What the data protection principles mean for you

All of your personal data must be processed in accordance with the seven data protection principles in Article 5 of the GDPR. These seven principles and what they mean for you are explained below. The full text of Article 5 is at the bottom of this page.

Remember …

  • All data controllers, no matter how big or small, must process your personal data in accordance with these principles. If they don’t then they are not processing your data in compliance with the GDPR.
  • The accountability principle means they must be able to show you how they are complying with these principles.

Lawfulness, fairness and transparency

Lawfulness means the data controller must have a lawful basis for processing your personal data. It also means the data processing must comply with the law in general, not just data protection law. So any data processing which breaches another law is also in breach of data protection law.

Recital 60 of the GDPR says “The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes”. This means you cannot be left unaware that someone is processing your personal data.

Transparency also means the data controller must take appropriate measures to inform you about how they are using personal data concerning you. There’s more detail about this in ‘More about your Right to Information’.

Purpose limitation

Any data controller wishing to process your personal data must have a good reason for doing so. In the words of the regulation the personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” (GDPR, Article 5.1(b)).

In practice this means that a data controller cannot collect your personal data for one purpose and then use it for another unrelated purpose. If you order delivery food then the restaurant will need to process your payment information and your address in order to successfully deliver the food to you. They can’t then use that personal data for a totally different purpose such as sending you marketing material.

Purpose limitation is also connected to transparency and what the Data Protection Commission sometimes calls ‘foreseeability’, summarised in a DPC case study from 2016:

“Transparency is a key principle under data protection law and the giving of notice of processing of personal data to a data subject is a major element of demonstrating compliance with this principle. In particular, the central tenet that individuals whose data is collected and processed should not generally be “surprised” at the collection and processing or its scale or scope, should inform all aspects of a data controller’s data processing operations.”

DPC Case Study #9, 2016, ‘The Necessity to Give Clear Notice When Collecting Biometric Data at a Point of Entry’

“A licence plate number can only be used for the specific purposes for which it was created. For example, a licence plate number, registered with a specific driver, can be used for identifying those drivers who are breaking the rules of the law i.e. driving dangerously. They can be used in aiding with car accidents and to regulating and identifying unregistered and undocumented vehicles. Registration plate numbers cannot be used, however, for any old purposes which have not been assigned for their purpose. To use the registration number to identify a litterbug is not compatible with its original purpose. The specific and determined purposes of processing data MUST be clear from the start.”

‘Ground Control to Farmer Tom’, Kate Doherty-Nicolau, Castlebridge

Data minimisation

This means a data controller should process the smallest amount of data required to achieve their specified purpose. They should not gather more personal data than they need.

The personal data processed must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (GDPR, Article 5.1(c)).

To continue on with the example of delivery food from above, the data controller has no need to collect any more personal data than your name, payment details and address in order to successfully deliver the food to you.

Accuracy

Every data controller must keep all personal data “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay” (GDPR, Article 5.1(d)).

Storage limitation

Your personal data must only be kept for as long as is necessary for the purpose for which it is being processed.

Integrity and confidentiality

Data controllers must keep your personal data safe and secure. They must use what are referred to as technical and organisational measures to safeguard against “unauthorised or unlawful processing and against accidental loss, destruction or damage” (GDPR, Article 5.1(f)). Data protection is often confused with information security. These two areas are related and overlap but this is the only one of the seven principles of data protection which is concerned specifically with security.

Accountability

This principle is entirely new in the GDPR, unlike most of the six above, which have existed in some form in European data protection law since at least 1995.

Accountability is set apart in the text of the GDPR and is an overarching principle which applies to all others, which are contained in paragraph 1 of Article 5.

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1” (GDPR, Article 5.2).

So not only do controllers have to process your personal data in accordance with the six other principles, they have to be able to show you how they are compliant.

This is why you will sometimes need to use your data protection rights, especially your Right of Access, to confirm that your data is being processed in compliance with data protection law.

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
