GDPR provisions
Home » AI » General exposition » Privacy and data governance » GDPR provisions

GDPR refers to the processing of data subjects’ personal data. There are some provisions that are particularly relevant to privacy and data governance. Since the quality and integrity of data and access to data are analyzed in the previous section, our focus here is on four concepts that are extremely relevant to guaranteeing adequate data governance. These are: (1) purpose limitation; (2) lawfulness; (3) data minimization; and (4) fairness, a broad principle that requires protecting data subjects’ rights.

It is pointless to talkabout data protection if the processing is not lawful, and a specified and explicit purpose is a prerequisite for lawful processing. However, even if the processing is permissible (i.e. lawful and legitimate), data protection remains impossible to implement if the purposes of processing are unclear. Moreover, processing is not lawful if it is not related to the purposes for which the data were collected. Therefore, the purpose limitation principle is directly connected with data governance.

Meanwhile, data minimization is key to protecting privacy. The best way to ensure that “data collected about [the data subjects] will not be used to unlawfully or unfairly discriminate against them”[1] is to minimize the amount and range of personal data collected. Lastly, adequate implementation of data subjects’ rights, as embedded in the GDPR, is essential to empower them and strengthen the data governance framework.



1High-Level Expert Group on AI (2019) Ethics guidelines for trustworthy AI, p.17. European Commission, Brussels. Available at: (accessed 28 May 2020).
Ibid., p.15 and ff.

Skip to content