Chapter 6: Data Protection Principles – Unlocking the EU General Data Protection Regulation | White & Case LLP International Law Firm, Global Law Practice
EU General Data Protection Regulation (GDPR): EU's new data protection law

Chapter 6: Data Protection Principles – Unlocking the EU General Data Protection Regulation

Previous Chapter | Next Chapter | Index of Chapters

Why does this topic matter to organisations?

The Data Protection Principles provide the conditions on which an organisation is permitted to process personal data. If an organisation cannot satisfy the Data Protection Principles (and if no exemption or derogation applies) then such processing will be unlawful. Consequently, it is vital for organisations to understand these Principles.

What types of organisations are most affected?

The nature of an organisation's business, and the sector in which it operates, make no difference to that organisation's obligation to comply with the Data Protection Principles. Hence, all types of organisations are affected.

What should organisations do to comply?

Organisations need to ensure that their data processing activities are carried out in accordance with the Data Protection Principles set out in the GDPR. In particular, organisations should pay close attention to the principles of transparency and data minimisation while implementing new data processing activities.

 

Icons to convey information quickly

The following icons are used in the table, to clarify the impact of each change:

Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).

Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).

The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).

The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).

The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduced a new obligation on organisations).

The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written).

 

Issue The Directive The GDPR Impact

Fair, lawful and transparent processing

The requirement to process personal data fairly and lawfully is extensive. It includes, for example, an obligation to tell data subjects what their personal data will be used for.

Rec.38, Art.6(1)(a)

Personal data had to be processed fairly and lawfully.

 Rec.39; Art.5(1)(a)

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

 The GDPR introduced an additional compliance burden on organisations (albeit one that was implied under the Directive). It requires that organisations take additional care when designing and implementing data processing activities.

The purpose limitation principle

In summary, the purpose limitation principle states that personal data collected for one purpose should not be used for a new, incompatible purpose

Rec.28; Art.6(1)(b)

Personal data could only be collected for specified, explicit and legitimate purposes and could not be further processed in a manner that was incompatible with those purposes. (Further processing of data for historical, statistical or scientific purposes was permitted, provided that Member States provided appropriate safeguards.)

 Rec.50; Art.5(1)(b)

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes. (Further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes, in accordance with Art.89(1), is permitted—see Chapter 17).

 The GDPR brought limited changes to the principle of purpose limitation. Further processing of personal data for archiving, scientific, historical or statistical purposes is permitted, but is subject to the additional safeguards provided in Art.89 of the GDPR.

Data minimisation

The principle of data minimisation is essentially the idea that, subject to limited exceptions, an organisation should only process the personal data that it actually needs to process in order to achieve its processing purposes.

Rec.28; Art.6(1)(c)

Personal data had to be adequate, relevant and not excessive in relation to the purposes for which those data were collected and/or further processed.

 Rec.39; Art.5(1)(c)

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

 The GDPR replaced the obligation to ensure that personal data are not excessive with a more restrictive obligation to ensure that personal data are "limited to what is necessary". Organisations should carefully review their data processing operations to consider whether they process any personal data that are not strictly necessary in relation to the relevant purposes.

Accuracy

There are obvious risks to data subjects if inaccurate data are processed. Therefore controllers are responsible for taking all reasonable steps to ensure that personal data are accurate.

Art.6(1)(d)

Personal data needed to be accurate and, where necessary, kept up to date. Every reasonable step had to be taken to ensure that data which were inaccurate or incomplete were either erased or rectified.

 Rec.39; Art.5(1)(d)

Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.

 The GDPR did not materially change the accuracy principle. The GDPR specifies that the erasure or rectification of inaccurate personal data must be implemented without delay, but that requirement was implicit in the wording of the Directive.

Data retention periods

The idea that personal data should not be retained for longer than necessary in relation to the purposes for which they were collected, or for which they are further processed, is key to ensuring fair processing.

Art.6(1)(e)

Personal data should have been kept in a form that permitted identification of data subjects for no longer than was necessary for the purposes for which the data were collected or for which they were further processed. Member States were obliged to implement appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

 Rec.39; Art.5(1)(e)

Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with Art.89(1) and subject to the implementation of appropriate safeguards.

The principle is unchanged, but the GDPR introduced two important new factors:

 There are specific provisions on the processing of personal data for historical, statistical or scientific purposes (see Chapter 17).

 The principle should be read in light of the "right to be forgotten" (see Chapter 9) under which data subjects have the right to erasure of personal data, in some cases sooner than the end of the maximum retention period.

Data security

Controllers are responsible for ensuring that personal data are kept secure, both against external threats (e.g., malicious hackers) and internal threats (e.g., poorly trained employees).

Rec.46; Art.17(1)

The controller had to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.

 Rec.29, 71, 156; Art.5(1) (f), 24(1), 25(1)-(2), 28, 39, 32

Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 The GDPR moved this obligation into the Data Protection Principles, reinforcing the idea that data security is a fundamental obligation of all controllers. However, the principle itself is essentially unchanged.

Accountability

The principle of accountability seeks to guarantee the enforcement of the Data Protection Principles. This principle goes hand-in-hand with the growing powers of DPAs.

Art.6(2)

The controller had to ensure compliance with the Data Protection Principles.

 Rec.85; Art.5(2)

The controller is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles.

 Under the GDPR, the controller is obliged to demonstrate that its processing activities are compliant with the Data Protection Principles. This obligation is expanded upon in Chapter 10, which sets out the obligations of controllers.

 

Commentary: Data Protection Principles: from the Directive to the GDPR

The changes introduced by the GDPR to the Data Protection Principles are not revolutionary. However, they do consolidate the importance of those principles in respect of data processing activities. In particular, the principles of transparency and minimisation of data, as well as the requirement of data integrity and confidentiality, are now clearly established as Data Protection Principles.

Commentary: The data minimisation principle

Many non-EU organisations collect personal data and then later decide the purposes for which they wish to use those data. The Directive did not permit this approach, and the GDPR tightened the restrictions further, stating that organisations should not collect data that are not necessary for a specified purpose that has been notified to data subjects.

Organisations must ensure that, in relation to all processing activities by default, they process only the minimum amount of personal data necessary to achieve their lawful processing purposes. For example, in connection with an online service, a business must not collect personal data (e.g., contact details) that are not strictly necessary in connection with the provision of that service, unless the data subject chooses to provide those personal data. This is likely to require many businesses to re-think their data processing activities from the ground up.

Each organisation should carefully consider the extent to which it will need to amend its existing data collection practices in order to comply with these restrictions.

Example: The purpose limitation principle

Q. Organisation A is a reinsurer. It provides services to insurance companies. Over the years it has collected large amounts of personal data relating to insured data subjects. It would now like to combine data from its various customers into a single database, to enable it to price its products more accurately. Can it do this?

A. Personal data collected for one purpose (e.g., performance of an insurance contract) cannot be used for a new, incompatible purpose (e.g., creating a database of information about insured data subjects to set prices more accurately). Organisation A might be able to achieve its aims by taking additional steps (e.g., obtaining the consent of the affected individuals—see Chapter 8) or by anonymising the data before creating the database (subject to the need to ensure that such anonymisation is, itself, lawful processing of personal data).

 

 

NEXT CHAPTER
Chapter 7: Lawful basis for processing

 

Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law

Foreword

Chapter 1: Introduction

Chapter 2: Complying with the GDPR

Chapter 3: Subject matter and scope

Chapter 4: Territorial application

Chapter 5: Key definitions

Chapter 6: Data Protection Principles

Chapter 7: Lawful basis for processing

Chapter 8: Consent

Chapter 9: Rights of data subjects

Chapter 10: Obligations of controllers

Chapter 11: Obligations of processors

Chapter 12: Impact Assessments, DPOs and Codes of Conduct

Chapter 13: Cross-Border Data Transfers

Chapter 14: Data Protection Authorities

Chapter 15: Cooperation and consistency

Chapter 16: Remedies and sanctions

Chapter 17: Issues subject to national law

Chapter 18: Relationships with other laws

Chapter 19: Glossary

Our Global Data, Privacy & Cyber Security Practice

White & Case Technology Newsflash

 

If you would like to request a hard copy of this Handbook, please do so here.

 

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP