Data governance: minimization, purpose limitation and storage limitation principles

The minimization principle (see the “Data minimization” subsection of the Main Principles section of the General Part of these Guidelines) states that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. On the other hand, according to Article 5(1)(e) of the GDPR, personal data should be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. Finally, purpose limitation means that personal data cannot be processed for purposes other than the ones stipulated in the privacy policy when the data were collected, unless these further purposes are compatible with the original purposes and subject to appropriate safeguards (Art. 6(4) GDPR). This is the case, for instance, when the further processing corresponds to archiving activities in the public interest, scientific or historical research purposes, or statistical purposes (see the “Data processing and scientific research” subsection of the Main Concepts section of the General Part of these Guidelines).

Together, these three principles form a normative tool that must be strictly followed by controllers using data gathered through social networks. In general, controllers[1] must make the purposes of the processing explicit: “disclosed, explained or expressed in an intelligible form”. In line with the principle of data minimization, they should also identify the minimum amount of personal data needed to achieve their objectives. In addition, in line with the accountability principle, data controllers should be able to demonstrate that they only collect and hold the personal data needed, and that the data are used solely for the specific purposes that have been communicated under an adequate legal basis.

In summary, setting clear objectives for the processing will help ensure that the personal data to be processed are:

  • adequate: sufficient to fulfil the stated purpose;
  • relevant: they should have a rational link to the purpose;
  • limited to what is necessary: controllers should not hold more data than are needed for the stated purpose.




[1] It is important to identify who the “data controller” is; developers are rarely the “data controller”, since they are not responsible for the business objective; this is a task for the management of the company.

