Bud P. Bruegger (ULD)
Acknowledgements: The author thankfully acknowledges the review and suggestions by Giuseppe D’Acquisto, Senior Technology Advisor, Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).
This section of the Guidelines has been validated by José Luis Piñar, former president of the Spanish Data Protection Agency and currently Cátedra Google on Privacy, Society and Innovation Universidad CEU-San Pablo, Madrid.
The Section Understanding data protection: the EU regulation in a nutshell above has given an overview of the GDPR. It has thus also introduced the principles of data protection, as contained in Chapter 2 “Principles” of the GDPR and there in particular in Art. 5 “Principles relating to processing of personal data”. While Understanding data protection: the EU regulation in a nutshell has chosen a structure that motivates the content of the GDPR in terms of power, the present section follows the structure of Art. 5 GDPR. It discusses each principle in further detail.
The principles express the following structure:
- Conditions on the purposes of processing: What kinds of purposes pursued by the processing of personal data are allowed is described in Art. 5(1)(a) and 5(1)(b) GDPR. Processing of personal data for purposes that fail to satisfy these conditions is not allowed. The conditions are:
- Lawfulness (Art. 5(1)(a) GDPR);
- Legitimacy (Art. 5(1)(b) GDPR).
- Conditions on the implementation of processing: Where the purpose meets the above criteria, the implementation of the processing must in addition meet certain conditions in order to be permitted. These are described in Art. 5(1)(a) through 5(1)(f); namely, the implementation:
- must be fair (Art. 5(1)(a) GDPR);
- must be transparent (Art. 5(1)(a) GDPR);
- must be limited to the stated purposes (Art. 5(1)(b) GDPR);
- must use the minimum of data that is necessary for the purposes (Art. 5(1)(c) GDPR);
- must use only accurate data (Art. 5(1)(d) GDPR);
- must use the minimum degree of identification of data subjects that is necessary for the purposes (Art. 5(1)(e) GDPR);
- must be secure (Art. 5(1)(f) GDPR).
In addition, according to Art. 5(2) GDPR, for controllers to comply with the GDPR, their processing must:
- satisfy all the above conditions, and
- the controllers must be able to demonstrate that it does.
To help readers understand the GDPR, the detailed discussion of the above principles uses the structure provided by the law. This means that one point of the GDPR is discussed at a time. Each point of Art. 5(1) and Art. 5(2) is then called a principle. The name that the GDPR gives to each principle corresponds to the title used for the following sections. In some cases, several of the above stated conditions fit into a single principle.
There are two exceptions to structuring the following discussion by paragraph of Art. 5 GDPR. They are motivated by increased clarity and discuss statements provided in one paragraph of the GDPR under the principle (i.e., main meaning) provided in another paragraph. Namely, the exceptions are that:
- the requirement that purposes must be specified, explicit and legitimate (provided in Art. 5(1)(b) GDPR) is discussed together with lawfulness, fairness, and transparency (of Art. 5(1)(a) GDPR), and
- the statement about the storage period pertaining to certain kinds of processing (provided in Art. 5(1)(e) GDPR) is discussed together with data minimization (of Art. 5(1)(c) GDPR), since arguably the storage period is pertinent to the data being (temporarily) “limited to what is necessary in relation to the purposes”.
The following table gives an overview of how principles relate to letters of Article 5 GDPR.

| Principle | Article 5 GDPR |
|---|---|
| Legitimacy and Lawfulness | Art. 5(1)(a), Art. 5(1)(b) |
| Storage limitation (minimization of identification potential) | Art. 5(1)(e) |
| Integrity and Confidentiality | Art. 5(1)(f) |
The discussion of each principle is structured as follows:
- An abstract description of the principle,
- a brief discussion of related articles and recitals of the GDPR suited to provide a deeper understanding of the principle, and
- examples of concrete technical or organizational measures that can be used to implement the principle.
The description attempts to capture the essence of the principle. The section on related articles and recitals points to places in the GDPR that describe in more detail how the principle needs to be concretely applied. This section can be skipped on a first reading and consulted when a deeper understanding is desired. The section on measures provides a non-exhaustive list of examples of how each principle can be implemented in practice.
The remainder of this chapter describes the principles listed in Art. 5 GDPR using the described structure.