The principles are set out in Article 5 of the GDPR and run throughout the Regulation, and they apply to every personal data processing activity. As the cornerstone of the Regulation, they should be kept in mind when interpreting the rights and duties established in the GDPR.
-
Lawfully, Fairly and Transparently
Lawfully refers to the duty to process personal data only when there is an appropriate legal basis or legislative measure under the GDPR, EU law or Member State law. Strictly speaking, you may collect and process personal data only when you have a legitimate ground for doing so, e.g. consent (Article 6(1)(a)) or, for special categories of data, explicit consent (Article 9(2)(a)).
In that sense, a situation where personal data has been obtained through unauthorised access would be unlawful and therefore contrary to this principle.
Relevant references: Articles 5, 6, 9 and 10 / Recitals 39, 45 and 63
Fairly requires providing sufficient information to the data subject to make the processing fair and transparent. In particular, the data subject needs to be informed of the existence of the processing operation and of its purposes at the time of collection. The information should include all details necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data is processed.
Where applicable, the data subject should also be informed of the existence of profiling and its consequences, of any legal obligation to provide the personal data, and of the consequences of not doing so.
Relevant references: Articles 5 and 6 / Recitals 39, 45, 60 and 71
Transparently refers to the responsibility to ensure that any information or communication addressed to the data subject is concise, easily accessible and easy to understand, in clear and plain language, especially when it is addressed to a child.
Furthermore, to ensure fair and transparent processing, this duty covers the information that must be accessible to the data subject. As a rule, natural persons should be made aware of the risks, rules, safeguards and rights in relation to the processing of their personal data, and of how to exercise their rights in relation to such processing.
Relevant references: Articles 5, 12 to 22 and 34 / Recitals 39, 58 to 63 and 71
-
Purpose Limitation
This principle can be divided into two parts:
- personal data may only be collected for specified (defined), explicit (clear) and legitimate (in line with the law) purposes, determined at the moment of collection. Undefined and/or unlimited purposes are unlawful;
- personal data must only be processed in a manner compatible with those purposes. Otherwise, the further processing requires a new and separate legal basis.
There are two specific exceptions to this principle:
- Article 89(1): further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible, as long as appropriate technical and organisational measures are in place to protect the rights and freedoms of the data subjects, in particular the principle of data minimisation.
- Article 6(4): processing for another purpose that is compatible with the purpose for which the personal data were initially collected. Where the further processing is not based on consent or on Union or Member State law, the controller must assess compatibility, considering: (i) the fair processing information the controller initially provided to the data subject; (ii) the link between the purposes for which the data were collected and the purposes of the further processing; (iii) the context in which the data were collected and the reasonable expectations of the data subjects as to their further use; (iv) the nature of the data and the impact of the further processing on the data subjects; and (v) the safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
Relevant references: Articles 5 and 6 / Recitals 39, 45 and 50
-
Data Minimisation
This principle refers to the duty to process personal data only where they are adequate (appropriate), relevant (pertinent) and limited to what is necessary for the purposes for which they are processed (not excessive).
To limit the storage of personal data to a strict minimum, time limits for erasure or periodic reviews to assess what should be erased need to be established. Data minimisation also requires assessing whether personal data need to be processed at all: if another reasonable, privacy-friendly solution can fulfil the purposes, the personal data should not be processed.
Relevant references: Articles 5 and 25 / Recitals 39 and 156
-
Accuracy
This principle imposes the responsibility to take every reasonable step to ensure that personal data are accurate and, where necessary, kept up to date in relation to the specific purposes for which they are processed. Inaccurate data must be erased or rectified without delay.
Attention should be given to the word "reasonable": the steps required should not involve a disproportionate effort.
Relevant references: Articles 5, 16 and 18 / Recital 39
-
Storage Limitation
This principle refers to the obligation to keep personal data in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which they are processed. In that sense, data retention has to be set so that personal data are erased (or anonymised) once those purposes have been served.
There is one specific exception to this principle:
- Article 89(1): personal data may be stored for longer periods for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, as long as appropriate technical and organisational measures are in place to protect the rights and freedoms of the data subjects, in particular the principle of data minimisation.
Relevant references: Articles 5, 6, 23 and 25 / Recitals 39 and 45
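As an added example (not part of the original article) of how the data minimisation and storage limitation duties above translate into the periodic retention review they call for, the Python below applies a hypothetical per-purpose retention schedule to a constructed set of records and decides, record by record, what to keep, erase or flag for review. The purposes, retention periods and the `archival_89_1` / `pseudonymised` flags are assumptions for illustration; they are not taken from the GDPR text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule keyed by the purpose specified at collection.
# The purposes and periods are constructed for this example, not taken from the GDPR.
RETENTION_DAYS = {
    "order_fulfilment": 30,
    "tax_records": 365 * 10,
    "newsletter": 365 * 2,
}


@dataclass
class Record:
    record_id: str
    purpose: str                 # purpose specified at the moment of collection
    collected_at: datetime       # timezone-aware collection timestamp
    archival_89_1: bool = False  # kept for archiving/research/statistics (Art. 89(1))
    pseudonymised: bool = False  # safeguard required for the Art. 89(1) exception to apply


def retention_decision(record: Record, now: datetime) -> str:
    """Return 'keep', 'erase' or 'review' for one record.

    - 'review': the purpose is not in the schedule, so no retention period was
      ever specified; a record cannot be retained on an undefined purpose.
    - 'erase': the period for the stated purpose has elapsed and no valid
      exception applies.
    - 'keep': still within the period, or archived under Art. 89(1) with the
      data-minimisation safeguard (pseudonymisation) actually in place.
    """
    limit = RETENTION_DAYS.get(record.purpose)
    if limit is None:
        return "review"
    if now - record.collected_at <= timedelta(days=limit):
        return "keep"
    # Period expired: the Art. 89(1) exception only counts when the safeguard exists.
    if record.archival_89_1 and record.pseudonymised:
        return "keep"
    return "erase"


def run_retention_pass(records, now):
    """Periodic review: map every record id to its retention decision."""
    return {r.record_id: retention_decision(r, now) for r in records}


# Constructed sample data set so the example runs offline.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("r1", "order_fulfilment", datetime(2021, 5, 20, tzinfo=timezone.utc)),        # 12 days old: keep
    Record("r2", "order_fulfilment", datetime(2021, 3, 1, tzinfo=timezone.utc)),         # 92 days old: erase
    Record("r3", "newsletter", datetime(2018, 1, 1, tzinfo=timezone.utc), True, True),   # expired, exception with safeguard: keep
    Record("r4", "newsletter", datetime(2018, 1, 1, tzinfo=timezone.utc), True, False),  # exception claimed without safeguard: erase
    Record("r5", "undefined_purpose", datetime(2021, 5, 30, tzinfo=timezone.utc)),       # purpose never specified: review
]

if __name__ == "__main__":
    for record_id, decision in run_retention_pass(SAMPLE_RECORDS, NOW).items():
        print(record_id, decision)
```

The point of the `review` outcome is that a record whose purpose was never specified has no retention period to apply, so the schedule cannot silently keep it; and `r4` shows that claiming the Article 89(1) exception without the accompanying safeguard does not extend retention.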
-
Integrity and Confidentiality
This principle establishes the duty to process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Relevant references: Articles 5 and 32 / Recitals 74 to 84, 94 and 95
-
Accountability
This principle states the obligation of the controller to comply with the principles above and to be able to demonstrate that processing is performed in accordance with them.
Relevant references: Articles 5(2) and 24
KEY POINTS:
- The obligation to comply with the principles rests with the Data Controller(s). However, the Data Processor(s) must observe them and act accordingly; keep in mind the Data Processor's obligation under Article 28(3)(h) GDPR to make available the information necessary to demonstrate compliance and to allow for audits.
- Union or Member State law may restrict, by way of a legislative measure, the scope of Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, as long as such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national security, defence, public security, etc. For full details see Article 23 and Recital 73 of the GDPR.
Jessica Lam