Together, these three principles form a combined normative tool that IoT developers must strictly follow. In general, data controllers must make the purposes of the processing explicit: “disclosed, explained or expressed in an intelligible form”. In line with the principle of data minimization, they should also identify the minimum amount of personal data needed to achieve their objectives. In addition, under the accountability principle, data controllers should be able to demonstrate that they collect and hold only the personal data needed and that it is used solely for the specific purposes that have been communicated, under an adequate legal basis.
In summary, setting clear objectives for an IoT development will help ensure that the personal data to be processed are:
- adequate: sufficient to fulfil the stated purpose;
- relevant: having a rational link to that purpose;
- limited to what is necessary: no more data should be held than is needed for the stated purpose.
Controllers must not forget that, if the devices process data for purposes other than those for which they were collected, a legal basis that legitimizes such processing will be needed, unless the new use of the data is compatible with the purpose for which the personal data were initially collected, according to Article 6.4 GDPR. The possibility of relying on the exception to this rule for processing for research purposes should be carefully analyzed before any processing. Consultation with the DPO is highly recommended.
1 It is important to identify who the “data controller” is; developers are rarely the “data controller”, since they are not responsible for the business objective; this is a task for the management of the company.