identifiers and more subtle ones. For instance, a combination of your browsing habits, IP address, and device ID can be enough to identify you. The National Data Protection Authority (ANPD) clarifies that the concept of identifiability includes any attribute that, when processed, leads to the recognition of an individual. This expansive definition ensures that privacy protections apply even when data is fragmented or anonymized only superficially.

A person is considered identifiable when they can be recognized through identifiers such as a name, identification number, location data, an online identifier (like a cookie or IP address), or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. This list is not exhaustive, and new forms of data constantly emerge with technological advances. The key is whether the data, alone or in combination, allows for the linking back to a specific human being.

Common Examples of Personal Data

To better grasp what personal data includes, consider the following everyday pieces of information. Many people assume that only sensitive documents like a passport number count, but most routine interactions create personal data. Below is a list of common examples found in both public and private contexts:

  • Full name and surname
  • Individual Taxpayer Registry (CPF) or General Registry (RG) numbers
  • Email addresses (corporate or personal)
  • Residential and business addresses
  • Telephone and mobile numbers
  • Date and place of birth
  • Internet Protocol (IP) addresses
  • Browser cookies and device fingerprints
  • Credit card numbers and transaction history
  • GPS location data from smartphones or vehicles
  • Purchase history and browsing behavior
  • Physical appearance (photographs, biometric patterns)
  • Consumer habits and preferences

Each of these items, when linked to a specific individual, falls under the protection of the LGPD. Organizations that collect, store, or process such data must comply with the law's obligations, including obtaining consent, ensuring security, and respecting data subject rights.

The Legal Framework: LGPD and Data Identification

The LGPD, enacted in 2018 and effective since 2020, establishes rules for the processing of personal data by any natural person or legal entity, whether public or private, in Brazil. Its provisions are inspired by the European General Data Protection Regulation (GDPR) but adapted to local contexts. The law applies to any operation carried out with personal data, even if the controller is based abroad, as long as the data subject is located in Brazil or the data is collected within its territory. One of the core principles is that data processing must have a lawful basis, such as consent, legal obligation, or legitimate interest.

The distinction between regular personal data and sensitive personal data is crucial because the latter receives stricter protections. The table below summarizes key differences and examples for each category.

| Category | Definition | Examples | Processing Restrictions |
|---|---|---|---|
| Personal Data (General) | Any information relating to an identified or identifiable natural person | Name, email, IP address, location, purchase history | Requires lawful basis, data minimization, and transparency |
| Sensitive Personal Data | Data revealing racial or ethnic origin, religious beliefs, political opinions, trade union membership, health, sex life, genetic or biometric data | Health records, political affiliation, biometric fingerprints, genetic tests, religious orientation | Requires specific consent (or exceptional legal grounds) and heightened security measures |

As shown, sensitive data demands a higher level of care because its misuse can lead to discrimination or serious harm. For example, sharing health information without consent could affect insurance coverage or employment opportunities. The LGPD imposes additional obligations on controllers handling such data, including the need for explicit consent and impact assessments.

Sensitive Personal Data: A Subcategory with Extra Protection

Sensitive personal data is a special category defined in Article 5, Item II of the LGPD. It includes information about an individual's racial or ethnic origin, religious conviction, political opinion, trade union membership, health data, sexual life, and genetic or biometric data. Because these details touch on intimate aspects of a person's identity, the law prohibits their processing unless the data subject gives specific and conspicuous consent, or one of the other narrow legal bases applies, such as compliance with legal obligation, protection of life, or the exercise of rights in legal proceedings. Biometric data, such as fingerprints used for access control, is also considered sensitive, even if it seems routine.

The rationale behind stricter rules is to prevent discrimination and protect fundamental rights. For instance, a company processing information about a candidate's health to make hiring decisions would violate the LGPD. Similarly, political opinions should not be used to target advertisements without clear permission. Organizations that handle sensitive data must also conduct data protection impact assessments and implement robust security measures to avoid leakage or unauthorized access. The ANPD provides guidance on how to treat these categories, emphasizing that they cannot be processed merely based on legitimate interest.

How Personal Data Is Treated: The Concept of Data Processing

The LGPD defines data processing (tratamento de dados) in Article 5, Item X as any operation carried out with personal data, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, or control of information, as well as communication, transfer, or extraction. In practice, nearly every interaction with data constitutes processing. When you fill out an online form, the company collects and stores your data. When they send you a promotional email, they are using it. When they delete your account, they are eliminating it. Each step must be justified by a legal basis and follow the principles of purpose, necessity, and transparency.

Controllers and processors must adopt administrative, technical, and physical measures to protect personal data from unauthorized access and accidental destruction. The law also mandates that data subjects be informed about the purpose of processing, the duration of storage, and their rights. One of the most important rights is the ability to request the deletion of data after the purpose is fulfilled. The LGPD establishes that data should be retained only as long as necessary, unless a legal obligation requires longer storage. This principle minimizes exposure and reduces risk for both individuals and organizations.

Why Protecting Personal Data Matters

In a world where data breaches are common and digital footprints are permanent, protecting personal data is not just a legal requirement but a matter of dignity and autonomy. Mismanagement of personal information can lead to identity theft, financial fraud, reputational damage, and discrimination. For businesses, non-compliance can result in severe fines (up to 2% of revenue in Brazil, limited to 50 million reais per infraction) and loss of consumer trust. On a societal level, weak data protection erodes the foundations of privacy and can facilitate surveillance or manipulation. By understanding what dados pessoais are and how they should be handled, individuals can make informed choices about sharing their information, and organizations can build systems that respect privacy from the design stage.

To dive deeper into the definitions and official guidelines, consult the ANPD frequently asked questions at gov.br/anpd. For the full text of the LGPD, including all articles referenced, visit the official legislation at planalto.gov.br. These resources provide authoritative interpretations and ongoing updates.

References

The information in this article was compiled from the following sources: Portal Gov.br (ANPD) – Perguntas Frequentes sobre Dados Pessoais, available at gov.br/anpd; Lei nº 13.709/2018 (LGPD) – official text at planalto.gov.br; Judex.io – examples of personal data, available at judex.io/blog/dados-pessoais; and Idec.org.br – definition of sensitive data, available at idec.org.br/dicas-e-direitos/o-que-sao-dados-pessoais. These sources form the basis for the definitions and examples provided.

Notice: This content is for general informational purposes only and is not legal advice.
Author

Stefano Barcellos

Contributor at Visite Barbados.
