
2.3. What are the principles applicable to the processing of personal data?

Principles can be understood as general norms embedding values that are particularly important within a legal system.79 The GDPR contains six principles governing the processing of personal data to which controllers are required to adhere. These are:80


1. Lawfulness, fairness and transparency

Lawfulness means that there must be a legal basis (or ground) for processing personal data.81 Fairness can be linked to ethical personal data processing, in the sense that personal data must be handled in ways that people would reasonably expect, and not used in ways that have unjustified adverse effects upon them.82 Transparency requires informing the data subjects in clear and plain language as to how their data is being used, and what the risks, rules, safeguards, and rights connected to the processing of personal data are.83

2. Purpose limitation

Purpose limitation means that any processing of personal data must be done for a well-defined specific purpose, identified before the beginning of processing. Any further processing must be compatible with the original purpose.84 This is the principle that prevents collection of personal data ‘just in case’, without any outline as to how it will be used.

79 Oxford Bibliographies Online, ‘General Principles of Law’ https://www.oxfordbibliographies.com/view/document/obo-9780199796953/obo-9780199796953-0063.xml.
80 Article 5 GDPR.
81 Footnote 30, 118.
82 ICO, ‘Principle (a): Lawfulness, fairness and transparency’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/.
83 Footnote 30, 118.
84 Idem, 122.

3. Data minimization

Data minimization entails using only the data that is adequate, relevant and not excessive in relation to the purpose for which it has been collected and/or further processed.85

4. Accuracy

Accuracy requires that personal data must be checked regularly and kept up to date, and that inaccurate data is promptly erased or corrected (‘rectified’ in GDPR terminology).86

5. Storage limitation

Storage limitation requires the deletion or anonymization of personal data as soon as it is no longer needed for the purposes for which it was collected.87

6. Integrity and confidentiality

Integrity and confidentiality are related to data security. They imply that appropriate technical and organizational measures to secure personal data and prevent data breaches must be set in place.88

Controllers are accountable for demonstrating compliance with the six principles. For this purpose, SMEs need to put in place appropriate technical and organizational measures, and be able to demonstrate what they did and its effectiveness, when requested.89

85 Idem, 125.
86 Idem, 127.
87 Idem, 129.
88 Idem, 131.
89 See 3.7.1 Responsibility of the controller and the principle of accountability.
