By Leonardo Neri
Continuing with the articles that delve deeper into the study of the Personal Data Law, the initial part of the General Data Protection Law also contains the principles that should guide data processing. This is an essential part of the new law, since these principles will help to understand many of the rules that will be examined later.
Under Article 6, the principles of data processing in Brazil are, in addition to objective good faith, the following:
| Principles of Personal Data Processing | Concept | Explanation |
| Purpose | The processing of personal data must be carried out for legitimate, specific, explicit purposes and informed to the holder, without the possibility of subsequent processing in a manner incompatible with these purposes. | Examples: Marketing or selling new products or services; Analysis of consumption profiles; adaptation and development of new products and services; etc. |
| Adequacy | Compatibility of the processing with the purposes informed to the data subject, according to the context of the processing | Considering the examples cited above, the data could not be used for religious purposes. |
| Need | Limitation of processing to the minimum necessary to achieve its purposes, covering relevant, proportionate and non-excessive data in relation to the purposes of data processing | In the case of the purpose of developing new products, the processing should be limited to the opinions of users about a given product or service, strictly linked to issues of improvement and adaptability and never to the collection of a person's intimate data, for example. |
| Free access | Guarantee to the holders of easy and free consultation on the form and duration of the processing, as well as on the integrity of their personal data | The user must have unrestricted access to the format in which the data processing was agreed upon. |
| Data quality | Guarantee to the holders of accuracy, clarity, relevance and updating of data, according to the need and to fulfill the purpose of its processing | This is a principle linked to that of necessity, as it establishes the verisimilitude of data over time. It is a guarantee to the user. |
| Transparency | Guarantee to the holders of clear, precise and easily accessible information about the performance of the treatment and the respective treatment agents, observing commercial and industrial secrets | This principle refers to the user's visibility on how their data is being processed. |
| Security | Use of technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination. | Monitoring and measures to protect privacy and intimacy |
| Prevention | Adoption of measures to prevent the occurrence of damages due to the processing of personal data | In order to prevent leakage of confidential information |
| Non-Discrimination | Impossibility of carrying out processing for unlawful or abusive discriminatory purposes | Closely linked to the essence of the purpose (legitimate, specific, explicit purposes informed to the holder) |
| Accountability and accountability | Demonstration, by the agent, of the adoption of effective measures capable of proving observance and compliance with personal data protection standards and, including, the effectiveness of these measures | This principle is closely linked to the monitoring of the standard by a competent agent to be defined by MP or subsequent Law. |
It is noted that the principles set out in Article 6 need to be interpreted in accordance with the foundations addressed in the previously written article, and it is a great challenge to achieve the objectives of free development of personality and preservation of the autonomy of human will, without due control on data processing. Therefore, without greater understanding and transparency about algorithms, it is not possible to guarantee the effectiveness of several of the principles listed by law.
Thus, article 5 of the law provides for how personal data will be protected, introducing the concept of control over data processing processes that may pose risks to fundamental rights. Without proper visibility into how data is used, risks cannot be properly identified or minimized. For this reason, expertise is very important for a deep understanding of the technical tool – algorithms – in order to ensure due transparency in compliance with the standard.
Based on the above, given the detailed analysis of the introductory part of the General Data Protection Law, it is already possible to identify some interpretative and implementation challenges, which will be discussed in detail in the next articles on the law.