Data governance: minimization, purpose limitation and storage limitation principles
Home » IoT » Data governance: minimization, purpose limitation and storage limitation principles

The minimization principle states that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. On the other hand, according to Article 5(1) (e) of the GDPR, personal data should be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. Finally, purpose limitation means that personal data cannot be processed for purposes other than the ones stipulated in the privacy policy when the data were collected, unless these purposes correspond to archiving activities of public interest, purposes of scientific and historical research or statistical purposes.

The combination of these three principles creates a combined normative tool that must be strictly followed by IoT developers. In general, data controllers[1] must make the purposes of the processing explicit: “disclosed, explained or expressed in an intelligible form”. In line with the principle of data minimization, they should also identify the minimum amount of personal data needed to achieve their objectives. In addition, in respect of the accountability principle, data controllers should be able to demonstrate that they only collect and hold the personal data needed and that it is used solely for the specific purposes that have been informed under an adequate legal basis.

Summarizing, setting clear objectives of an IoT development will help ensure that the personal data to process be:

  • adequate: sufficient to fulfil the stated purpose;
  • relevant: as they should have a rational link to the purpose;
  • limited to what is necessary: they should not hold more data than those needed for the stated purpose.

Controllers shall not forget that, if the devices will process data for purposes other than those for which they were collected, a legal basis that legitimizes such processing will be needed, unless the new use of data is compatible with the purpose for which the personal data were initially collected, according to article 6.4 GDPR. The possibility to make use of the exception to this rule linked to processing for research purposes should be carefully analyzed before any processing. Consultation with the DPO is highly recommended.


1It is important to identify who the “data controller” is; developers are rarely the “data controller”, since they are no responsible to take care of the business objective, this is a task for the management of the company.

Skip to content