Processing of personal data for legitimate and lawful purposes is thus allowed, but only under certain conditions on its implementation. The following describes these conditions in more detail.
The basic rationale of these conditions is to limit and balance the power that the organization processing personal data (the so-called controller) gains over the affected individuals (the so-called data subjects).
As an overview, this is achieved in the following ways:
- accountability of the controller,
- empowerment of data subjects,
- power balance through a supervisory authority,
- restricting the controllers to use the gained power solely for reaching the declared legitimate purposes,
- limitation of the gained power to what is minimally necessary to fulfill the legitimate purposes,
- protection of the data subjects' investments and assets, and
- prohibition of processing that fails to be fit for purpose.
The individual bullet points are discussed in more detail in the sequel.
Controllers are fully accountable
A first measure to limit the power of controllers is to hold them fully accountable for the whole processing activity. This is one of the key principles of the GDPR (see Art. 5(2)). It goes beyond merely mandating controllers to make their processing transparent (to data subjects and supervisory authorities) by obliging controllers to be able to actually demonstrate compliance with the GDPR. Evidently, this opens the processing to oversight. It also clearly assigns the "burden of proof": it is not the data subjects or supervisory authorities who need to demonstrate a violation of the GDPR; non-transparency that hides non-compliance is in itself a violation.
To practically achieve this, in a first step, the GDPR makes sure that the full responsibility clearly lies with the (joint) controller(s) who determine(s) the purposes and means of processing. This is done, for example, by mandating controllers to exercise control over their employees and to conclude contracts with any external computing services they use (so-called processors) that guarantee control, up to and including the right of on-premise audits by the controller.
Once the responsibility is clarified, controllers are obliged to be fully transparent about the processing. This includes proactively informing data subjects about the existence and major characteristics of the processing and providing other kinds of information upon request. For the latter purpose, controllers usually also have to designate a Data Protection Officer whose contact details are part of the mandatory information and who serves as the contact point for data subjects.
Controllers further have to notify data breaches both to the competent supervisory authority and, where the breach is likely to result in a high risk to them, to the data subjects. In addition, for supervisory authorities, controllers have to maintain records of all processing activities that concern personal data and be able to present a Data Protection Impact Assessment for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects. The latter is a prime instrument for demonstrating compliance with the GDPR.
Empowerment of data subjects
Since there is a power imbalance in data processing, the GDPR empowers the weaker party, i.e., the data subjects. This transforms data subjects from powerless observers of the processing into stakeholders who can defend their rights and freedoms by intervening.
The GDPR empowers data subjects mostly through so-called data subject rights. They include the following:
- the right of access to the data about the data subjects that is processed,
- the right to rectification, which permits correcting inaccurate personal data and supplementing incomplete data,
- the right to erasure, also called the right to be forgotten,
- the right to restriction of processing, which permits data subjects to demand the suspension of processing of their data in certain circumstances,
- the right to object, which permits data subjects to demand the termination of processing of their data in certain circumstances, and
- the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them; this includes the right to obtain human intervention on the part of the controller.
Beyond these rights, data subjects also have:
- the right to withdraw consent at any time in the case where the legal basis of processing is consent,
- the right to be informed by the controller about the propagation of data subject right invocations to all recipients.
Balancing power through the institution of supervisory authorities
While data subjects are empowered by the above rights, their resources may be insufficient to enforce them. In particular, they may in practice be unable to make use of their right to an effective judicial remedy against a controller or processor on their own. For this reason, the GDPR grants data subjects the right to lodge a complaint with a supervisory authority.
In other words, the GDPR provides data subjects with an ally whose power is comparable to or above that of the controller and thus sufficient for enforcing the data subjects' rights.
The GDPR therefore grants corresponding powers to supervisory authorities. These range from investigative powers, such as on-premise audits, to corrective powers, such as imposing administrative fines, ordering the suspension of data flows to recipients, and banning the processing altogether.
Restricting the controllers to use the power solely for reaching the declared legitimate purposes
By demonstrating that the purposes are legitimate and lawful, a controller has justified the gain of power that comes with the processing activity. It is evident that using this power for any other purpose would lack justification. In other words, the permission to process is limited to the declared purposes for which the data is collected.
The GDPR calls this principle “purpose limitation” (see Art. 5(1)(b)).
The way to technically and organizationally implement this principle is through separation of distinct processing activities.
As a second line of defense, even if data from different processing activities were nevertheless brought together, measures such as pseudonymization make it harder to actually combine them, because the data records pertaining to the same person can no longer simply be linked.
Note that this rule also prevents the accumulation of power by combining the data from different processing activities. Such a combination would typically lead to a deeper insight in the life of data subjects, covering more aspects, or in a wider coverage of knowledge comprising a larger number of data subjects. In both cases, it can be argued that the combined power is greater than the sum of its parts.
Minimization of power to what is necessary to fulfill the declared purposes
While the demonstration of legitimacy and lawfulness of purposes has justified the processing as such, it has to be implemented in a way that limits the power gain to what is minimally necessary to fulfill these purposes. This minimization of power concerns the following three aspects:
- Information content of the personal data,
- degree of association of the data with the data subject, and
- limitation of recipients who have access to power.
These are described in further detail in the following.
Minimization of information content (i.e., power)
Since knowledge is power, the minimization of power means that the personal data that are collected have to be minimized. Only data that can be shown to be necessary for fulfilling the declared purposes may legitimately be collected.
The GDPR calls this principle "data minimization" (see Art. 5(1)(c)). Specifically, it requires the collected data to be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". Considered over time, it also requires that the data be stored no longer than necessary for the purposes. In the case of more complex processing with multiple phases, every phase should hold only the data that is really necessary for it, and the information content should be reduced between phases.
Minimizing the association to the data subject
The ease with which power over the data subject can be exercised depends on the degree to which the data subject can be associated with the data. The strength of the association between data and its data subject should therefore be minimized.
The GDPR distinguishes three kinds of data with different degrees of association:
- Fully identifying data,
- pseudonymized data, and
- anonymized data.
The first permits "direct identification" of the data subject by means of an "identifier" such as "a name, an identification number, location data, [or] an online identifier"; pseudonymized data permits identification only with the use of "additional information"; and anonymous data is data where "the data subject is not or no longer identifiable".
In analogy to data minimization, the data shall be collected with the minimal degree of association with the data subject. Considering the temporal aspect, "personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes". In the case of more complex processing with multiple phases, every phase should have only the minimal degree of association that is really necessary, and pseudonymization or anonymization should be applied between phases.
The GDPR calls this principle “storage limitation” (see Art. 5(1)(e)).
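The separation of processing activities and the pseudonymization "second line of defense" described under purpose limitation, and the reduction of the degree of association between phases described just above, can both be shown in one small pipeline. The following is an added illustration, not code from the original text: each processing activity holds its own secret key, pseudonyms are keyed hashes (HMAC) of the identifying attribute, the key is the "additional information" needed for re-identification and is held apart from the records, and the final phase aggregates to counts that name no individual. Record contents, field names and the `min_group_size` threshold are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter, defaultdict

# Constructed sample records for one processing activity (no real people).
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "city": "Lyon", "purchase": 30},
    {"name": "Bob Example",   "email": "bob@example.org",   "city": "Lyon", "purchase": 12},
    {"name": "Alice Example", "email": "alice@example.org", "city": "Lyon", "purchase": 8},
    {"name": "Carol Example", "email": "carol@example.org", "city": "Nice", "purchase": 50},
]


def new_activity_key() -> bytes:
    """Each processing activity gets its own secret. Keeping the keys apart is
    the organizational separation: a pseudonym from one activity cannot be
    recomputed, and thus not linked, by another activity."""
    return secrets.token_bytes(32)


def pseudonymize(record: dict, key: bytes) -> dict:
    """Phase 2: drop directly identifying fields and replace the e-mail with a
    keyed hash. Without the key the token is just an opaque string."""
    normalized = record["email"].strip().lower().encode()
    token = hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]
    return {"pseudonym": token, "city": record["city"], "purchase": record["purchase"]}


def pseudonymize_all(records, key: bytes):
    return [pseudonymize(r, key) for r in records]


def can_link(pseudo_a, pseudo_b) -> bool:
    """True if the two pseudonymized datasets share any pseudonym, i.e. if
    records of the same person could be joined on it."""
    return bool({r["pseudonym"] for r in pseudo_a} & {r["pseudonym"] for r in pseudo_b})


def anonymize(pseudo_records, min_group_size: int = 2) -> dict:
    """Phase 3: aggregate per city and suppress groups with fewer than
    min_group_size distinct persons, so no row describes an individual.
    Once this output exists, the phase-2 key can be discarded."""
    totals = Counter()
    persons = defaultdict(set)
    for r in pseudo_records:
        totals[r["city"]] += r["purchase"]
        persons[r["city"]].add(r["pseudonym"])
    return {city: totals[city] for city in totals if len(persons[city]) >= min_group_size}


if __name__ == "__main__":
    key_a, key_b = new_activity_key(), new_activity_key()
    activity_a = pseudonymize_all(RAW_RECORDS, key_a)
    activity_b = pseudonymize_all(RAW_RECORDS, key_b)
    print("linkable across activities:", can_link(activity_a, activity_b))
    print("anonymous aggregate:", anonymize(activity_a))
```

Within one activity the same person always gets the same pseudonym, so the records it needs to relate (Alice's two purchases) stay relatable; across activities with different keys the same person gets unrelated tokens, so the datasets cannot be joined on the pseudonym. The aggregate drops Nice because only one person is behind it.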
Limitation of the access to power
Power is in the hands of persons and organizations. If knowledge is power, this power is available only to parties to whom the personal data is disclosed. The GDPR calls such parties recipients. They can be employees of the controller or processor, intended third-party recipients, or unintended parties such as attackers.
Access to power has to be limited to what is necessary to fulfill the declared purposes. The GDPR calls this principle "confidentiality".
Confidentiality has two aspects:
- Preventing access by unauthorized parties, and
- restricting access by authorized parties.
The former protects to a large degree against external attackers, with measures such as encryption of data at rest and in transit, and firewalls. The latter is usually called access control. It makes sure that the party accessing the data is indeed who it claims to be (authentication), restricts access to the data that is actually needed (access rights), and may further restrict access to the times when it is necessary.
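The three elements of access control named above (authentication, access rights limited to the data needed, and a time restriction) can be combined in a small deny-by-default check. This is an added example and not code from the original text; the users, roles, shift times and the patient record are constructed, and the `Grant` structure is an illustrative design, not a GDPR requirement.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed record held by the controller (no real person).
PATIENT_RECORD = {"id": 17, "name": "Dana Example", "diagnosis": "example-dx", "billing_code": "A12"}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked user table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed user store; passwords appear here only to seed the example.
USERS = {
    "billing-clerk": _make_user("correct horse"),
    "night-nurse": _make_user("battery staple"),
}


@dataclass(frozen=True)
class Grant:
    fields: frozenset          # the only fields this role may read (access rights)
    valid_from: datetime       # time window in which access is necessary
    valid_until: datetime


_DAY = datetime(2024, 5, 1, tzinfo=timezone.utc)   # constructed reference day
GRANTS = {
    # Billing needs identity and billing data during office hours, never the diagnosis.
    "billing-clerk": Grant(frozenset({"id", "name", "billing_code"}),
                           _DAY + timedelta(hours=8), _DAY + timedelta(hours=18)),
    # The night shift needs the diagnosis, but only during the shift.
    "night-nurse": Grant(frozenset({"id", "name", "diagnosis"}),
                         _DAY + timedelta(hours=20), _DAY + timedelta(hours=30)),
}


class AccessDenied(Exception):
    pass


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the verified principal name, or None. The hash is computed even
    for unknown users so timing does not reveal which usernames exist."""
    user = USERS.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)
        return None
    if hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return username
    return None


def read_fields(principal: str, requested, record: dict, now: datetime) -> dict:
    """Deny by default: no grant, outside the window, or any field beyond the
    grant rejects the whole request rather than silently returning a subset."""
    grant = GRANTS.get(principal)
    if grant is None:
        raise AccessDenied(f"{principal}: no grant")
    if not (grant.valid_from <= now < grant.valid_until):
        raise AccessDenied(f"{principal}: outside permitted time window")
    not_granted = set(requested) - grant.fields
    if not_granted:
        raise AccessDenied(f"{principal}: fields not granted: {sorted(not_granted)}")
    return {f: record[f] for f in requested}


def handle_request(username: str, password: str, requested, now: datetime) -> dict:
    """Full path: authenticate first, then apply field and time restrictions."""
    principal = authenticate(username, password)
    if principal is None:
        raise AccessDenied("authentication failed")
    return read_fields(principal, requested, PATIENT_RECORD, now)


if __name__ == "__main__":
    office_hours = _DAY + timedelta(hours=10)
    print(handle_request("billing-clerk", "correct horse", ["id", "billing_code"], office_hours))
```

Rejecting a request that asks for any field outside the grant, instead of trimming it, keeps the caller honest about what its purpose needs and produces a deniable event that can be logged and reviewed.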
Protection of the data subject’s assets
In many kinds of processing activities, the personal data stored by the controller are also of significant value to the data subject. Prime examples are cloud-based photo collections, office suites and document management systems, but also medical data residing with a patient's physician. We call such data assets.
These assets may be of much lower value to the controller, who may therefore be reluctant to invest significantly in their protection. Also, one way a controller can exert power over a data subject is to make access to the data subject's assets dependent on certain conditions.
To prevent such exertion of power, the GDPR mandates controllers to protect data subjects' assets. In particular, it requires that these assets be protected against:
- accidental loss, destruction or damage, and
- refusal to let the data subject use the assets independently of the controller.
The former kind of protection is also known as availability and resilience. The latter is called data portability and is one of the data subject's rights.
Prohibition of processing that fails to be fit for purpose
Gaining power through any processing that is unfit to fulfill the declared purposes is evidently illegitimate.
The GDPR uses two principles to enforce fitness for purpose:
- Integrity (see Art. 5(1)(f)) and
- accuracy (see Art. 5(1)(d)).
The former mandates protecting data against accidental damage and unauthorized modification; the latter mandates that data be kept accurate and up to date and that, where this is not the case, the data be erased or rectified without delay.
Notes
1. Note that transparency is also a principle of the GDPR as stated in Art. 5(1)(a).
2. See Art. 4(7) GDPR.
3. See Art. 29 and 32(4) GDPR.
4. See Art. 28(3) GDPR.
5. See Art. 28(3)(h) GDPR.
6. See Art. 13 and 14 GDPR.
7. See for example Art. 15, 12(3) and 19 GDPR.
8. See Art. 37 GDPR.
9. See Art. 13(1)(b) and 14(1)(b) GDPR.
10. See Art. 38(4) GDPR.
11. See Art. 33 GDPR.
12. See Art. 34 GDPR.
13. See Art. 30 GDPR.
14. See Art. 35 GDPR.
15. See Chapter 3 GDPR, which comprises Articles 12 through 23.
16. Note that the right to data portability is discussed in the section on the protection of the data subject's assets.
17. See Art. 15 GDPR.
18. See Art. 16 GDPR.
19. See Art. 17 GDPR.
20. See Art. 18 GDPR.
21. These circumstances are listed in Art. 18(1) GDPR.
22. See Art. 21 GDPR.
23. See Art. 22 GDPR.
24. See Art. 22(3) GDPR.
25. See Art. 7(3) GDPR.
26. See Art. 6(1)(a) and 9(2)(a) GDPR.
27. See Art. 19 GDPR, second sentence.
28. See Art. 79 GDPR.
29. See Art. 77 GDPR.
30. See Art. 58 GDPR.
31. See Art. 58(1) GDPR.
32. See Art. 58(1)(b) and (f) GDPR.
33. See Art. 58(2) GDPR.
34. See Art. 58(2)(i) GDPR.
35. See Art. 58(2)(j) GDPR.
36. See Art. 58(2)(f) GDPR.
37. This term is introduced in Art. 4(1) GDPR.
38. This wording is extracted from Art. 4(1) GDPR.
39. Note that this term is used in Art. 4(5) GDPR, which provides the definition of pseudonymization.
40. This wording is extracted from the 5th sentence of Recital 26 GDPR.
41. This wording is extracted from Art. 5(1)(e) GDPR.
42. See Art. 4(9) GDPR.
43. See Art. 5(1)(f) GDPR.
44. See Art. 5(1)(f) GDPR.
45. See Art. 32(1)(b) and (c) GDPR.
46. See Art. 20 GDPR.