Chapter 6: Data Protection Principles – Unlocking the EU General Data Protection Regulation

Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).

Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).

The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).

The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).

The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduced a new obligation on organisations).

The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written).

Fair, lawful and transparent processing

The requirement to process personal data fairly and lawfully is extensive. It includes, for example, an obligation to tell data subjects what their personal data will be used for.

Rec.38, Art.6(1)(a)

Personal data had to be processed fairly and lawfully.

 Rec.39; Art.5(1)(a)

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

 The GDPR introduced an additional compliance burden on organisations (albeit one that was implied under the Directive). It requires that organisations take additional care when designing and implementing data processing activities.

The purpose limitation principle

In summary, the purpose limitation principle states that personal data collected for one purpose should not be used for a new, incompatible purpose

Rec.28; Art.6(1)(b)

Personal data could only be collected for specified, explicit and legitimate purposes and could not be further processed in a manner that was incompatible with those purposes. (Further processing of data for historical, statistical or scientific purposes was permitted, provided that Member States provided appropriate safeguards.)

 Rec.50; Art.5(1)(b)

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes. (Further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes, in accordance with Art.89(1), is permitted—see Chapter 17).

 The GDPR brought limited changes to the principle of purpose limitation. Further processing of personal data for archiving, scientific, historical or statistical purposes is permitted, but is subject to the additional safeguards provided in Art.89 of the GDPR.

Data minimisation

The principle of data minimisation is essentially the idea that, subject to limited exceptions, an organisation should only process the personal data that it actually needs to process in order to achieve its processing purposes.

Rec.28; Art.6(1)(c)

Personal data had to be adequate, relevant and not excessive in relation to the purposes for which those data were collected and/or further processed.

 Rec.39; Art.5(1)(c)

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

 The GDPR replaced the obligation to ensure that personal data are not excessive with a more restrictive obligation to ensure that personal data are "limited to what is necessary". Organisations should carefully review their data processing operations to consider whether they process any personal data that are not strictly necessary in relation to the relevant purposes.

Accuracy

There are obvious risks to data subjects if inaccurate data are processed. Therefore controllers are responsible for taking all reasonable steps to ensure that personal data are accurate.

Art.6(1)(d)

Personal data needed to be accurate and, where necessary, kept up to date. Every reasonable step had to be taken to ensure that data which were inaccurate or incomplete were either erased or rectified.

 Rec.39; Art.5(1)(d)

Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.

 The GDPR did not materially change the accuracy principle. The GDPR specifies that the erasure or rectification of inaccurate personal data must be implemented without delay, but that requirement was implicit in the wording of the Directive.

Data retention periods

The idea that personal data should not be retained for longer than necessary in relation to the purposes for which they were collected, or for which they are further processed, is key to ensuring fair processing.

Art.6(1)(e)

Personal data should have been kept in a form that permitted identification of data subjects for no longer than was necessary for the purposes for which the data were collected or for which they were further processed. Member States were obliged to implement appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

 Rec.39; Art.5(1)(e)

Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with Art.89(1) and subject to the implementation of appropriate safeguards.

The principle is unchanged, but the GDPR introduced two important new factors:

 There are specific provisions on the processing of personal data for historical, statistical or scientific purposes (see Chapter 17).

 The principle should be read in light of the "right to be forgotten" (see Chapter 9) under which data subjects have the right to erasure of personal data, in some cases sooner than the end of the maximum retention period.

Data security

Controllers are responsible for ensuring that personal data are kept secure, both against external threats (e.g., malicious hackers) and internal threats (e.g., poorly trained employees).

Rec.46; Art.17(1)

The controller had to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.

 Rec.29, 71, 156; Art.5(1) (f), 24(1), 25(1)-(2), 28, 39, 32

Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 The GDPR moved this obligation into the Data Protection Principles, reinforcing the idea that data security is a fundamental obligation of all controllers. However, the principle itself is essentially unchanged.

Accountability

The principle of accountability seeks to guarantee the enforcement of the Data Protection Principles. This principle goes hand-in-hand with the growing powers of DPAs.

Art.6(2)

The controller had to ensure compliance with the Data Protection Principles.

 Rec.85; Art.5(2)

The controller is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles.

 Under the GDPR, the controller is obliged to demonstrate that its processing activities are compliant with the Data Protection Principles. This obligation is expanded upon in Chapter 10, which sets out the obligations of controllers.