Fundamental Processing Principles
Law 21.719 sets out eight principles that constitute binding legal obligations. Each principle requires specific controls and documentation to demonstrate compliance, and non-compliance may result in administrative liability before the Agency.
Verifiable Implementation
Principles must be translated into documented technical and organizational controls. Agency oversight includes review of consent records, access logs, processor contracts, incident response procedures, and evidence of staff training.
Principles of Lawfulness and Fairness
Processing requires a valid legal basis that the controller must be able to demonstrate.
Applicable Legal Bases
- Data subject consent
- Contractual performance
- Legal obligation
- Legitimate interest of the controller
- Public interest or public authority
Required Documentation
- Record of legal bases applied
- Evidence of consents
- Legitimate interest analysis
Purpose Principle
Personal data may be collected only for specific, explicit and lawful purposes, and processing is limited to those declared purposes.
Requirements
- Specific purposes at collection time
- Processing limited to declared purposes
- Clear specification in privacy notices
Processing for Different Purposes
- Purposes compatible with the original ones
- New consent from the data subject
- When established by law
Proportionality Principle
Collection is limited to data that is necessary and relevant to the purposes, and data is retained only for as long as those purposes require.
Data Minimization
- Collect only necessary data
- Limit to specific purposes
- Define retention periods
Deletion or Anonymization
- Delete when purposes are fulfilled
- Anonymize as an alternative
- Justify extended retention
Quality Principle
Data must be accurate, complete, current and relevant in relation to its source and processing purposes.
Maintenance Obligations
- Accuracy verification at collection
- Periodic data updates
- Correction of detected inaccuracies
Obsolete Data Management
- Identification of outdated data
- Deletion of irrelevant data
- Regular validation processes
Accountability Principle
The controller must be able to demonstrate compliance with the obligations established by the law; it is not enough to comply, compliance must be evidenced.
Implementation
- Documented policies and procedures
- Staff training
- Compliance audits
Required Evidence
- Record of processing activities
- Impact assessments
- Processor contracts
Security Principle
The controller must adopt technical and organizational measures appropriate to the risk level of the processing.
Technical Measures
- Data encryption
- Access controls
- Backups and recovery
Organizational Measures
- Security policies
- Cybersecurity training
- Incident response procedures
Transparency and Information Principle
The data subject must receive clear, accurate and accessible information about the processing and about their rights.
Mandatory Content
- Identity of controller and DPO
- Purposes and legal basis of processing
- Data subject rights and how to exercise them
Delivery Method
- Accessible privacy notices
- Layered information
- Clear and concise language
Confidentiality Principle
The controller and anyone who accesses personal data are bound by a duty of secrecy, which continues after the relationship that gave access to the data ends.
Obligated Parties
- Internal staff
- Data processors
- Consultants and advisors
Implementation
- Confidentiality agreements
- Training on confidentiality duties
- Role-based access controls
Frequently asked questions
What are Law 21.719's fundamental principles?
Lawfulness and fairness; purpose; proportionality (data minimisation and storage limitation); quality (accuracy); accountability; security; transparency and information; and confidentiality. They underpin all processing, and a breach of any of them constitutes an infringement under the Agency's sanctioning regime.
What does the purpose-limitation principle require?
Processing may only occur for specific, explicit and lawful purposes notified to the subject at or before collection. Data cannot be further processed for a different purpose unless that purpose is compatible with the original one, the data subject gives new consent, or the law expressly allows it.
What does the proportionality/minimisation principle require?
Data processed must be adequate, relevant and limited to what is necessary for the purposes. Collecting unnecessary data or retaining it beyond the required period is a breach and increases risk in case of security incidents.
How is accountability satisfied?
Through documentation evidencing compliance: records of activities, impact assessments, internal policies, training, processor contracts, incident logs and records of responses to subject rights. The burden of proof falls on the controller before the Agency.
What is the transparency principle?
The controller must inform the subject clearly, accessibly and in plain language about processing, purposes, legal basis, recipients, retention periods, rights and the authority before which to complain. The privacy policy is the typical, but not the only, instrument.