The Principle of Data Minimization
Article 5(1)(c) of the GDPR
Summary of the GDPR Principle
The Data Protection Principle of Data Minimization
The principle of data minimization means that a company may not process more personal data than is necessary for the purpose of the processing. In addition, a company must delete or anonymize personal data once they are no longer necessary. Data minimization is one of the seven basic data protection principles, and a company must adhere to all of them under the GDPR. The controller is responsible for ensuring compliance with the data protection principles in its processing of personal data.
The Principle of Data Minimization
Article 5(1)(c) of the GDPR states the principle of data minimization. Please note that the company must also comply with the other basic data protection principles, such as the Data Protection Principle of Purpose Limitation.
What does the Principle of Data Minimization mean?
According to this principle, all personal data that a company processes must be:
- Adequate: The personal data collected by the company shall be accurate, as well as adequate and relevant to the specific stated purpose of the processing. A company may therefore not process additional personal data “just because they may be useful in the future”.
- Relevant: There must be a connection between the personal data the company processes and the purpose of use. This means that the personal data processed must be essential and must have a clear link to the purpose of the processing.
- Necessary: A company shall only process personal data that is limited to what is necessary. This means that the personal data in question must actually be needed to fulfill the purpose of the processing. When assessing whether it is necessary to process certain personal data, a company shall base its assessment on the data subjects as a whole; in some cases, the company must also consider individual data subjects. A practical example is a company that, in connection with serving food, needs information about a data subject’s potential food allergies.
Reduce the risk of processing personal data
Companies can reduce the risk associated with the processing of personal data, for example by anonymizing personal data. The same applies to pseudonymizing personal data.
Companies must delete personal data regularly. A company may also take other types of technical and organizational security measures to protect the personal data it processes.
How long companies should process personal data
Companies shall not process personal data for longer than necessary, and shall endeavor to process personal data for as short a period as possible. This means that a company may not keep storing personal data “for safety’s sake” once the purpose of the processing has been achieved.
In some cases, companies want to process the same personal data for a different purpose. In such cases, they shall rely on a new legal basis for the new processing. However, a company can assess whether processing the same personal data for another purpose is compatible with the original purpose of use; if it is, the further processing may be permitted.
Other data protection principles
The Principle of Accuracy under the GDPR
All personal data that companies process must be correct and accurate. In addition, companies should try to update them on their own initiative. If personal data are inaccurate or incorrect, the company shall either correct or delete them. Please note that a correction may also take the form of a supplement, for example if something is missing from the personal data. The company must carry out the correction without undue delay. A data subject who believes that their personal data are incorrect has the right to contact the company and request rectification.