Overview of the personal data processing principles under the General Data Protection Regulation (GDPR) and where and how the principles relating to processing of personal data matter in becoming GDPR compliant, starting from GDPR Article 5 and moving beyond it.
To attain GDPR compliance it’s important to understand the essence of the GDPR in valuing personal data and giving back control over personal data to citizens far more than its predecessor, the Data Protection Directive or Directive 95/46/EC, did.
These goals and the according rights, freedoms and principles of the GDPR, aren’t just expressed in new or strengthened principles and duties for controllers and processors but also in the extra-territorial application of the GDPR (whereby all organizations acquiring and processing personal data of EU citizens are impacted, regardless of where processing occurs).
While many of the data subject rights and rules regarding the legal bases for lawful processing of personal data of EU citizens haven’t changed too much, it’s essential to understand how the new rules fit in the scope of the mentioned goals and the overall principles which the GDPR emphasizes.
This also goes for the principles relating to processing of personal data , the topic of this article.
Setting the scene of the principles regarding the processing of personal data
Obviously there is also a degree of “updating” to be more in line with modern data processing means and activities with the GDPR and the EU wants a far more consistent approach, application and enforcement for organizations in a market reality where big data and personal data are essential in times of digital transformation, data-driven innovation, new technologies such as IoT, and Industry 4.0.
Still, the principles, rights and freedoms are omnipresent and mentioned in virtually all aspects of the GDPR, whether it concerns the role of the DPO (Data Protection Officer), the rules on consent (informed, freely given, active, etc.) or the ways to demonstrate compliance with the endorsement of cybersecurity and data management practices such as encryption and pseudonymization, the importance of DPIAs, codes of conduct and so forth.
Becoming compliant with the GDPR starts with GDPR awareness, the understanding of data subject rights, choosing the proper grounds for lawful processing for all data processing activities and understanding the principles which are enshrined in the Regulation, including the principles relating to processing of personal data.
Previously we tackled the various legal grounds for lawful processing and zoomed in on some of them in-depth. Obtaining consent or having another legal ground for lawful processing of course is just one step when it boils down to personal data processing.
When legal bases exist, the processing still needs to happen and there are indeed clear principles regarding that actual processing of personal data. These personal data processing principles are always related with (and often include) general principles such as fairness, transparency, freedom of choice and more.
Six and nine principles of personal data processing
The principles for processing personal data under the GDPR can be found in GDPR Article 5. We cover 9 personal data processing principles and take a quick look at each before diving deeper in each of them.
Why do the personal data processing principles matter (a lot)?
The reasons why these personal data processing principles are essential?
Whether it concerns the GDPR itself, the guidelines of the European Data Protection Board or supervisory authorities, jurisprudence, the practical aspects for organizations in getting in line with the GDPR or the interpretation of rights, obligations and more: they always are there, as the crucial guidelines embedded in the Regulation which the principles relating to processing of personal data really are.
As we mentioned in our overview of GDPR Chapter 2 where the personal data processing principles of Article 5 belong to, there are really six principles for personal data processing (which are sometimes also called the six data processing principles or six privacy principles) and an additional one (in paragraph 2) on accountability, which applies to all six.
Several of these principles are bundled so to speak. For example: the first personal data processing principle which Article 5 mentions is ‘lawfulness, fairness and transparency’.
In the scope of this article we mention some separately though because, although they are closely intertwined (and also intertwined with other principles and rules across the GDPR), they do come back in a separate way across the GDPR. Moreover, the Article 29 Data Protection Working Party and others have established (non-legally binding) guidelines for one or more of these three that are mentioned as if they are one in GDPR Article 5. The WP29, for instance, published guidelines on transparency.
As we we’ve split some up and also include accountability we end up with 9 principles.
The place of the principles regarding personal data processing in the GDPR
The importance of the principles relating to processing of personal data is also hard to overlook, given its place in GDPR Article 5.
Where GDPR Chapter 1 has 4 Articles which respectively cover the subject-matter and objectives of the GDPR (emphasizing the fundamental rights and freedoms of natural persons and the right to protection of personal data, whereby GDPR Recital 4 presents the principle of proportionality stating that the protection of personal data needs to be balanced with other rights and freedoms such as freedom of thought and of expression), the material scope of the GDPR, the territorial scope (with the mentioned extra-territorial application) and the several definitions in Article 4, the second Chapter of the GDPR Articles immediately starts with the principles relating to processing of personal data, before the earlier mentioned legal grounds for lawful processing of Article 6, the conditions for consent of Article 7, the consent of children in Article 8, the processing of special personal data categories in Article 9, and the processing of personal data relating to criminal offense in Article 10 and processing where no identification is needed in Article 11, which are all part of Chapter 2.
The 9 data processing principles in details
That’s enough on the importance of the principles relating to processing of personal data for now. We’ve already mentioned lawfulness, fairness and transparency. Time for an overview of all personal data processing principles and context per principle.
The personal data processing principle of lawfulness
GDPR Article 5 starts by saying that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. So, lawfulness, fairness and transparency.
The principle of lawfulness pretty much speaks for itself. Processing of personal data must happen in a lawful way and thus have a legal basis which makes the processing legitimate. Lawfulness relates indeed to the legal bases for lawful processing we covered but also, in this scope, to the actual processing. Lawfulness needs to be interpreted strictly: there must be a law allowing the processing. There are indeed cases in which there are other laws than the GDPR, in the EU or in a Member State, that require personal data processing. Moreover, sometimes the essential legal grounds for personal data processing to be lawful aren’t sufficient. As an example: whereas consent is one of legal grounds, in some cases explicit consent is needed.
In GDPR Article 6 the key elements of lawfulness are further established and throughout the text rules are defined for specific types of personal data, processing activities and the consequences, rights, liabilities and administrative fines in case of unlawful processing, as well as when the grounds of lawfulness aren’t valid anymore.
GDPR Recital 10 foresees a margin of maneuver for Member States to specify its rules, among others regarding the processing of sensitive data, and precising the conditions under which the processing of personal data is deemed lawful.
Although lawfulness is most often mentioned in the context of legal grounds for lawful processing, lawfulness as said also pertains to the actual processing.
By way of an example: the GDPR and GDPR Recital 83 oblige the controller and processor to evaluate risks and recommend measures such as encryption, to have an appropriate level of security and confidentiality whereby unlawful destructions is one of several data security risks. Disclosure of personal data, transmission of data, storage of data and so on must happen in a lawful way in the sense that all these processing activities are in line with the law, which includes first and foremost the GDPR but also others. We particularly think about the ePrivacy Regulation here, which is ‘lex specialis’ to the GDPR and affects several data processing operations once it is there, mainly in the scope of electronic communications.
Principles relating to processing of personal data: the fairness principle
Fairness is still part of that stipulation that personal data must be processed lawfully, fairly and in transparent ways of GDPR Article 5. As you could see in the infographic above it is indeed often presented as a bundle with a reference to six instead of seven (if you add liability) or eight principles.
However, here as well, fairness and the principle of fairness comes back several times in the GDPR. Simply said, fairness, means that there must be a fair balance between the personal data which organizations process as well as the reasons why they process them (which comes back later) and what they have said – and promised and described (also think about the right for the data subject to be clearly informed and not misled in any way).
It must be a fair game. In our articles on GDPR and consent and on GDPR and legal grounds for processing we gave some examples of the latter.
An organization that wants to be compliant and wants to process personal data in all fairness with regards to the data subject who controls the data doesn’t hide things and doesn’t pull tricks: it offers all information the data subject needs to have in order to make a really free decision, it says what types of personal data are processed and why (certainly when acquiring them) and it tells who it is, how data subjects can get in touch regarding their personal data, what rights they have, what the consequences of the processing are, certainly in the scope of automated decision-making and profiling, and so forth.
GDPR Recital 71 emphasizes the fairness of processing in the context of automated processing and profiling, GDPR Recital 60 puts the information duties of controllers against the backdrop of fairness and when consent is the legal basis for lawful processing GDPR Recital 42 (on the duty of the controller to be able to demonstrate that consent was given) explicitly states that a declaration of consent should not contain unfair terms.
Transparency – the duty to be transparent in the scope of data processing principles
The third and last of that initial set of principles relating to the processing of personal data is transparency.
This principle does overlap with many of the elements of fairness. Transparency is for example also clearly emphasized in the context of profiling, information duties and the demonstration of consent. Transparency means explaining for which reasons organizations process which personal data.
However, transparency also needs to be seen in the scope of the ways information and communication obligations are fulfilled in relation to the data subject. Transparency requires that information and communication with data subject doesn’t just happen (which is part of the transparency principle as well) but is also done in a way that data subjects can understand it, for instance pointing to the fact that the language is easy to understand and that the information is easy to find and access whereby the context (e.g the communication channel, information carrier, etc.) matters. Moreover, the use of long texts full of language only lawyers understand should be avoided as the information needs to be concise.
Last but not least, the transparency principle also applies to the ways in which data subjects can exercise their rights (finding the ways to do so should be easy as well) and plays even more in the context of the personal data of children where language and style of communication should be even more adapted. Make it open, make it clear and empower the data subject to find, know and do whatever needs to be known and done without making it hard.
As mentioned the Article 29 Data Protection Working Party has published guidelines on transparency under the GDPR.
The guidelines zoom in on elements of transparency under the GDPR, including the notions of ‘Concise, transparent, intelligible and easily accessible’ and ‘clear and plain language’, the ways and context of providing information and communicating, providing information to children and the fact that the provision of information in the scope of several GDPR Articles (Articles 13 and 14, the Articles on the rights of data subjects and the data breach notification duty towards data subjects) needs to be free of charge. The guidelines also zoom in on GDPR Articles and 14 with regards to the information to provide to data subjects and more.
Regarding the meaning of transparency the guidelines point to GDPR Recital 39:
“It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed…”.
Purpose limitation as a data processing principle
Purpose limitation is the second principle of GDPR Article 5 on the processing of personal data principles if you follow the ‘six principles’ approach. We’ve already covered it more in-depth when tackling consent. However, here is a brief overview of what purpose limitation means.
Each data processing activity relating to personal data has one or more purposes. Different data processing activities can share one purpose.
The essential principle of purpose limitation consists of several purpose-related elements:
- When personal data are collected they must serve a specified, explicit and legitimate (lawfulness plays here too)
- Once collected, the personal data shouldn’t obviously be processed in a way that isn’t compatible with the purposes (which are communicated to the data subject).
- When personal data is processed for specific reasons, mentioned in GDPR Article 89 (e.g. further processing for archiving purposes in the public interest), this processing isn’t considered to be incompatible with the initial purposes.
However, purpose limitation stretches further than these 3 elements. It’s logical that personal data can’t be processed for any other purpose(s) than those mentioned to the data subject at the time of collection. It’s equally logical that, when over time the purposes are changed, this has consequences, with the exception of the mentioned specific reasons.
Despite the exceptions to the purpose limitation principle, the details matter here. A specified, explicit and legitimate purpose doesn’t just mean that there must be a purpose, it also literally means that the purpose needs to be limited.
This is particularly relevant in the context of consent (hence why we tackled it there) where various purposes cannot be bundled and granularity comes in. Simply said: depending on the scope and purpose of the data processing activity you need to select an appropriate legal ground and you shouldn’t mix various purposes with some exceptions. Most importantly, the purpose at the time of collection needs to match with the processing and when the purpose is different, organizations need to check their duties.
When processing activities occur under other legal grounds (e.g. in accordance with a legal obligation as mentioned in GDPR Recital 45) then other rules on purpose and purpose limitation can play (in the example of a legal obligation purpose limitations can for instance be determined by the EU or Member State law under which the legal obligation falls).
There is more to be said about purpose limitation of course but GDPR Recital 39 is clear: “The specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed”.
The personal data processing principle of data minimization
The just mentioned quote from GDPR Recital 39 (the second sentence) is the exact description of data minimization: you have a personal data processing purpose, you have a need for personal data that serve this purpose but you can’t go beyond the processing of data which are strictly needed and relevant.
Adequacy and limitation simply means: nothing more than what is indeed needed. This principle of data minimization obliges organizations to limit themselves to the minimum of personal data which they need in the scope of a processing activity and its purpose(s).
GDPR Recital 39 builds further upon this (as do GDPR Articles) and foresees guarantees to make sure that both purpose limitation and data minimization are respected which, in turn brings us to more personal data processing principles such as storage limitation (see below).
In GDPR Article 25 once more the obligation to take “appropriate technical and organizational measures”, in proportion, is emphasized (in the context of data protection by design and by default) to implement data protection principles whereby data minimization is mentioned as such a principle and the GDPR again recommends pseudonymization.
The accuracy personal data processing principle
A logical next principle would have been storage limitation, yet let’s stick to the order of Article 5 on principles relating to processing of personal data and take a look at the next principle on the list: accuracy.
Accuracy has several meanings and certainly several areas of application. It plays in several contexts and is, among others, strongly emphasized in the context of profiling.
The essence of Article 5 and its principle of accuracy is that:
- Personal data which get processed must be accurate.
- Processed personal data must be kept up to data where such is needed (and it is indeed needed in several cases).
- Measures must be taken to erase or rectify without any delay inaccurate personal data (taking into account the process purposes).
So, accuracy does cover quite some duties and activities from the side of the controller (and/or processor) during the time of collection and during processing with an additional focus on accuracy in several circumstances. Moreover, accuracy also touches upon fundamental data subject rights such as the right to erasure (right to be forgotten) and right to rectification.
Accuracy also must be seen in the context of data hygiene, data management and data security in which accuracy mechanisms should be present, especially rectification mechanisms. If a data subject disagrees with the accuracy of personal data regarding him or her, he or she can exercise a right to restriction of processing. GDPR Recital 39 states that “every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted”.
As said, there is a particular attention for accuracy in the context of profiling. The Guidelines on profiling of the WP29 essentially state that across all the stages of profiling accuracy needs to be taken into account, from collection and analysis to the building of profiles and making decision upon them. Moreover, the data controller must make sure there are, as the guidelines put it, robust measures to make sure personal data is kept up to data at all times. It needs to be said that profiling in general also is stricter with regards to data minimization and storage limitation.
The storage limitation principle: thou shall limit processing in scope of time, need and served purpose
And that indeed brings us to that storage limitation principle we now mentioned a few times. As you could read in specific circumstances, such as profiling, extra attention is needed and storage limitation is related with purpose limitation and data minimization.
GDPR Article 5 essentially says this about storage limitation:
- Data making identification of a data subject possible shouldn’t be kept longer in a form that enables this identification then is strictly needed for the personal data processing purpose. Again the GDPR says to restrict it to the minimum but then in the scope of storage, related with purpose. Do note the ‘kept in a form’. Essentially you need to delete data in the scope of storage limitation. Yet, there are exceptions and do remember that anonymous data don’t fall under the scope of the GDPR (anonymous data can be useful, for instance for statistical purposes, obviously we’re talking about fields and records, not all data).
- The latter (statistical purposes) comes back in the exception regarding storage limitation in Article 5 whereby longer storage periods of personal data are allowed when the personal data is only processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, whereby the organization needs to take the right technical and organizational measures.
In general the rule is: data not needed anymore longer than is really strictly needed for the purpose: delete. And as the infographic above rightfully states: in practice your record retention policy needs to specify for how long data is stored (namely as long as required but you need to take actions and inform of course).
The principle of integrity and confidentiality
Although confidentiality is often mentioned separately in the GDPR we left the principle of integrity and confidentiality as one here since it’s specifically related to personal data processing principles that revolve around security and those technical and organizational measures which we mentioned several times and are omnipresent in the GDPR.
In a nutshell what GDPR Article 5 says about integrity and confidentiality:
- The data processing needs to be done in such ways that a proper level of security with regards to the personal data is guaranteed.
- In order to do so, the right measures need to be taken.
- Among the elements to look at from this security and measures perspective are elements such as protections and safeguards to prevent unauthorized and unlawful processing, accidental loss, destruction or damage of personal data which are processed and more.
Although as such this doesn’t need too much explanation, in practice is obviously essential and impactful from a GDPR compliance perspective and there are ample measures to take, on levels of information governance, security and certainly also GDPR staff awareness and security education as the human element can’t be overlooked in accidental losses, breaches of confidentiality and more.
The principle of personal data processing principles: accountability and the duty to guarantee processing principles
The principle of accountability is the final one in GDPR Article 5 and subject of paragraph 2. You can see it as a principle that includes all of the above mentioned principles and more: the controller is not just responsible for GDPR compliance in general and in the scope of all the data protection principles in paragraph one, the controllers also needs to be able to demonstrated that compliance.
We’ll keep it short as we wrote about the compliance and other duties, including accountability, of the controller. The accountability of the controller also includes responsibilities in working with data processors, a second topic we covered separately.
As the infographic above puts it accountability essentially refers to the duty to comply with the principles and the ability to demonstrate that processing is performed in accordance with these personal data processing principles.
Next in regulations and compliance: EU DORA Digital Operational Resilience Act
Top image: Shutterstock – Copyright: Maksim Kabakou – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for EU GDPR compliance.