Chapter 6: Data Protection Principles – Unlocking the EU General Data Protection Regulation | White & Case LLP

Overview

Why does this topic matter to organisations?

The Data Protection Principles provide the conditions on which an organisation is permitted to process personal data. If an organisation cannot satisfy the Data Protection Principles (and if no exemption or derogation applies) then such processing will be unlawful. Consequently, it is vital for organisations to understand these Principles.

What types of organisations are most affected?

The nature of an organisation's business, and the sector in which it operates, make no difference to that organisation's obligation to comply with the Data Protection Principles. Hence, all types of organisations are affected.

What should organisations do to prepare?

Organisations need to ensure that their data processing activities are carried out in accordance with the Data Protection Principles set out in the GDPR. In particular, organisations should pay close attention to the principles of transparency and data minimisation while implementing new data processing activities.

Icons are used below to indicate the impact of each GDPR change.

Detailed analysis

Each entry below sets out the Issue, the position under The Directive, the position under The GDPR, and the Impact of the change.

Issue: Fair, lawful and transparent processing

The requirement to process personal data fairly and lawfully is extensive. It includes, for example, an obligation to tell data subjects what their personal data will be used for.

The Directive (Rec.38, Art.6(1)(a)): Personal data must be processed fairly and lawfully.

The GDPR (Rec.39; Art.5(1)(a)) [materially changes]: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Impact [negative]: This change imposes an additional compliance burden on organisations (albeit one that is implied under the Directive). It requires that organisations take additional care when designing and implementing data processing activities.

Issue: The purpose limitation principle

In summary, the purpose limitation principle states that personal data collected for one purpose should not be used for a new, incompatible, purpose.

The Directive (Rec.28; Art.6(1)(b)): Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes. (Further processing of data for historical, statistical or scientific purposes is permitted, provided that Member States provide appropriate safeguards.)

The GDPR (Rec.50; Art.5(1)(b)) [materially changes]: Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes. (Further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes, in accordance with Art.89(1), is permitted—see Chapter 17).

Impact [neutral]: The GDPR brings limited changes to the principle of purpose limitation. Further processing of personal data for archiving, scientific, historical or statistical purposes is still permitted, but is subject to the additional safeguards provided in Art.89 of the GDPR.

Issue: Data minimisation

The principle of data minimisation is essentially the idea that, subject to limited exceptions, an organisation should only process the personal data that it actually needs to process in order to achieve its processing purposes.

The Directive (Rec.28; Art.6(1)(c)): Personal data must be adequate, relevant and not excessive in relation to the purposes for which those data are collected and/or further processed.

The GDPR (Rec.39; Art.5(1)(c)) [materially changes]: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

Impact [negative]: The obligation to ensure that personal data are not excessive is replaced by a more restrictive obligation to ensure that personal data are "limited to what is necessary". Organisations will need to carefully review their data processing operations to consider whether they process any personal data that are not strictly necessary in relation to the relevant purposes.

Issue: Accuracy

There are obvious risks to data subjects if inaccurate data are processed. Therefore controllers are responsible for taking all reasonable steps to ensure that personal data are accurate.

The Directive (Art.6(1)(d)): Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which are inaccurate or incomplete are either erased or rectified.

The GDPR (Rec.39; Art.5(1)(d)) [does not materially change]: Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.

Impact [neutral]: The GDPR does not materially change the accuracy principle. The GDPR specifies that the erasure or rectification of inaccurate personal data must be implemented without delay, but that requirement is implicit in the wording of the Directive.

Issue: Data retention periods

The idea that personal data should not be retained for longer than necessary in relation to the purposes for which they were collected, or for which they are further processed, is key to ensuring fair processing.

The Directive (Art.6(1)(e)): Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States are obliged to implement appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

The GDPR (Rec.39; Art.5(1)(e)) [materially changes]: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with Art.89(1) and subject to the implementation of appropriate safeguards.

Impact: The principle is unchanged, but the GDPR introduces two important new factors:

[neutral] There are specific provisions on the processing of personal data for historical, statistical or scientific purposes (see Chapter 17).

[negative] The principle should be read in light of the "right to be forgotten" (see Chapter 9) under which data subjects have the right to erasure of personal data, in some cases sooner than the end of the maximum retention period.

Issue: Data security

Controllers are responsible for ensuring that personal data are kept secure, both against external threats (e.g., malicious hackers) and internal threats (e.g., poorly trained employees).

The Directive (Rec.46; Art.17(1)): The controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.

The GDPR (Rec.29, 71, 156; Art.5(1)(f), 24(1), 25(1)-(2), 28, 39, 32) [does not materially change]: Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Impact [neutral]: The GDPR moves this obligation into the Data Protection Principles, reinforcing the idea that data security is a fundamental obligation of all controllers. However, the principle itself is essentially unchanged.

Issue: Accountability

The principle of accountability seeks to guarantee the enforcement of the Data Protection Principles. This principle goes hand-in-hand with the growing powers of DPAs.

The Directive (Art.6(2)): The controller must ensure compliance with the Data Protection Principles.

The GDPR (Rec.85; Art.5(2)) [materially changes]: The controller is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles.

Impact [negative]: Under the GDPR, the controller is obliged to demonstrate that its processing activities are compliant with the Data Protection Principles. This obligation is expanded upon in Chapter 10, which sets out the obligations of controllers.

Further analysis

Commentary: Data Protection Principles: from the Directive to the GDPR

The changes introduced by the GDPR to the Data Protection Principles are not revolutionary. However, they do consolidate the importance of those principles in respect of data processing activities. In particular, the principles of transparency and minimisation of data, as well as the requirement of data integrity and confidentiality, are now clearly established as Data Protection Principles.

Commentary: The data minimisation principle

Many non-EU organisations collect personal data and then later decide the purposes for which they wish to use those data. The Directive does not permit this approach, and the GDPR tightens the restrictions further, stating that organisations should not collect data that are not necessary for a specified purpose that has been notified to data subjects.

Organisations must ensure that, in relation to all processing activities by default, they process only the minimum amount of personal data necessary to achieve their lawful processing purposes. For example, in connection with an online service, a business must not collect personal data (e.g., contact details) that are not strictly necessary in connection with the provision of that service, unless the data subject chooses to provide those personal data. This is likely to require many businesses to re-think their data processing activities from the ground up.

Each organisation should carefully consider the extent to which it will need to amend its existing data collection practices in order to comply with these restrictions.

Example: The purpose limitation principle

Q. Organisation A is a reinsurer. It provides services to insurance companies. Over the years it has collected large amounts of personal data relating to insured data subjects. It would now like to combine data from its various customers into a single database, to enable it to price its products more accurately. Can it do this?

A. Personal data collected for one purpose (e.g., performance of an insurance contract) cannot be used for a new, incompatible purpose (e.g., creating a database of information about insured data subjects to set prices more accurately). Organisation A might be able to achieve its aims by taking additional steps (e.g., obtaining the consent of the affected individuals—see Chapter 8) or by anonymising the data before creating the database (subject to the need to ensure that such anonymisation is, itself, lawful processing of personal data).

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP