With the forthcoming issuance of the Personal Data Protection Law, companies must adapt their procedures to collect and carry out the appropriate handling of the personal data of their consumers or customers.
The correct handling of personal data is one of the main tools for companies to adequately market their products; not only to protect the personal information of their customers, but also to benefit their businesses.
The main purpose of the draft Law is to regulate the exercise of the right to protection of personal data, self-determination information, and circulation of this type of data (Article 1).
The legitimacy principle (Article 9) establishes the conditions or situations in which the collection and processing 1 of personal data by companies is legitimate and lawful:
- Consent of the personal data owner to the sharing of his information for a specific purpose.
The consent must be free, specific, unequivocal, prior and informed. A company may share someone’s personal data when he authorizes or gives consent knowing the purpose of the use of his information.
- Legal obligation for the sharing of personal data.
In this case, the law orders the company to share the personal data of an individual.
Example: The Labor Code requires employers to have certain personal information of their workers such as address, marital status, number of children, and some other relevant information. In this case the will of the data owner is irrelevant since it is the law that orders the sharing of this information.
- Contractual relationship.
A company can use the data of an individual with whom they have a contractual relationship. The limitation to this use is related to the data necessary for compliance with contractual obligations and may not exceed the limits established in the contract.
Example: In a contract of sale of goods, the company cannot use the data of the individuals to send commercial promotions, except if there is a clause in the contract that expressly authorizes the sending of such promotions.
1 The Personal Data Protection Law project defines the handling as any operation performed on personal data; this includes collection, conservation, modification, transfer, among other actions.
- 4. Vital interests of the owner.
The sharing of data of a person may be carried out if through this process the vital interests of the owner are protected, such as the protection of fundamental rights.
Example: A company can share the personal data of a person if it helps to save the life of the individual, such as in a medical emergency.
- Order of a judicial authority or resolution of competent authority.
If through a ruling or a decision of the competent authority the delivery or processing of personal data is ordered, the company will be bound to do so without facing negative consequences.
The legitimacy of the sharing and use of personal data is not given only by the consent of his owner. Companies must analyze in each particular situation which of the above mentioned scenarios the handling of personal data applies, thus complying with the principle of legitimacy.