We’ve dealt with the material and territorial scope of the GDPR.
We’ve clarified what personal data is.
It’s now time to turn to the regulation’s core principles, as spelled out by Article 5, GDPR.
The 6 + 1 principles are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability (acting as an overarching principle).
What are principles, anyway?
Before we move on to examine those seven principles in detail, let’s spend just a moment to clarify what principles are and how they act – in the GDPR framework and other legal fields.
As with principles in general, the ones spelled out by Article 5 GDPR don’t act as hard rules. They don’t list clear-cut prohibitions or obligations that data controllers must follow. Instead, they provide a framework underpinning the whole regulation.
Put another way (and please, lawyers, look away), it’s like telling a child “be good.” You don’t tell them exactly how to be good in every situation of their daily life; instead, you give them a purpose they should strive to fulfill.
How they do so might vary according to the context. Accordingly, principles don’t offer specific, detailed guidance. Instead, they act as a compass, helping children (and data controllers) navigate particular situations.
Having clarified this aspect, let’s now look at the GDPR principles.
1. Lawfulness, Fairness, and Transparency
According to Article 5(1)(1), personal data shall be «processed lawfully, fairly and in a transparent manner in relation to the data subject.»
Lawfulness, fairness, and transparency are three different but interconnected elements.
Lawfulness relates to the legal basis for processing personal data. The idea behind this principle is that – contrary to what happens in other areas of life and law – processing personal data is prohibited unless you have a valid ground for doing so.
Article 5 doesn’t elaborate on what constitutes an acceptable legal basis: that task is left to Article 6, GDPR. We’ll deal with Article 6 in the next installment of our guide; for now, suffice it to say that data processing is considered lawful when at least one of the following legal bases is present:
- Consent;
- Performance of a contract;
- Legal obligation;
- Protection of the vital interests of the data subject or another natural person;
- Performance of a task carried out in the public interest;
- Legitimate interest.
Fairness informs the relationship between the data subject and the data controller.
As the Handbook on European Data Protection Law clarifies, the latter «should notify data subjects and the general public that they will process data in a lawful and transparent manner and must be able to demonstrate the compliance of processing operations with the GDPR. Processing operations must not be performed in secret and data subjects should be aware of potential risks.»
Finally, transparency requires the data controller to keep data subjects aware of how their data is being used. Data subjects should know at any step of their journey which information you are collecting, how it is used, where it is stored, and they should be able to access it in accordance with the relevant GDPR provisions.
2. Purpose Limitation
Article 5(1)(2) clarifies that personal data can only be collected and processed for a specific, lawful and explicit purpose.
Though the article doesn’t state it in so many words, data controllers are required to establish and communicate their purpose(s) for collecting and processing personal data. Entities with an online presence usually do so in their privacy notice.
Once the data has been collected for a specific purpose, it can’t be processed for other purposes.
If data controllers want to use the data they’ve stored for a purpose that’s incompatible with the original one, they must ask for the data subject’s consent.
To offer a practical example: if someone enters their email address (personal data) on a website solely to finalize a purchase (purpose), the website owner (data controller) cannot send them marketing emails. Yeah, we know: sometimes it happens anyway. But it’s still irregular as far as the GDPR is concerned, because that personal data (the email address) is being processed for a purpose (marketing) the data subject wasn’t made aware of and didn’t accept.
Article 5 makes a partial exception for processing that is carried out in the public interest or for scientific, historical, or statistical purposes: in that case, such processing «shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes».
3. Data Minimization
According to the principle of data minimization, as spelled out by Article 5(1)(3), data controllers should only collect and store the minimum amount of data required for their purpose (another reason for establishing a clear purpose in the first place!).
The rationale behind this principle is simple. Think of personal data as cash. Would you walk around with €10,000 on your person? Probably not. You’d think of it as a danger and a nuisance. No matter how careful you are, you’d rather carry only as much cash as is strictly necessary.
Well, personal data is the same.
Not to mention that data subjects might not want to hand over lots of personal data when only a little information is necessary.
Even from a data controller’s point of view, it’s better to process as little personal data as possible. This practice protects you in case of data breaches (as the intruders will get access only to a limited set of data) and makes it easier to keep up with your obligations under the GDPR.
So if you want to send out a newsletter, don’t ask for your readers’ phone numbers or surnames. Email addresses and first names will do.
4. Accuracy
According to Article 5(1)(4), personal data shall be «accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.»
This principle is particularly crucial when personal data relating to health is concerned. To quote from our interview with Carlo Piana,
«[…] my blood group is personal data. It’s obvious that I do not want this information to be disclosed without my consent: but it doesn’t stop here.
I also want the data to be accurate and processed with due attention because otherwise, I might face serious – even lethal – consequences.»
But even when other matters are concerned, the accuracy of personal data is essential. Data subjects shouldn’t have to suffer delays or inconveniences because of inaccurate personal data.
5. Storage Limitation
Just as they shouldn’t collect unnecessary personal data, controllers shouldn’t keep personal data once its purpose has been achieved.
According to Article 5(1)(4), personal data must be «kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.»
Of course, “necessity” is a somewhat subjective notion. As a result, it’s not always easy to determine what’s “longer than necessary.”
Some organizations overcome the hurdle by setting a definite time frame for data retention. For example, they might state in their privacy notice that they’ll keep the data for two years.
This is a possible solution, but keep in mind that you can’t arbitrarily set a date and call it a day: there has to be a sound justification for your retention period.
For example, if a reader opts to unsubscribe from your newsletter, there’s no need to keep their email address (personal data). Unless you have a valid reason for doing otherwise, you should immediately delete the data without waiting for the retention period to expire.
Again, the GDPR makes a partial exception for personal data processed for historical or scientific purposes. As per Article 5(1)(4), «personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.»
In this case, data controllers are required to adopt appropriate technical and organizational measures to guarantee the rights of data subjects.
6. Integrity and Confidentiality
Data controllers are required to process personal data «in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.»
The principle of integrity and confidentiality is the only principle explicitly dealing with security (which, contrary to popular belief, is not the same as “privacy”).
Personal data must be protected from internal risks such as unauthorized processing, accidental loss or damage, and external threats like phishing, data breaches, and theft.
The rationale is straightforward: following the GDPR provisions to a T is not enough if third parties can access the data and dispose of it as they please.
Article 5 doesn’t list any specific measure that data controllers must adopt. This vagueness is intentional: with a constant stream of technical innovations in the field, what is up-to-date in 2022 (for example, encryption) might not be a valid option in 2028.
As a result, data controllers are relatively free to choose how to protect the personal data entrusted to them, as long as such protection is up-to-date and effective.
7. Accountability
The accountability principle is spelled out by Article 5(2), whose single paragraph states that «The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1.»
The idea behind the principle? It’s not enough for data controllers to say they’re compliant with the GDPR. They should be able to demonstrate compliance when asked to do so by data subjects or by supervisory authorities.
Yeah, adhering to the accountability principle might require data controllers to do a bit (euphemism) of paperwork. But they shouldn’t be too afraid of it. Since the GDPR’s adoption in 2018, many solutions have helped data controllers demonstrate they are meeting their compliance requirements.