The principles of the General Data Protection Law - LGPD

September 21, 2020

The General Data Protection Law (LGPD), Law 13,709 of August 14, 2018, was enacted after the president's sanction, on September 18, 2020, converting Provisional Measure 959/2020 into law, and regulating the protection of personal data of individuals, with a level of detail never before achieved by any other local law.

One of the most important aspects of the measure is that it will serve as a legal foundation for the National Data Protection Authority (ANPD), which in turn provides a mechanism to assess – and potentially disqualify – the framework adopted by a company for the treatment of personal data if it is alleged to violate the new legal norm. These are currently principles which most companies ignore, and which are arguably not accorded their due importance even by some experts on the subject.

The following are the principles that govern the General Data Protection Law:

1. Purpose: Laying out processes for legitimate, specific, explicit, and informed handling (of personal data) for the holder, without the possibility of further treatment in a manner incompatible with those purposes;
2. Suitability: Compatibility of the handling with the purposes conveyed to the holder, according to the context of the treatment;
3. Need: Limitation of handling to the minimum necessary for the accomplishment of its purposes, with coverage of the relevant data, proportional and not excessive according to the purposes of the data processing;
4. Free access: Guarantee to holders of free and easy consultation on the form and duration of handling, as well as on the completeness of their personal data;
5. Data quality: Guarantee to the holders of accuracy, clarity, relevance, and updating of data, associated with the fulfillment of the purpose of its processing;
6. Transparency: Guarantee, to the holders, of clear, accurate, and easily accessible information on the performance of the treatment process and that of respective agents, while preserving commercial and industrial secrets;
7. Security: Use of technical and administrative measures to protect personal data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication, or dissemination;
8. Prevention: Adoption of measures to prevent the occurrence of damages due to the processing of personal data;
9. Non-discrimination: Precluding any usage for illicit or abusive discriminatory purposes;
10. Accountability: Demonstration, by the agent, of the adoption of effective measures capable of proving observance of and compliance with the rules of protection of personal data and the effectiveness of these measures.

Furthermore, it is no secret that the LGPD has been heavily influenced by the GDPR, the law on the protection of personal data enacted in Europe. This enables us to observe what regulators have interpreted in situations that will be very similar to those faced by the ANPD in Brazil.

In Finland, for example, the Deputy Data Protection Ombudsman, the Finnish regulator, fined a taxi company € 72,000 for violating the principle of minimizing data use, a principle similar to that of need in the LGPD, by installing security cameras in its taxis which also recorded audio of the passengers’ conversations.

Likewise, a large department store was fined by CNIL, the French regulator, € 250,000 for recording and retaining all telephone conversations in full and keeping customer bank data unencrypted, violating principles similar to our principles of need and security, respectively.

Another judgment frequently made by the Spanish regulator AEPD is to disqualify the legal justification for companies using footage from security cameras with coverage of public places adjacent to their property. These rulings have been based on the assessment that such usage violates the principle of transparency because people are not informed by a poster that they may be filmed for security reasons.

Therefore, care must be taken in developing frameworks for the processing of someone’s personal data according to the legal bases provided in the LGPD to ensure that the principles described above are respected.
