What the data protection principles mean for you
All of your personal data must be processed in accordance with the seven data protection principles in Article 5 of the GDPR. These seven principles and what they mean for you are explained below. The full text of Article 5 is at the bottom of this page.
Remember …
- All data controllers, no matter how big or small, must process your personal data in accordance with these principles. If they don’t then they are not processing your data in compliance with the GDPR.
- The accountability principle means they must be able to show you how they are complying with these principles.
Lawfulness, fairness and transparency
Lawfulness means the data controller must have a lawful basis for processing your personal data. It also means the data processing must comply with the law in general, not just data protection law. So any data processing which breaches another law is also in breach of data protection law.
Transparency also means the data controller must take appropriate measures to inform you about how they are using personal data concerning you. There’s more detail about this in ‘More about your Right to Information’.
Purpose limitation
DPC Case Study #9, 2016, ‘The Necessity to Give Clear Notice When Collecting Biometric Data at a Point of Entry’
‘Ground Control to Farmer Tom’, Kate Doherty-Nicolau, Castlebridge
Data minimisation
This means a data controller should process the smallest amount of data required to achieve their specified purpose. They should not gather more personal data than they need.
The personal data processed must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (GDPR, Article 5.1(c)).
To continue with the food delivery example from above, the data controller has no need to collect any more personal data than your name, payment details and address in order to deliver the food to you.
Accuracy
Storage limitation
Your personal data must only be kept for as long as is necessary for the purpose for which it is being processed.
Integrity and confidentiality
Accountability
This principle is entirely new in the GDPR, unlike most of the six above, which have existed in some form in European data protection law since at least 1995.
Accountability is set apart in the text of the GDPR and is an overarching principle which applies to all others, which are contained in paragraph 1 of Article 5.
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1” (GDPR, Article 5.2).
So not only do controllers have to process your personal data in accordance with the six other principles, they also have to be able to show you how they are compliant.
This is why you will sometimes need to use your data protection rights, especially your Right of Access, to confirm that your data is being processed in compliance with data protection law.
Article 5 of the GDPR (full text)
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Where next?
Read more elsewhere
‘Principles of Data Protection’, Data Protection Commission
‘What data can we process and under which conditions?’, European Commission