Deletion requests: anonymize or hard-delete PII irreversibly

Related rules

From the same buckets as this rule.

• Critical

  Children's data: verify age and parental consent

  If data subject is a child/adolescent, require age verification and parental/legal guardian consent prior to processing; deny processing otherwise and do not store the payload.

  compliance-lgpdapi-conventions+1
• Critical

  Encrypt PII at rest with AES-GCM and managed keys

  For fields like CPF, birth_date, and address, use AES-256-GCM with envelope encryption. Keys must come from a managed KMS; rotate data keys at least annually and store key IDs with the ciphertext.

  compliance-lgpdsecurity-hardening
• Critical

  Require explicit consent before processing sensitive data

  Before handling sensitive personal data (e.g., health, biometric), verify a valid consent record and attach its ID to the processing context. Provide a path to revoke consent and stop further processing.

  compliance-lgpdapi-conventions+1