When Can a Company Use Your Data Without Your Consent? LGPD Explained

There is a widespread misconception about Brazil's data protection law that needs to be addressed directly: the LGPD does not require consent for every use of personal data.

June 3, 2026

This surprises many people — and it is often exploited by companies who present privacy notices as though checking a box is all that matters. In reality, the LGPD establishes a nuanced framework in which consent is just one of ten valid legal bases for data processing, and in some important contexts — particularly financial services — it is not even the primary one.

Understanding when companies can process your data without your consent is not a legal loophole to worry about. It is essential knowledge that helps you understand your actual rights, recognize when processing is legitimate, and identify when it is not.

The Foundational Principle: Every Processing Needs a Legal Basis

Before addressing the specific cases, the fundamental principle must be clear: the LGPD does not permit arbitrary data processing. Every single instance of data collection, storage, use, sharing, or deletion must be justified by one of the legal bases explicitly listed in Article 7 (for regular personal data) or Article 11 (for sensitive personal data) of the law.

Consent is one legal basis. But the law recognizes that in many legitimate situations, requiring consent would be impractical, would run contrary to the public interest, or would give one party disproportionate power to withhold cooperation from legitimate processes.

The key question is never just "did the person consent?" — it is "is there a valid legal basis for this processing?"

The 3 Most Important Non-Consent Legal Bases in Financial Services

1. Legal or Regulatory Obligation

What it means: A company may process personal data — without consent and regardless of the individual's preferences — when processing is necessary to comply with a legal or regulatory obligation.

Why it matters for consumers: Financial institutions in Brazil are subject to extensive regulatory requirements from the Banco Central do Brasil (BACEN), the Receita Federal, COAF (the financial intelligence unit), and other bodies. These requirements mandate that institutions:

  • Verify the identity of every customer (KYC — Know Your Customer)
  • Collect and retain CPF, name, address, and biometric data
  • Monitor transactions for signs of money laundering or terrorist financing
  • Report suspicious activity to COAF
  • Retain transaction records for minimum periods (typically 5 years)

When a digital bank asks for your CPF and a selfie during onboarding, or when a payment platform retains your transaction history for years after you close your account, it is not acting against the LGPD — it is fulfilling regulatory obligations under this legal basis.

What this means for you: You cannot prevent this processing by refusing consent, because consent is not the legal basis being used. However, you can verify that the processing is genuinely necessary for regulatory compliance (not just convenient for the company), and you can complain to regulators if data is retained beyond the legally required period.

2. Performance of a Contract

What it means: Data may be processed when it is necessary to fulfill a contract you have with the company, or to take the preliminary steps you requested before entering into one.

Why it matters for consumers: When you open a payment account, authorize a transfer, or purchase a product online, a contract is formed. Processing your account number, transaction details, and payment information to execute that transaction is not only permitted — it is required to deliver what you asked for.

This legal basis also covers pre-contractual processing: credit assessments, identity verification during the application process, and quote generation.

What this means for you: Processing under this basis is legitimate, but it must be genuinely necessary for the contract. A company cannot use contract performance as a basis to process data that goes beyond what is needed — for example, collecting your browsing history or location data is unlikely to be necessary for processing a payment, and would need a separate justification.

3. Protection of Life or Physical Safety

What it means: In genuine emergencies where someone's life or physical integrity is at risk, personal data may be processed without consent — even sensitive data.

Why it matters in practice: This basis is narrow and exceptional. It covers situations like a financial institution sharing account information with emergency services in a documented crisis, not routine processing.

What this means for you: This basis provides an important safeguard but should not be invoked broadly. If a company claims this basis for non-emergency processing, that is a red flag.

The Consent Illusion: What Companies Often Get Wrong

Despite the existence of multiple valid non-consent legal bases, many companies default to consent collection as their primary compliance strategy — and this creates problems for consumers.

The consent checkbox problem: When a company uses consent as a catch-all basis for processing that should be justified under legal obligation or contract performance, it creates a false impression that the consumer controls the processing. In reality, refusing consent may simply cause the company to invoke a different legal basis — or worse, it may prevent you from accessing a service that you should be able to access without surrendering unnecessary consent.

Bundled consent: Some companies present a single consent request that covers multiple, unrelated processing purposes. The LGPD requires that consent be specific — you should be able to consent to some purposes and not others. Bundled consent that cannot be disaggregated is not legally compliant under the LGPD.

Consent as a precondition: The LGPD explicitly states that consent cannot be required as a condition for receiving a service if the processing is not strictly necessary for that service. A payment platform cannot make consent to marketing emails a condition for accessing payment services.

Withdrawal difficulties: Companies are required to make consent withdrawal as easy as the original consent. Hiding the opt-out mechanism behind multiple menus, requiring written requests for what was done with a single click, or failing to honor withdrawal requests are all LGPD violations.

Sensitive Data: Higher Standards Apply

When the data being processed falls into the LGPD's special categories — racial or ethnic origin, religious beliefs, health data, biometric data, political opinions — the rules are stricter.

For sensitive data, non-consent processing is only permitted in more limited circumstances:

  • Legal obligation: Same as regular data, but the necessity must be especially clear
  • Shared data made public by the data subject: If you publicly disclosed your own sensitive data, it may be processed — but only for purposes compatible with the original disclosure
  • Protection of life: Same narrow emergency basis
  • Fraud prevention and data subject protection: In specific contexts where processing is necessary to protect you
  • Medical and health contexts: For healthcare providers, with specific conditions

The biometric data implication: For payment platforms that collect facial recognition data or fingerprints during KYC, this is particularly relevant. Biometric data is sensitive under the LGPD. Its collection must be justified by a specific legal basis — typically legal obligation for regulatory KYC compliance — and must be protected by heightened security measures.

The Balancing Test: When Legitimate Interest Is Claimed

One additional non-consent basis deserves separate explanation: legitimate interest.

Unlike legal obligation or contract performance — which have clear, objective justifications — legitimate interest requires a subjective balancing test. The company must assess whether its interest in processing the data outweighs your rights and freedoms.

The LGPD requires this assessment to consider:

  1. The purpose: Is the company's interest legitimate and clearly articulated?
  2. The necessity: Is the processing actually needed to achieve that purpose?
  3. The balance: Do the company's interests override your privacy interests, given the potential impact on you?

In financial services, legitimate interest might justify processing your transaction history to detect fraud patterns that protect other customers — a genuine public benefit that likely outweighs the privacy impact. It would not justify using your transaction data to build marketing profiles for third parties, where the company's commercial interest does not obviously outweigh your privacy interests.

Your right to object: When legitimate interest is the legal basis, you have the right to object to the processing. The company must then demonstrate that its legitimate interests genuinely outweigh your rights — or stop the processing.

A Practical Checklist: Is This Processing Legitimate?

When you encounter a privacy notice or question how a company is using your data, use this framework:

| Question | What to look for |
|---|---|
| What legal basis is claimed? | It should be explicitly stated in the privacy policy |
| Is the basis appropriate for this type of processing? | Legal obligation for regulatory compliance; contract for service delivery; consent for optional uses |
| Is the data collected the minimum necessary? | Excessive data collection beyond what is needed for the stated purpose is a red flag |
| Is sensitive data involved? | Heightened scrutiny applies — the basis must be especially clear |
| Can you withdraw consent if it was the basis? | The process should be simple and clearly described |
| Has the company documented its legitimate interest assessment? | You can request this under your right of access |

What to Do When You Believe Processing Is Unlawful

If you believe a company is processing your data without a valid legal basis:

  1. Request clarification in writing from the company's DPO or data protection channel. Ask specifically: "What is the legal basis under LGPD Article 7 for processing [specific data] for [specific purpose]?"
  2. File a complaint with the ANPD at gov.br/anpd if the company's response is unsatisfactory or if it fails to respond within 15 days.
  3. Report to BACEN if the company is a financial institution and the violation relates to financial data, transaction records, or KYC processes.
  4. Seek legal advice if you have suffered material or moral harm as a result of the violation. The LGPD explicitly provides for individual and collective compensation claims.

Conclusion

The LGPD's approach to consent is more sophisticated than most people realize: it is not a universal requirement, but one important legal basis among several. Understanding the full picture — when consent is needed, when it is not, and what protections apply regardless — gives you a more accurate and more useful understanding of your actual rights.

In financial services, where processing under legal obligation is common and legitimate, this understanding prevents you from expecting control you do not have while ensuring you exercise the very real rights you do have.

The goal of the LGPD is not to make data processing impossible — it is to ensure that when data is processed, it is for legitimate purposes, with appropriate transparency, and with genuine respect for your interests as a person.

OneKey Payments processes personal data only on valid LGPD legal bases, with full documentation of processing activities, transparent privacy policies, and a designated DPO available to handle all data subject requests.
