The processing of sensitive personal data shall only occur in the following situations:
I – when the data subject or her/his legal representative specifically and distinctly consents, for the specific purposes;
II – without consent from the data subject, in the situations when it is indispensable for:
a) controller’s compliance with a legal or regulatory obligation;
b) shared processing of data when necessary by the public administration for the execution of public policies provided in laws or regulations;
c) studies carried out by a research entity, whenever possible ensuring the anonymization of sensitive personal data;
d) the regular exercise of rights, including in a contract and in a judicial, administrative and arbitration procedure, the last in accordance with the terms of Law No. 9,307, of September 23, 1996 (the “Brazilian Arbitration Law”);
e) protecting life or physical safety of the data subject or a third party;
f) the protection of health, in a procedure carried out by health professionals or by health entities; or
f) to protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities; (New Wording Given by Law No. 13,853/2019)
g) ensuring the prevention of fraud and the safety of the data subject, in processes of identification and authentication of registration in electronic systems, respecting the rights mentioned in Art. 9 of this Law and except when fundamental rights and liberties of the data subject which require protection of personal data prevail.
§1 The provisions of this article apply to any processing of personal data that reveals sensitive personal data and that may cause harm to the data subject, subject to the provisions of specific legislation.
§2 When the provisions of lines a and b of item II of the lead sentence of this article are applied by public agencies and entities, said waiver of consent shall be publicized, pursuant to item I of the lead sentence of Art. 23 of this Law.
§3 Communication or shared use of sensitive personal data between controllers for the purpose of obtaining an economic advantage may be prohibited or regulated by the national authority, after hearing the sectoral entities of the public authority, within their regulatory capacity.[2]
§4 Communication or shared use between controllers of sensitive personal data referring to health for the purpose of obtaining an economic advantage is prohibited, except in cases of portability of data when consented by the data subject.
§4 Communication or shared use between controllers of sensitive personal data referring to health in order to obtain an economic advantage is prohibited, except in hypotheses related to the provision of health services, pharmaceutical assistance and health insurance[3], as long as paragraph 5 of this article is observed, including auxiliary diagnostic and therapeutic services, for the benefit of the interests of the data subject and also to allow:
I – data portability when requested by the data subject; or
II – the financial and administrative transactions resulting from the use and provision of the services referred to in this paragraph.
§5 Operators of private health care plans are prohibited from processing health data for the practice of risk evaluation in any modality of hiring, as well as the hiring and exclusion of beneficiaries. (Included by Law No. 13,853/2019)