Put: Leonardo Neri

Formatted in 2021, the Guidance Guide on electoral issues was made available at the beginning of 2022 not only by coincidence, since it is an election year in the country and with the increase in access to information through virtual means, it is necessary for citizens to have transparency and security regarding their personal data at this decisive moment that involves the political future of the nation. 

Therefore, for better understanding, the manual explains in a cohesive manner the main legal bases of the General Data Protection Law, LGPD. Being them, the Consent the use of personal data, which is stated in Article 7, paragraph I and Article 11, paragraph I. The Legal Obligation, discriminated against in the article 7, paragraph II and article 11, paragraph II,; and finally, the Legitimate Interest of the Controller or Third Party, expressed in greater detail in the article 7, item IX of the same law. 

It is also worth noting that it demonstrates how to use the principles of necessity, adequacy and purpose for the legitimate processing of sensitive personal data. Furthermore, it explains by way of example how to avoid misuse of purpose in the processing of personal data. Let's see: 

After fulfilling its function. The processing of personal data is finalized and terminated, and such data cannot be used for purposes incompatible with the original legal basis that gave legitimacy to the data processing operation. Therefore, as a rule, it is necessary to delete or anonymize personal data that is not suitable for a respective legal basis, as expressed in the body of the LGPD itself. 

When assessing the context of the use of personal data in the electoral environment, monitoring the principle of accountability and provision of services will be of utmost importance, Accountability. This principle emphasizes that the entity responsible for processing personal data must provide documents that prove the mitigation of risks in a given risk operation implemented by decision of the company or public entity itself. This is the case of the Privacy Governance Program (PGP), which is included in article 50, §2, item I of the LGPD. In addition to complying with the guidelines covered by the principles of the LGPD, as well as the legal bases presented above, entities are also required to establish a record of personal data processing operations, as demonstrated in article 37 of the LGPD, which in practice we call a data inventory. 

Another extremely important point is the channels through which the right holder must seek to fully exercise the principles of transparency and free access, whether through access to an application, website, email or any digital form, which is directly linked to the channel through which the holder provided his/her data. 

Subsequently, and no less essential, the way in which entities should protect themselves and provide security regarding the personal information acquired was disclosed, through information security policies, specialized training, contract management, access control and password management, storage and communication security, as well as routine maintenance of institutional programs, etc.  

Finally, data protection must be interpreted by electoral legislation in a practical way through joint and coordinated action between the National Data Protection Authority (ANPD) and the TSE, with legitimate use of the database collected prior to the LGPD, in addition to the transfer, donation and sale of databases, sending of instant electronic messages and boosting of content. 

Source: https://www.gov.br/anpd/pt-br/assuntos/noticias/guia_lgpd_final.pdf