{"id":2420,"date":"2021-08-11T12:38:08","date_gmt":"2021-08-11T12:38:08","guid":{"rendered":"http:\/\/guidelines.panelfit.eu\/?page_id=2420"},"modified":"2022-03-25T20:52:25","modified_gmt":"2022-03-25T20:52:25","slug":"what-are-the-conditions-for-the-implementation-of-processing","status":"publish","type":"page","link":"https:\/\/guidelines.panelfit.eu\/understanding-data-protection\/what-are-the-conditions-for-the-implementation-of-processing\/","title":{"rendered":"What are the conditions for the implementation of processing?"},"content":{"rendered":"
Processing<\/span> of personal data for legitimate and lawful purposes is thus allowed, but only under certain conditions on its implementation. The following describes these conditions in more detail.<\/p>\n The basic rationale of these conditions is to limit and balance the power<\/strong> gained by the organization that processes personal data (so-called controllers<\/strong>) over the affected individuals (so-called data subjects<\/strong>).<\/p>\n As an overview, this is achieved in the following ways:<\/p>\n A first measure to limit the power of controllers is to hold them fully accountable for the whole processing activity. This is one of the key principles of the GDPR (see Art. 5(2)). It goes beyond just mandating controllers to make their processing transparent<\/strong>[1]<\/a><\/sup> (to data subjects and supervisory authorities) by obliging controllers to be able to actually demonstrate compliance<\/strong> with the GDPR. Evidently, this opens the processing to oversight. Also, it clearly assigns the “burden of proof”: It is not the data subjects or supervisory authorities who need to demonstrate a violation of the GDPR; non-transparency that hides non-compliance is in itself a violation.<\/p>\n To practically achieve this, in a first step, the GDPR makes sure that the full responsibility<\/strong> is clearly in the hands of the (joint) controller(s) who determine(s) the purposes and means of processing[2]<\/a><\/sup>. This is done, for example, by mandating controllers to exercise control over their employees<\/strong>[3]<\/a><\/sup> and stipulating contracts[4]<\/a><\/sup> with possible external computing services (so-called processors<\/strong>) that guarantee control up to the right of on-premise audits by the controller[5]<\/a><\/sup>.<\/p>\n Once the responsibility is clarified, controllers are obliged to be fully transparent<\/strong> about the processing. 
This includes proactively informing data subjects<\/strong> about the existence and major characteristics of the processing[6]<\/a><\/sup> and providing other kinds of information upon request[7]<\/a><\/sup>. For the latter purpose, controllers usually also have to designate a Data Protection Officer[8]<\/a><\/sup> whose contact details are part of the mandatory information[9]<\/a><\/sup> and who serves as contact point for data subjects[10]<\/a><\/sup>.<\/p>\n Controllers further have to notify data breaches to both the competent supervisory authority<\/strong>[11]<\/a><\/sup> and (if likely exposed to high risk) the data subjects[12]<\/a><\/sup>. In addition, for supervisory authorities, controllers have to maintain records of all processing activities that concern personal data[13]<\/a><\/sup> and be able to present a Data Protection Impact Assessment for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects[14]<\/a><\/sup>. The latter is a prime instrument to demonstrate compliance with the GDPR.<\/p>\n Since there is a power imbalance in data processing, the GDPR empowers the weaker party, i.e., the data subjects. This transforms data subjects from powerless observers of processing to stakeholders who can defend their rights and freedoms through intervention.<\/p>\n The GDPR empowers data subjects mostly through so-called data subject rights<\/strong>[15]<\/a><\/sup>. They include the following[16]<\/a><\/sup>:<\/p>\n Beyond these rights, data subjects also have:<\/p>\n While data subjects are empowered by the above rights, their resources may be insufficient to enforce them. In particular, they may seem unable to make use of their right to an effective judicial remedy against a controller or processor[28]<\/a><\/sup> on their own. 
For this reason, the GDPR grants data subjects the right to lodge a complaint with a supervisory authority<\/strong>[29]<\/a><\/sup>.<\/p>\n In other words, the GDPR provides data subjects with an ally whose power is comparable to or above that of the controller and thus sufficient for enforcing the data subjects’ rights.<\/p>\n The GDPR therefore grants corresponding powers to supervisory authorities[30]<\/a><\/sup>. These range from investigative powers[31]<\/a><\/sup>, such as on-premise audits[32]<\/a><\/sup>, to corrective powers[33]<\/a><\/sup>, such as imposing administrative fines[34]<\/a><\/sup>, ordering the suspension of data flows to recipients[35]<\/a><\/sup>, and banning the processing altogether[36]<\/a><\/sup>.<\/p>\n By demonstrating that the purposes are legitimate and lawful, a controller has justified the gain of power that comes with the processing activity. It is evident that using this power for any other purposes would lack justification. In other words, the permission to process is limited to the declared purposes for which the data is collected.<\/p>\n The GDPR calls this principle “purpose limitation”<\/strong> (see Art. 5(1)(b)).<\/p>\n The way to technically and organizationally implement this principle is through separation<\/strong> of distinct processing activities.<\/p>\n As a second line of defense, even if data from different processing activities came together anyhow, measures such as pseudonymization can render it more difficult to actually combine them by linking data records pertaining to the same person.<\/p>\n Note that this rule also prevents the accumulation of power<\/strong> by combining the data from different processing activities. Such a combination would typically lead to a deeper insight into the life of data subjects, covering more aspects, or to a wider coverage of knowledge comprising a larger number of data subjects. 
In both cases, it can be argued that the combined power is greater than the sum of its parts.<\/p>\n While the demonstration of legitimacy and lawfulness of purposes has justified the processing as such, it has to be implemented in a way that minimizes the power gain to what is minimally necessary to fulfill these purposes. This minimization of power concerns the following three aspects:<\/p>\n These are described in further detail in the following.<\/p>\n Since knowledge is power, the minimization of power means that the personal data that are collected have to be minimized. Only the data that can be shown to be necessary for fulfilling the declared purposes can be legitimately collected.<\/p>\n The GDPR calls this principle “data minimization”<\/strong> (see Art. 5(1)(c)). Specifically, it requires the collected data to be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. When looking at it over time, it also requires that the data be stored no longer than necessary for the purposes. In the case of more complex processing with multiple phases, every phase should have only the data that is really necessary and information content shall be reduced between phases.<\/p>\n The ease with which power over the data subject can be exercised depends on the degree to which the data subject can be associated with the data. 
The strength of the association between data and its data subject should therefore be minimized.<\/p>\n The GDPR distinguishes three kinds of data with different degrees of association:<\/p>\n The first permits \u201cdirect identification<\/strong>\u201d[37]<\/a><\/sup> of the data subject by use of \u201can \u201cidentifier\u201d<\/strong> such as a name, an identification number, location data, [or] an online identifier\u201d[38]<\/a><\/sup>; pseudonymized data<\/strong> permits identification only with the use of \u201cadditional information\u201d<\/strong>[39]<\/a><\/sup>; and anonymous data<\/strong> where \u201cthe data subject is not or no longer identifiable<\/strong>\u201d[40]<\/a><\/sup>.<\/p>\n In analogy to data minimization, the data shall be collected with the minimal degree of association with the data subject. Considering the temporal aspect, \u201cpersonal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes\u201d[41]<\/a><\/sup>. In the case of more complex processing with multiple phases, every phase should have only the minimal degree of association that is really necessary and pseudonymization or anonymization should be used between phases.<\/p>\n The GDPR calls this principle “storage limitation”<\/strong> (see Art. 5(1)(e)).<\/p>\n Power is in the hands of persons and organizations. If knowledge is power, this power is available only to parties to whom the personal data is disclosed. The GDPR calls such parties recipients[42]<\/a><\/sup>. They can be either employees of the controller or processor, intended third party recipients, or unintended parties such as attackers.<\/p>\n The access to power has to be limited to what is necessary to fulfill the declared purposes. 
The GDPR calls this principle “confidentiality”<\/strong>[43]<\/a><\/sup>.<\/p>\n Confidentiality<\/span> has two aspects:<\/p>\n The former protects to a large degree against external attackers with measures such as encryption of data at rest or communications and firewalls. The latter is usually called access control<\/strong>. It makes sure that the party accessing the data is indeed authorized (authentication), restricts the access to data that is needed (access rights) and may restrict access to the times when it is necessary.<\/p>\n In many kinds of processing activities, the personal data stored by the controller are also of significant value to the data subject. Prime examples are cloud-based photo collections and office suites and document management systems but also medical data residing with a patient’s physician. We call such data assets.<\/p>\n These assets may be of much lower value to the controller, who may be reluctant to invest significantly in their protection. Also, one way a controller can exert power over a data subject is to make access to a data subject\u2019s assets dependent on certain conditions.<\/p>\n To prevent such exertion of power, the GDPR mandates controllers to protect data subjects’ assets. In particular, it requires these assets to be protected against:<\/p>\n The former kind of protection is also known as availability<\/strong> and resilience<\/strong>[45]<\/a><\/sup>. The latter is called data portability<\/strong> and is one of the data subject’s rights[46]<\/a><\/sup>.<\/p>\n Gaining power through any processing that is unfit to fulfill the declared purposes is evidently illegitimate.<\/p>\n The GDPR uses two principles to enforce fitness for purpose:<\/p>\n The former mandates protecting data against accidental damage and unauthorized modification; the latter mandates that data are kept up to date and accurate and that where this is not the case the data are erased or rectified without delay. 
1<\/sup>Note that transparency is also a principle of the GDPR as stated in Art. 5(1)(a). \u2191<\/a><\/p>\n 2<\/sup>See Art. 4(7) GDPR. \u2191<\/a><\/p>\n 3<\/sup>See Art. 29 and 32(4) GDPR. \u2191<\/a><\/p>\n 4<\/sup>See Art. 28(3) GDPR. \u2191<\/a><\/p>\n 5<\/sup>See Art. 28(3)(h) GDPR. \u2191<\/a><\/p>\n 6<\/sup>See Art. 13 and 14 GDPR. \u2191<\/a><\/p>\n 7<\/sup>See for example Art. 15 12(3) and 19 GDPR. \u2191<\/a><\/p>\n 8<\/sup>See Art. 37 GDPR. \u2191<\/a><\/p>\n 9<\/sup>See Art. 13(1)(b) and 14(1)(b) GDPR. \u2191<\/a><\/p>\n 10<\/sup>See Art. 38(4) GDPR. \u2191<\/a><\/p>\n 11<\/sup>See Art. 33 GDPR. \u2191<\/a><\/p>\n 12<\/sup>See Art. 34 GDPR. \u2191<\/a><\/p>\n 13<\/sup>See Art. 30 GDPR. \u2191<\/a><\/p>\n 14<\/sup>See Art. 35 GDPR. \u2191<\/a><\/p>\n 15<\/sup>See Chapter 3 GDPR that comprises Articles 12 through 23. \u2191<\/a><\/p>\n 16<\/sup>Note that the right to data portability is discussed in the section on the protection of the data subject’s assets. \u2191<\/a><\/p>\n 17<\/sup>See Art. 15 GDPR. \u2191<\/a><\/p>\n 18<\/sup>See Art. 16 GDPR. \u2191<\/a><\/p>\n 19<\/sup>See Art. 17 GDPR. \u2191<\/a><\/p>\n 20<\/sup>See Art. 18 GDPR. \u2191<\/a><\/p>\n 21<\/sup>These circumstances are listed in Art. 18(1) GDPR. \u2191<\/a><\/p>\n 22<\/sup>See Art. 21 GDPR. \u2191<\/a><\/p>\n 23<\/sup>See Art. 22 GDPR. \u2191<\/a><\/p>\n 24<\/sup>See Art. 22(3) GDPR. \u2191<\/a><\/p>\n 25<\/sup>See Art. 7(3) GDPR. \u2191<\/a><\/p>\n 26<\/sup>See Art. 6(1)(a) and 9(2)(a) GDPR. \u2191<\/a><\/p>\n 27<\/sup>See Art. 19 GDPR, second sentence. \u2191<\/a><\/p>\n\n
Controllers are fully accountable<\/h2>\n
Empowerment of data subjects<\/h2>\n
\n
\n
Balancing power through the institution of supervisory authorities<\/h2>\n
Restricting the controllers to use the power solely for reaching the declared legitimate purposes<\/h2>\n
Minimization of power to what is necessary to fulfill the declared purposes<\/h2>\n
\n
Minimization of information content (i.e., power)<\/h3>\n
Minimizing the association to the data subject<\/h3>\n
\n
Limitation of the access to power<\/h3>\n
\n
Protection of the data subject\u2019s assets<\/h2>\n
\n
Prohibition of processing that fails to be fit for purpose<\/h2>\n
\n
\nReferences<\/strong><\/p>\n
\n