Commentary to art. 5

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Principles governing the processing of personal data

  • Any processing of personal data carried out by a controller or processor must be organised and carried out in such a way as to comply with the processing principles. Processing personal data in contravention of the processing principles constitutes a breach of the GDPR and may give rise to legal liability.
  • A key concept in data processing is the purpose of the processing, which should be explicit, clearly defined and linked to one of the grounds for processing set out in the GDPR.
  • The purpose of the processing is key to determining other relevant parameters of the processing, such as its scope or duration.
  • It is prudent for controllers to organise their activities and design their data processing operations in such a way that they can demonstrate compliance with the data processing principles. To this end, they should document individual activities, such as risk analyses.

What are the practical implications of the principles governing the processing of personal data:

The principles for the processing of personal data set out in GDPR Article 5 provide the basic framework for any processing of personal data that falls within the scope of the GDPR.

Any processing of personal data by a controller or processor must be organised and carried out in such a way as to comply with the processing principles. Processing personal data in breach of the processing principles constitutes a breach of the GDPR and may give rise to legal liability.

From a practical point of view, in order to minimise the risk of non-compliance with the GDPR, it is advisable that, before implementing or introducing a new data processing operation, the controller should assess that operation in advance for compliance with the processing principles, treating the catalogue of principles set out in GDPR Article 5 as a kind of "checklist" for compliance with the GDPR.

We provide below general guidance to help assess what conditions should be met in order to claim that a particular processing operation complies with the processing principles set out in GDPR Article 5.

When is data processing lawful:

In order to claim that a particular processing of personal data is lawful, the processing should be carried out:

  • on the basis of one of the grounds for processing set out in Article 6, Article 9 (in the case of special categories of data, such as health data) or Article 10 in the case of data relating to criminal liability; and
  • in accordance with the requirements related to each of the grounds for processing, in particular those laid down by law when the processing is carried out on the basis of legal provisions.

For more information on the different grounds for processing, see the comments on Articles 6, 9 and 10.

When is data processing transparent:

The principle of transparency of processing is developed in GDPR Article 13 and Article 14. At its core is the controller's obligation to ensure that those whose personal data he/she processes are aware of the fact of that processing, its main characteristics and the rights they have in relation to that processing.

In order to be able to claim that a particular processing of personal data is carried out transparently, the controller should ensure that information about the processing of personal data is made available to all those whose personal data he/she processes, to the extent, at the time and in a manner that complies with the requirements set out in GDPR Article 13 or Article 14.

For more on the information to be provided about the processing of personal data, see the comments to GDPR Article 13 and Article 14.

When is the principle of ‘purpose limitation’ met:

In order to claim that a particular processing of personal data is carried out in accordance with the ‘purpose limitation’ principle, the entity carrying out the processing must:

  • Define a specific and explicit purpose for the processing in question in relation to one of the grounds for processing set out in GDPR Article 6, Article 9 or Article 10;
  • Ensure that the personal data processed in the context of a particular processing operation is actually processed only for the specific purpose of the processing operation and not for other purposes, unless there are separate grounds for doing so.

In other words, any processing of personal data covered by the GDPR must be carried out for a clear and defined purpose in order to be lawful. Such a defined purpose for processing is key to verifying the basis for processing, and will also be key to organising the processing, as is apparent from the other processing principles discussed below.

When is the principle of ‘data minimisation’ met:

In order to be able to claim that a particular processing operation is carried out in accordance with the principle of ‘data minimisation’, the entity carrying out that operation must ensure that the scope of the data processed as part of it includes only the data necessary for the purposes of that operation.

It is advisable that ‘necessity’ be interpreted as narrowly as possible, i.e. that only data is processed in a given operation without which it is objectively impossible to achieve the purposes of the processing. As a general rule, controllers should be wary of collecting and processing personal data that they ‘might need’ or ‘just in case’.

When is the principle of ‘accuracy’ of processing met:

In order to be able to claim that a particular processing of personal data is carried out in accordance with the principle of ‘accuracy’, the entity carrying out the processing must ensure that arrangements are put in place so that the personal data processed as part of a particular processing operation remain accurate throughout the period of processing.

In order to implement this principle, the controller should pay particular attention to:

  • Implementing mechanisms to ensure that accurate data is collected, e.g. automated checks that reduce the risk of capturing inaccurate data from the data subject (such as rejecting a telephone number with an incorrect number of digits in a contact form, rejecting an e-mail address with no domain part, or verifying an e-mail address by sending a confirmation message to it);
  • Implementing mechanisms to ensure that data can be easily updated during processing, both at the initiative of the controller (when he/she realises that it is out of date) and at the request of the data subject;
  • Implementing mechanisms to ensure that the amended data is appropriately updated in all of the controller’s data filing systems, where this should be done.
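The collection-time checks listed above, written out as an added example (not part of the commentary): a digit-count check for telephone numbers, a domain-part check for e-mail addresses, and a confirmation token that is only accepted once the data subject echoes it back. The digit bounds (9 to 15, the E.164 maximum) and the record layout are assumptions for the example.

```python
import re
import secrets
from dataclasses import dataclass, field

# Assumed bounds: national numbers are at least 9 digits here, and E.164 caps
# subscriber numbers at 15 digits. Adjust to the deployment's own rules.
MIN_PHONE_DIGITS, MAX_PHONE_DIGITS = 9, 15
# Cheap syntactic check only: local part, '@', and a domain with a dot.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_phone(raw: str) -> tuple[bool, str]:
    """Reject numbers whose digit count cannot be right; return normalised digits."""
    digits = re.sub(r"\D", "", raw)
    if not MIN_PHONE_DIGITS <= len(digits) <= MAX_PHONE_DIGITS:
        return False, f"expected {MIN_PHONE_DIGITS}-{MAX_PHONE_DIGITS} digits, got {len(digits)}"
    return True, digits


def validate_email(raw: str) -> tuple[bool, str]:
    """Reject addresses without a domain part; return the normalised address."""
    addr = raw.strip().lower()
    if not EMAIL_RE.match(addr):
        return False, "missing or malformed domain part"
    return True, addr


@dataclass
class ContactRecord:
    email: str
    phone: str
    confirmed: bool = False  # set once the control message token is returned
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def collect(email: str, phone: str) -> ContactRecord:
    """Accept a contact-form submission only if both fields pass the checks."""
    ok_email, email_or_err = validate_email(email)
    ok_phone, phone_or_err = validate_phone(phone)
    if not (ok_email and ok_phone):
        raise ValueError(f"email: {email_or_err}; phone: {phone_or_err}")
    # The token would be mailed to the address; the record stays unconfirmed
    # until the data subject presents it back (see confirm below).
    return ContactRecord(email=email_or_err, phone=phone_or_err)


def confirm(record: ContactRecord, presented_token: str) -> bool:
    """Mark the address as verified when the mailed token is echoed back."""
    if secrets.compare_digest(record.token, presented_token):
        record.confirmed = True
    return record.confirmed
```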

The implementation of the principle of ‘accuracy’ of processing is also achieved through the implementation of the obligations arising from the right granted to data subjects to rectify their data. For more information on this right, see the commentary on GDPR Article 16.

When is the principle of ‘storage limitation’ met:

The ‘storage limitation’ principle sets the permitted period for storage of personal data.

In order to be able to claim that a particular processing of personal data is carried out in accordance with the ‘storage limitation’ principle, the entity carrying out such processing must ensure that personal data processed for a particular purpose is processed and kept by the entity only for as long as it is necessary to achieve the purposes of the processing.

As in the case of the ‘data minimisation’ principle, ‘necessity’ should be interpreted as narrowly as possible, i.e. data should only be processed in the context of a particular operation for as long as is objectively necessary to achieve the purposes of the processing (in other words, the purpose of the processing cannot be achieved without processing for a certain period of time).

It is advisable for data controllers to set a retention period tailored to the individual purposes and processing operations and, in view of the principle of ‘accountability’, to document (with justification) the adopted retention periods, e.g. in an internal data retention policy.

When is the principle of ‘integrity and confidentiality’ met:

In order to be able to claim that a particular processing of personal data is carried out in accordance with the principle of ‘integrity and confidentiality’, the entity carrying out such processing must ensure that personal data is adequately protected. This principle is primarily developed in GDPR Article 32, which, among other things, provides more explicit guidance on how to determine adequate data protection measures. For more information, see the commentary on Article 32.

When is the principle of ‘accountability’ met:

The essence of the principle of ‘accountability’ is the obligation of the controller to ensure that he/she can demonstrate compliance with the principles of data processing.

In practice, this means that the controller should organise the processing in such a way that, for example, in the event of an audit by a supervisory authority, he/she will be able to demonstrate compliance with the obligations under GDPR Article 5(1). Importantly, the inability to demonstrate compliance with the obligations under GDPR Article 5(1) may itself be considered a breach of the GDPR, even if there is no concurrent breach of other provisions of the GDPR.

The GDPR does not specify how the controller should ensure that compliance with the data processing rules can be demonstrated. The manner will depend on the nature of the obligation. For example, compliance with the principle of integrity and confidentiality can be demonstrated by conducting and documenting a risk analysis, which will form the basis for determining the data protection measures referred to in GDPR Article 32 (for more on this see the commentary on GDPR Article 32), and then documenting the implementation of the relevant measures.

It is advisable for the controller to organise his/her activities and design data processing operations, taking into account the need to ensure that compliance with data processing rules can be demonstrated.