Principles of personal data processing

The General Data Protection Regulation shall be applied directly, thus entrepreneurs processing data will be directly obliged to follow all the rules concerning the protection of privacy. Entrepreneur! Prepare for evolution in personal data protection now.

What is “personal data processing”? According to the GDPR, processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4(2) of the GDPR).

This list is however only of exemplary nature – the catalogue of processing activities remains open, since it is impossible to determine in advance what activities can be potentially included in the processing. What’s important – and non-intuitive – collecting personal data as such is considered its processing.

The list of issues to be managed by any administrator is provided below:

1. Transparency, fairness and lawfullness (compliance with law) principles

Transparency.

The principle of transparency is strictly associated with the disclosure requirements imposed on the administrator. Compliance with this principle means that the data subject concerned will be informed about his/her rights in a concise, transparent, intelligible and easily accessible form.

Fairness.

The requirement of fairness means the obligation of processing data in compliance with the principles of social co-existence (i.e. following the principles underlying the legal order).

Lawfulness

One of the most common prerequisites for data processing is the consent expressed by the data subject. In view of this principle, it is of course necessary to follow all the provisions concerning personal data processing during processing (unlawfulness of processing means that the administrator processes data without legal basis).

2. Principle of purpose limitation

Personal data should be processed in line with specific, explicit and legitimate purpose. When specifying the purpose, general or vague descriptions of the processing purposes should be avoided.

This principle is linked to the disclosure requirement i.e. the administrator’s obligation to communicate the purpose of personal data processing to the data subject concerned.

3. Principle of data minimisation

Pursuant to this principle, the scope of processed data should be adequate, relevant and limited to what is necessary in relation to purposes, for which it is processed.

In practice, it means processing of only such data, which will be necessary to achieve the given purpose. Concluding a distance sales agreement serves as a good example here. Data necessary to execute such agreement includes:

• name and surname,
• residence address,
• phone number (in certain cases).

This data will be in most cases sufficient to execute such agreement. In the discussed case, requiring from the prospect to provide e.g. age, education or forms of leisure activities, seems to be unnecessary.

4. Principle of accuracy

This principle is linked with the obligation to ensure accuracy of data and updating it, if it was found inaccurate or incomplete as well as with the obligation to rectify data upon request of the data subject.

Personal data should be accurate, true and up-to-date.

5. Principle of storage limitation

Pursuant to this principle, personal data should be kept for no longer than is necessary for purposes, for which it is processed.

Keeping a bank account is a good example. Upon achieving the purpose (closing of the bank account) processing data of the bank account holder should be considered illegal.

6. Principle of integrity and confidentiality (data security)

Personal data controller is obliged to process data in a way ensuring appropriate security.

This includes primarily protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Data protection should be ensured using appropriate technical or organisational measures.

7. Principle of accountability

This is a new principle implemented by the GDPR. The administrator shall be responsible for compliance with all the aforementioned principles and, what’s crucial, must be able to demonstrate compliance with them. This principle imposes the obligation of recording and storing information enabling demonstration of legal compliance of the activities undertaken by the administrator.  

*Author: Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at GWW.