Data processing principles Flashcards
(13 cards)
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
Article 5, par. 1 of the GDPR sets out the principles governing the processing of personal data. These principles cover:
① lawfulness, fairness and transparency;
② purpose limitation;
③ data minimisation;
④ data accuracy;
⑤ storage limitation;
⑥ integrity and confidentiality.
Par. 2: Accountability principle
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
① The lawfulness of processing principles
Under the GDPR, lawfulness requires that processing has a lawful GROUND (Art. 6 GDPR):
a) consent of the data subject;
b) necessity to enter a contract;
c) a legal obligation;
d) necessity to protect the vital interests of the data subject or of another person;
e) necessity for performing a task in the public interest;
f) necessity for the legitimate interests of the controller or a third party, if they are not overridden by the interests and rights of the data subject.
+ provisions that set out legal requirements concerning the manner of data processing
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
① The fairness of processing principles
- Personal data processing should be done in a fair manner.
- The data subject must be informed of the risk to ensure that processing does not have unforeseeable negative effects.
- Data subjects should be aware of the potential risks involved in processing their personal data.
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
① Fairness of processing (relationship between data controller and data subject)
- Controllers should notify data subjects and the general public that they will process data in a lawful and transparent manner and must be able to demonstrate the compliance of processing operations with the GDPR.
- Furthermore, controllers, so far as possible, must act in a way which promptly complies with the wishes of the data subject, especially where his or her consent forms the legal basis for the data processing.
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
① The transparency of processing principles
- Personal data processing should be done in a transparent manner.
- Controllers must inform data subjects before processing their data, among other details, about the purpose of processing and about the identity and address of the controller.
- Information on processing operations must be provided in clear and plain language to allow data subjects to easily understand the rules, risks, safeguards and rights involved.
- Data subjects have the right to access their data wherever they are processed.
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
② The principle of purpose limitation
The principle of purpose limitation means that any processing of personal data must be done for a specific, well-defined purpose and only for additional, specified purposes that are compatible with the original one.
- The purpose of processing data must be defined before processing is started.
- Data controllers are responsible for identifying the lawful ground relevant to the defined purpose for processing the data.
- There can be no further processing of data in a way that is incompatible with the original purpose.
- The GDPR provides for exceptions to this rule for archiving purposes in the public interest, scientific or historical research purposes and statistical purposes (Rec. 50 «In such a case, no legal basis separate from that which allowed the collection of the personal data is required»)
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
③ The data minimisation principle
- Data processing must be limited to what is necessary to fulfil a legitimate purpose.
- The processing of personal data should only take place when the purpose of the processing cannot be reasonably fulfilled by other means.
- Data processing may not disproportionately interfere with the interests, rights and freedoms at stake.
(Art. 5, par. 1, point c), GDPR)
«Personal data shall be: […] c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed».
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
④ The data accuracy principle
- The principle of data accuracy must be implemented by the controller in all processing operations.
- Inaccurate data must be erased or rectified without delay.
- Data may need to be checked regularly and kept up to date to secure accuracy.
(Art. 5, par. 1, point d), GDPR)
«Personal data shall be: […] d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay».
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
⑤ The storage limitation principle
- The principle of storage limitation means that personal data must be deleted or anonymised as soon as they are no longer needed for the purposes for which they were collected.
- Personal data may be stored for longer periods when these data will be processed for:
  - archiving purposes in the public interest;
  - scientific or historical research purposes;
  - statistical purposes.
(Art. 5, par. 1, point e) GDPR)
«Personal data shall be: […] e) kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which personal data are processed».
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
⑥ The data security principle
- The security and confidentiality of personal data are key to preventing adverse effects for the data subject.
- Security measures can be of a technical and/or organisational nature.
- Pseudonymisation is a process that can protect personal data.
- The appropriateness of security measures must be determined on a case-by-case basis and reviewed regularly.
(Art. 5, par. 1, point f), GDPR)
«Personal data shall be: […] f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures».
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
⑥ The data security principle
(Controller)
Article 25 of the GDPR explicitly refers to pseudonymisation as an example of an appropriate technical and organisational measure that controllers should implement to accommodate the data protection principles and integrate the necessary safeguards.
Adherence to an approved code of conduct or an approved certification mechanism can help to demonstrate compliance with the security of processing requirement.
Where a personal data breach takes place, the GDPR requires the controller to notify the competent supervisory authority, without undue delay, of a breach that poses risks to the rights and freedoms of individuals.
In certain situations, exceptions to the notification obligation may apply.
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
⑥ The data security principle
(Controller and personal data processing principles)
Controllers can facilitate compliance with the personal data processing principles in various ways, which include:
- recording processing activities and making them available to the supervisory authority upon request;
- in certain situations, designating a data protection officer who is involved in all issues relating to personal data protection;
- undertaking data protection impact assessments for types of processing likely to result in a high risk to the rights and freedoms of natural persons;
- ensuring data protection by design and by default;
- implementing modalities and procedures for the exercise of the rights of the data subjects;
- adhering to approved codes of conduct or certification mechanisms.
KEY PRINCIPLES OF EUROPEAN DATA PROTECTION LAW
⑥ The accountability principle
Consists of two elements:
- ensure compliance with the GDPR;
- prove compliance with the GDPR.
According to the Article 29 Working Party’s opinion, the essence of accountability is the controller’s obligation to:
“put in place measures which would – under normal circumstances – guarantee that data protection rules are adhered to in the context of processing operations; and
have documentation ready which demonstrates to data subjects and to supervisory authorities the measures that have been taken to achieve compliance with the data protection rules”.