Under the EU general data protection regulation (GDPR), any data processing activities must be compliant with six privacy principles, which are the cornerstone of the european privacy regulation and most international privacy laws.
The privacy principles are set out in article 5 GDPR and are as follows :
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
Being familiar with the privacy principles helps better understand the other GDPR requirements/concepts as most of them stems from the privacy principles (e.g., data protection by design and by default , the data protection impact assessment or the requirement to provide an information notice to individuals etc.).
Each privacy principle is set out below along with more detailed explanations and examples.
Principle 1: Lawfulness, fairness and transparency
“Data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”
In practice, processing personal data lawfully means that the collection of personal data is based on a legal ground (e.g. consent, legitimate interest, the performance of a contract etc.)
For personal data to be processed fairly and in a transparent manner, data subjects should be informed about the processing of their data unless an exemption applies (for more information about the content of the privacy notice controllers must provide to individuals, click here).
Principle 2: Purpose limitation
“Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
Prior to collecting personal data, the purpose(s) of processing should be identified. This means answering the question “what do we need the data for? And/or what are we going to do with it?”
Each reason why personal data is collected is a purpose of processing that must be set out in the privacy notice provided to the data subjects.
These purposes must be legitimate. There is not much information about what legitimate purpose exactly means. However, the definition of “legitimate” is conforming to the law. Therefore we can construe “legitimate purpose” as purposes being in accordance with applicable law.
In the case where controllers would like to use personal data for a new purpose not intended at the time of their collection, it must ensure this new purpose is compatible with the initial ones.
In this regard, data subject’s expectations should be taken into account when performing this assessment as only scientific and historical research, archiving in the public interest and statistic are the only new purposes explicitly considered as compatible under the GDPR.
However, if consent is required and obtained, it seems very unlikely the new purpose would be considered as incompatible with the initial ones.
In the other cases and more particularly where the controller intends to rely on its legitimate interest, the incompatibility test should be carried out very carefully, as the likelihood of incompatibility is higher.
Principle 3: Data minimisation
“data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
Once the purposes of processing are defined, only the personal data necessary to achieve these purposes should be collected (e.g. payment card data is not necessary to provide a free service and therefore should not be collected).
However, drawing a distinction between necessary and optional/unnecessary data may prove difficult in some cases.
For example, most businesses want to collect as much data about their customers or prospects as possible in order to carry out profiling activities and better target their customers or improve their services. Security or recruitment services may want to collect as much information as possible to improve their recruitment process, prevent or detect any security incident/fraud etc.
However, controllers should be able to justify why data was necessary to achieve the purposes of processing and whether it was proportionate, in particular, when using new technologies. This is an analysis to be carried out on a case by case basis.
Principle 4: Accuracy
“personal data must be accurate and where necessary kept up-to-date”
Though Controller must process accurate personal data, the latter often rely on individuals providing information that may be inaccurate. It is not expressly set out in the GDPR but one’s cannot expect controllers to detect all individual’s lies or mistakes. However in some circumstances (e.g. high risk etc.) and in particular, where required by law, controllers should implement adequate measures in order to ensure the accuracy of the information.
In any event, if a controller is made aware that personal data is not accurate, it should no longer use it and in most circumstances it should either delete it or update it (e.g. if a mail is returned because of a change of address, the address should not be used any longer to send mail to this individual).
Data subjects also have a right to ask for the deletion and/or correction of inaccurate data (see individual’s right overview here)
In addition, if it is necessary to update the information because of the purpose of the data processing or where required by a specific law, personal data should be kept up-to-date.
In practice, data subjects may be required to update their information as and when necessary (e.g. HR information) or to confirm its accuracy before using it (e.g. asking for confirmation of the address before sending a parcel)
However and unless otherwise required by law, “keeping personal data up-to-date where necessary” should not be construed as an obligation for controllers to carry out research and collect data anywhere in order to ensure its database is up-to-date.
For example, a recruitment company is not supposed to update its candidates’ profile by browsing Linkedin or any equivalent professional network in order to keep its own candidate database up-to-date. Prior information and candidate’s consent would be strongly recommended in this case (FYI, personal data, even made publicly available remains personal data and is still subject to the GDPR).
Principle 5: Storage limitation
“data should not be kept longer than necessary”
Before starting any data processing and once all the purposes thereof are defined, a data retention period must be determined in order to retain data no longer than it is necessary to achieve these purposes.
Determining a data retention period may prove difficult as it is sometimes subjective and may vary depending on the circumstances. However, law (in particular those relating to limitation period) and authorities’ guidelines help define data retention periods for various purposes.
Furthermore, when determining a data retention period, a distinction should be drawn between active database and archive.
For example, if a customer decided to close an online account he had opened with an online retailer to purchase its products or services, the online account should be deleted from the retailer’s customers database.
However, the retailer should keep most of the information about this individual in an archive as long as it is necessary to comply with any legal obligation or as long as any limitation period is running.
Principle 6: Security
Security is the easiest principle to define but the hardest principle to comply with.
Indeed, personal data must be considered as confidential data and sometimes as sensitive data (e.g. payment card information, special categories of data (sexual orientation, race etc.) given the risk taken if it were lost.
Depending on the amount of data, their sensitivity etc. appropriate security measures should be implemented in order to keep the data secure.
If data were lost, controllers must be able to demonstrate it had taken appropriate security measures or otherwise it may be fined by the authority (up to 4% of the annual global turnover).
Security attack being one of the biggest threat today, it is more and more difficult to ensure personal data will be kept confidential. Therefore it is at least expected the controller has implemented security measure proportionate to the risks.
The Principle of Accountability
The privacy principles set out above have not changed with the new data protection regulation but controllers must now be able to demonstrate its processing activities comply with each of them. This is the principle of accountability. Implementing appropriate policies and procedures will help comply with this new obligation.
If you have any question, do not hesitate to contact Arnaud Blanc, French & UK qualified lawyer based in France.