Six data protection principles
One might be curious to know how the processing of personal data should take place and whether there are certain fundamental principles applicable to it. Let’s discuss them here. While you go through them, think about the data processing you are involved in and ask yourself whether these principles are applicable.
Six data protection principles form the basis of the processing of personal data and are of crucial importance. Processing must be based on these principles, which can be found in Article 5(1) GDPR.
The first principle concerns lawfulness, fairness and transparency. It requires that personal data are processed in a lawful, fair and transparent manner in relation to data subjects. Transparency implies that any information and communication concerning the processing of personal data must be easily accessible and easy to understand. Also, clear and plain language needs to be used in this regard. More specifically, this principle ensures that data subjects receive information on the identity of controllers and the purposes of the processing of personal data.
The second principle is that of purpose limitation. It means that personal data are to be collected only for specified, explicit and legitimate purposes and it is not allowed to process them further in a way that is not compatible with those purposes. One should bear in mind, however, that further processing for the purposes of the public interest, scientific or historical research or statistical purposes is not considered as incompatible with the initial purposes and is therefore allowed.
The third principle is data minimisation. According to this principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Essentially, it means that data cannot be processed unless processing them is needed in order to achieve the above-mentioned purposes.
Accuracy is the fourth principle. It requires that personal data are accurate and are kept up to date where necessary. Personal data that are inaccurate, considering the purposes for their processing, must be deleted or rectified without any delay.
The fifth principle is storage limitation. It entails that personal data must be kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing. Storing these data for longer periods is allowed when the processing of the data will aim at achieving purposes in the public interest, scientific or historical research purposes or statistical purposes. Nevertheless, in these cases too, the rights and freedoms of data subjects must be safeguarded.
Finally, the sixth principle, integrity and confidentiality, requires that appropriate security of personal data is ensured when they are processed. This should include protection against unauthorised or unlawful processing, destruction and damage. Appropriate technical or organisational measures are to be taken in order to comply with this requirement: such data security measures can include the use of encryption and authentication and authorisation mechanisms.
In addition to the six data protection principles, the GDPR introduces in Article 5(2) the principle of accountability, without which they cannot be brought to life. According to this principle, the controller shall be responsible for compliance with the principles listed in Article 5(1) GDPR and addressed above, and shall be able to demonstrate its compliance with them. This and other duties of controllers will be discussed in greater detail later in the course.
© University of Groningen