GDPR Learning Hub

The Seven Data Protection Principles of the GDPR

Article 5 of the GDPR


Companies that process personal data must adhere to the seven data protection principles of the GDPR. The European General Data Protection Regulation, also known as the GDPR, is an EU regulation that came into force in 2018 in the EU and EEA countries. The GDPR is a comprehensive regulatory framework that gives companies a lot to think about. The consequences for companies that violate the GDPR can be devastating: in the worst case, a company may be fined up to €20 million or 4% of its global annual turnover (whichever is higher).

The Seven Data Protection Principles form the heart of the GDPR

The basic data protection principles form the core of the GDPR and set the framework for the processing of personal data. Article 5 of the GDPR states the principles. Companies therefore need to be aware of all of them in order to know what they need to do to comply with the regulation.

Please note that the company should not only follow the principles when collecting personal data. The company must follow the principles throughout the life cycle of the processing.

Summary of the Seven Data Protection Principles of the GDPR

Below you can read a summary of the seven basic data protection principles, which the articles of the GDPR are based upon.

Principle of Lawfulness, Fairness and Transparency

This principle consists of three sub-principles. First, a company may not process personal data without a legal basis, also called a legal ground. Examples of legal bases under the GDPR are consent, a contract with the data subject, a legal obligation and legitimate interests; Article 6 of the GDPR sets out the legal bases. Secondly, the processing must be fair, reasonable and proportionate in relation to the data subject. Thirdly, the processing must be transparent, and the data subjects must be aware of the processing.

Article 5(1)(a) of the GDPR regulates the data protection principle of lawfulness, fairness and transparency.

Principle of Purpose Limitation

Companies must have a predetermined and specific purpose for the processing. In addition, the company must clearly indicate and communicate the purpose to the data subjects. The company may not process personal data for a possible future purpose that is not specified.

Keep in mind that it is not enough to specify a broad purpose, for example that the purpose of the processing is to “improve the user experience”, “IT security” or “future research”. Such purposes are not allowed, because they are described too vaguely for data subjects to assess what the processing could entail.

Article 5(1)(b) of the GDPR regulates the data protection principle of purpose limitation.

Principle of Data Minimisation

Companies may not process more personal data than is necessary for the purpose. In short, the company may not process personal data that is not needed to achieve the purpose of the processing; it may only process personal data that is relevant and adequate for that purpose.

If the company wants to process more personal data for any other purpose, it needs a new legal basis for that processing. A company therefore must not process unnecessary personal data “just because it may be useful to have in the future” for a purpose that has not yet been determined.

Article 5(1)(c) of the GDPR regulates the data protection principle of data minimisation.

Principle of Accuracy

Companies need to ensure that personal data is accurate, correct and, where necessary, kept up to date. Incorrect personal data shall be either rectified or erased without undue delay. It is therefore important that the company establishes internal procedures for checking and correcting personal data, as well as for handling data subjects’ requests for rectification of their personal data under Article 16 of the GDPR.

Article 5(1)(d) of the GDPR regulates the data protection principle of accuracy.

Principle of Storage Limitation

Personal data may be processed for as long as it is necessary for the purpose for which it was collected. When the personal data is no longer necessary to process, the company shall delete or anonymise it. However, the company may need to retain the personal data longer because of requirements in other legislation. In such cases, the company shall continue to retain the personal data so as not to violate that law. For example, companies need to retain receipts for a certain number of years under the applicable accounting law.

To comply with the principle of storage limitation under the GDPR, companies need to establish and implement internal procedures for the erasure and/or anonymisation of personal data. Companies also need to develop internal procedures that employees must follow when a data subject requests the deletion of their personal data in accordance with Article 17 of the GDPR.

Article 5(1)(e) of the GDPR regulates the data protection principle of storage limitation.

Principle of Integrity and Confidentiality

Companies must implement adequate technical and organizational measures to protect the personal data they process. The more sensitive the personal data, the more security is required. No unauthorized person shall be able to access the data, and the data shall also be protected against unauthorized use.

If personal data is unlawfully disclosed or used, this is considered a personal data breach under the GDPR. Companies must have internal procedures in place to ensure that personal data breaches are handled correctly in accordance with the rules of the GDPR. In addition, certain personal data breaches must be notified to the supervisory authority within 72 hours.

Examples of technical security measures are anti-virus software, backups and encryption of personal data. Examples of organizational measures are internal education and training of employees, the establishment of internal procedures and/or data processing agreements.

Article 5(1)(f) of the GDPR regulates the data protection principle of integrity and confidentiality.

Principle of Accountability

Companies must be able to prove both that they comply with the GDPR rules and how they do so in practice, for example by having written internal procedures for handling personal data breaches and for handling data subjects’ requests to exercise their rights. It is also useful to draw up written checklists for employees to follow, as well as summaries of the legal bases and data protection principles, in order to train employees on how to properly process personal data. Companies also need to enter into data processing agreements with data processors pursuant to Article 28 of the GDPR and maintain a record of processing activities pursuant to Article 30 of the GDPR.

Furthermore, it is important that companies document all decisions and their justifications and carry out different types of impact assessments where necessary, such as transfer impact assessments for data transfers to third countries.

Article 5(2) of the GDPR regulates the data protection principle of accountability.

More information about the seven data protection principles of the GDPR

The principle of Lawfulness, Fairness and Transparency

This data protection principle consists of three sub-principles: lawfulness, fairness and transparency. It is regulated in Article 5(1)(a) of the GDPR. It is important to process personal data lawfully, to make sure that the processing is reasonable, fair and proportionate, and to make sure that the data subjects are aware of the processing. Companies must take various actions in order to comply with the principle of lawfulness, fairness and transparency.
