10 LGPD principles that guide personal data processing
The principles of the LGPD (Brazilian General Data Protection Law) are the concepts and beliefs that support the law. The law was built on them.
Therefore, companies must also base their actions on the LGPD’s principles when processing personal data. That’s why it’s so important to know them and, above all, to understand them.
But to better understand the law, we first need to avoid confusing two essential terms in the LGPD: principles and legal bases. Do you know the difference between them?
We will discuss this distinction below and present in detail the 10 principles for personal data processing laid down in the LGPD.
What is the difference between the principles and legal bases?
First, it’s necessary to define the difference between principles and legal bases according to the LGPD.
- Principles: As explained earlier, the principles are the pillars of the LGPD that underlie and give logic to the law.
- Legal bases: on the other hand, the legal bases are the hypotheses or arguments that companies use to validate any operation involving personal data.
People usually confuse these terms due to their similar meanings and also because the LGPD has 10 principles and 10 legal bases. Both must be taken into account when planning a compliance process with the law.
That said, it’s possible to say that using a legal basis doesn’t necessarily mean being in line with the principles. In other words, a company can adopt a legal basis to justify the use of personal data, but still break the law if it doesn’t comply with the principles.
A good example is a company that uses the legal basis of consent to collect data about a person’s race and then handles that data arbitrarily. In doing so, the company could be violating the principle of non-discrimination, for example, and be subject to legal sanctions.
Therefore, it’s imperative to be aware of both the legal bases and the principles of the LGPD.
What are the 10 principles of LGPD?
The principles of the LGPD that must guide and validate the processing of personal data are described in Article 6 of the law. They are:
- Purpose;
- Adequacy;
- Necessity;
- Free access;
- Data Quality;
- Transparency;
- Security;
- Prevention;
- Non-Discrimination;
- Accountability.
Now, check the details of each principle and some examples.
1. Principle of Purpose
According to the LGPD text, the purpose principle is related to the “realization of the processing for legitimate, specific, explicit and informed purposes to the data subject, without the possibility of further processing in a way incompatible with those purposes”.
In short, it means that the company must clarify the purpose and reason to collect and use personal data and remain loyal to them.
For example, if you make it clear to a person that you’re collecting personal data to process payments, you cannot use that same data for promotions and marketing.
2. Principle of Adequacy
The adequacy principle concerns the “compatibility of the processing with the purposes informed to the data subject, according to the processing context”.
Once the purpose of processing personal data has been defined, you must adapt the action as promised. In practice, it’s nothing more than enforcing the first principle.
3. Principle of Necessity
Here the LGPD avoids exaggeration, prohibiting companies from processing and collecting more data than necessary. The principle of necessity is concerned with “limiting processing to the minimum necessary to realise its purposes”.
Therefore, it’s essential to reflect on what personal data will be used for the purpose previously determined and whether you aren’t processing and collecting more data than you should.
4. Principle of Free Access
In the context of LGPD, the principle of free access says that the data subject must have access to his data in a transparent and accessible way.
From the company’s point of view, free access is defined as the “guarantee, to the subjects, of free and easy consultation on the duration and the way of the processing, as well as on the completeness of their data”.
5. Principle of Data Quality
The fifth principle of the law states that the company must ensure that personal data are up to date and accurate. That is, the data must not be false or out of date.
The LGPD says that the principle of data quality is the “guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of the data, according to the need and for the fulfillment of the purpose of its processing”.
6. Principle of Transparency
In general, the transparency principle talks about the company having accuracy, ethics, and honesty when dealing with personal data.
Principle of transparency: “guarantee, to the data subjects, clear, accurate and easily accessible information about the realization of the processing and the respective processing agents, observing the commercial and industrial secrets”.
7. Principle of Security
According to the LGPD, the security principle is “the use of technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination”.
The company needs to keep in mind security and privacy processes and solutions to comply with the law.
8. Principle of Prevention
Security and prevention go together. That said, the principle of prevention refers to the “adoption of measures to prevent the occurrence of damages due to the processing of personal data”.
By the way, it’s based on the principles of prevention and security that Gatefy helps companies to comply with LGPD. After all, companies need to protect themselves and prevent threats and attacks.
Adopting a Secure Email Gateway (SEG) solution for email protection, for example, blocks hacker attacks, preventing data breaches and protecting the information that the company handles and controls.
9. Principle of Non-Discrimination
According to the LGPD, the principle of non-discrimination is “the impossibility of processing for illicit or abusive discriminatory purposes”.
On this point, as already mentioned, the law is very clear: the company cannot process personal data for the purposes of discrimination and abuse.
10. Principle of Accountability
Last but not least, the tenth principle of the LGPD states that the company has to adopt and prove the use of measures that confirm that the requirements of the law are being complied with.
LGPD explained
Finally, by sharing the explanation of each of the 10 principles of the LGPD, we hope that you can have a better, broader understanding of the law so that you can comply with it more easily.