The combination of these three principles creates a combined normative tool that must be strictly followed by controllers using data gathered through social networks. In general, controllers must make the purposes of the processing explicit: “disclosed, explained or expressed in an intelligible form”. In line with the principle of data minimization, they should also identify the minimum amount of personal data needed to achieve their objectives. In addition, in respect of the accountability principle, data controllers should be able to demonstrate that they only collect and hold the personal data needed, and that it is used solely for the specific purposes that have been informed under an adequate legal basis.
Summarising, setting clear objectives for the processing will help ensure that the personal data to process are:
- adequate: sufficient to fulfil the stated purpose;
- relevant: they should have a rational link to the purpose;
- limited to what is necessary: they should not hold more data than those needed for the stated purpose.
1it is important to identify who the “data controller” is; developers are rarely the “data controller”, since they are not responsible to take care of the business objective, this is a task for the management of the company. ↑