Overview
Why does this topic matter to organisations?
The Data Protection Principles provide the conditions on which an organisation is permitted to process personal data. If an organisation cannot satisfy the Data Protection Principles (and if no exemption or derogation applies) then such processing will be unlawful. Consequently, it is vital for organisations to understand these Principles.
What types of organisations are most affected?
The nature of an organisation's business, and the sector in which it operates, make no difference to that organisation's obligation to comply with the Data Protection Principles. Hence, all types of organisations are affected.
What should organisations do to prepare?
Organisations need to ensure that their data processing activities are carried out in accordance with the Data Protection Principles set out in the GDPR. In particular, organisations should pay close attention to the principles of transparency and data minimisation while implementing new data processing activities.
Detailed analysis
For each issue, the position under the Directive and under the GDPR is set out, followed by the impact of the change.

Issue: Fair, lawful and transparent processing
The requirement to process personal data fairly and lawfully is extensive. It includes, for example, an obligation to tell data subjects what their personal data will be used for.
The Directive (Rec.38; Art.6(1)(a)): Personal data must be processed fairly and lawfully.
The GDPR (Rec.39; Art.5(1)(a)): Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Impact: This change imposes an additional compliance burden on organisations (albeit one that is implied under the Directive). It requires that organisations take additional care when designing and implementing data processing activities, and that they are able to explain to data subjects what is done with their data.

Issue: The purpose limitation principle
In summary, the purpose limitation principle states that personal data collected for one purpose should not be used for a new, incompatible purpose.
The Directive (Rec.28; Art.6(1)(b)): Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes. (Further processing of data for historical, statistical or scientific purposes is permitted, provided that Member States provide appropriate safeguards.)
The GDPR (Rec.50; Art.5(1)(b)): Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes. (Further processing of personal data for archiving purposes in the public interest, or for scientific or historical research purposes or statistical purposes, in accordance with Art.89(1), is permitted; see Chapter 17.)
Impact: The GDPR brings limited changes to the principle of purpose limitation. Further processing of personal data for archiving, scientific, historical or statistical purposes is still permitted, but is subject to the additional safeguards set out in Art.89 of the GDPR.

Issue: Data minimisation
The principle of data minimisation is essentially the idea that, subject to limited exceptions, an organisation should only process the personal data that it actually needs in order to achieve its processing purposes.
The Directive (Rec.28; Art.6(1)(c)): Personal data must be adequate, relevant and not excessive in relation to the purposes for which those data are collected and/or further processed.
The GDPR (Rec.39; Art.5(1)(c)): Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.
Impact: The obligation to ensure that personal data are not excessive is replaced by a more restrictive obligation to ensure that personal data are "limited to what is necessary". Organisations will need to review their data processing operations carefully to identify any personal data that are not strictly necessary in relation to the relevant purposes.

Issue: Accuracy
There are obvious risks to data subjects if inaccurate data are processed. Controllers are therefore responsible for taking all reasonable steps to ensure that personal data are accurate.
The Directive (Art.6(1)(d)): Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which are inaccurate or incomplete are either erased or rectified.
The GDPR (Rec.39; Art.5(1)(d)): Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.
Impact: The GDPR does not materially change the accuracy principle. The GDPR specifies that the erasure or rectification of inaccurate personal data must be carried out without delay, but that requirement is implicit in the wording of the Directive.

Issue: Data retention periods
The idea that personal data should not be retained for longer than necessary in relation to the purposes for which they were collected, or for which they are further processed, is key to ensuring fair processing.
The Directive (Art.6(1)(e)): Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States are obliged to implement appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
The GDPR (Rec.39; Art.5(1)(e)): Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or for scientific, historical or statistical purposes in accordance with Art.89(1), subject to the implementation of appropriate safeguards.
Impact: The principle is unchanged, but the GDPR introduces two important new factors:
There are specific provisions on the processing of personal data for historical, statistical or scientific purposes (see Chapter 17).
The principle should be read in light of the "right to be forgotten" (see Chapter 9), under which data subjects have the right to erasure of their personal data, in some cases sooner than the end of the maximum retention period.

Issue: Data security
Controllers are responsible for ensuring that personal data are kept secure, both against external threats (e.g., malicious hackers) and internal threats (e.g., poorly trained employees).
The Directive (Rec.46; Art.17(1)): The controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.
The GDPR (Rec.29, 71, 156; Art.5(1)(f), 24(1), 25(1)-(2), 28, 32, 39): Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the "integrity and confidentiality" principle).
Impact: The GDPR moves this obligation into the Data Protection Principles, reinforcing the idea that data security is a fundamental obligation of all controllers; the principle itself is essentially unchanged. The GDPR also imposes security obligations directly on processors (Art.32), whereas the Directive reached processors only through the contractual terms that controllers were required to impose on them (see Chapter 11).

Issue: Accountability
The principle of accountability seeks to guarantee the enforcement of the Data Protection Principles. This principle goes hand-in-hand with the growing powers of DPAs.
The Directive (Art.6(2)): The controller must ensure compliance with the Data Protection Principles.
The GDPR (Rec.85; Art.5(2)): The controller is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles.
Impact: Under the GDPR, the controller is obliged not only to comply with the Data Protection Principles but to be able to demonstrate that its processing activities comply with them. This obligation is expanded upon in Chapter 10, which sets out the obligations of controllers.
Further analysis
Commentary: Data Protection Principles: from the Directive to the GDPR
The changes introduced by the GDPR to the Data Protection Principles are not revolutionary. However, they do consolidate the importance of those principles in respect of data processing activities. In particular, the principles of transparency and data minimisation, as well as the requirement of integrity and confidentiality (data security), are now clearly established as Data Protection Principles in their own right.
Commentary: The data minimisation principle
Many non-EU organisations collect personal data and then later decide the purposes for which they wish to use those data. The Directive does not permit this approach, and the GDPR tightens the restrictions further, stating that organisations should not collect data that are not necessary for a specified purpose that has been notified to data subjects.
Organisations must ensure that, in relation to all processing activities by default, they process only the minimum amount of personal data necessary to achieve their lawful processing purposes. For example, in connection with an online service, a business must not collect personal data (e.g., contact details) that are not strictly necessary in connection with the provision of that service, unless the data subject chooses to provide those personal data. This is likely to require many businesses to re-think their data processing activities from the ground up.
Each organisation should carefully consider the extent to which it will need to amend its existing data collection practices in order to comply with these restrictions.
Example: The purpose limitation principle
Q. Organisation A is a reinsurer. It provides services to insurance companies. Over the years it has collected large amounts of personal data relating to insured data subjects. It would now like to combine data from its various customers into a single database, to enable it to price its products more accurately. Can it do this?
A. Personal data collected for one purpose (e.g., performance of an insurance contract) cannot be used for a new, incompatible purpose (e.g., creating a database of information about insured data subjects to set prices more accurately). Organisation A might be able to achieve its aims by taking additional steps (e.g., obtaining the consent of the affected individuals—see Chapter 8) or by anonymising the data before creating the database (subject to the need to ensure that such anonymisation is, itself, lawful processing of personal data).
Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP