Key principles of personal data processing

Author: Michèle Finck
STOA | Panel for the Future of Science and Technology
6. Key principles of personal data processing
Article 5 GDPR announces a number of central and overarching principles that must be respected
whenever personal data is processed. First, the principles of lawfulness, fairness and transparency
require that personal data shall be 'processed lawfully, fairly and in a transparent manner in relation
to the data subject'.401 Second, the principle of purpose limitation requires that personal data be
'collected for specified, explicit and legitimate purposes and not further processed in a manner that
is incompatible with those purposes'.402 Third, the principle of data minimisation mandates that
personal data be 'adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed'.403
Fourth, the principle of accuracy establishes that personal data ought to be 'accurate and, where
necessary, kept up to date; every reasonable step must be taken to ensure that personal data that
are inaccurate, having regard to the purposes for which they are processed, are erased or rectified
without delay'.404 The principle of storage limitation provides that personal data must be 'kept in
a form which permits identification of data subjects for no longer than is necessary for the purposes
for which the personal data are processed'.405 Pursuant to the integrity and confidentiality
requirement, data ought to be 'processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organisational measures'.406
It is the responsibility of the data controller to comply with, but also to be able to demonstrate
compliance with these various requirements.407 This section examines how these key principles of
personal data processing can be met where DLT is the chosen processing technology by examining
the various components of Article 5 GDPR.
6.1. Legal grounds for processing personal data
Personal data processing can only be lawful where there is a legal ground that permits such
processing.408 In accordance with Article 6 GDPR, there are various different grounds of lawful
personal data processing that may be more or less suitable for a specific processing operation
depending on the given circumstances.409 Data controllers must thus make sure that one of these
grounds applies before they can proceed with any specific processing operation.410 The grounds of
lawful processing provided in this list are exhaustive, meaning that Member States cannot add
additional grounds or otherwise amend the scope of the six principles explicitly recognised by the
GDPR. Below, the various grounds of lawful personal data processing are introduced in turn.
401 Article 5(1)(a) GDPR.
402 Article 5(1)(b) GDPR.
403 Article 5(1)(c) GDPR.
404 Article 5(1)(d) GDPR.
405 Article 5(1)(e) GDPR.
406 Article 5(1)(f) GDPR.
407 Article 5(2) GDPR.
408 It is worth noting that different principles apply to instances where special categories of data are processed. These are
not examined here.
409 To illustrate, Article 6(1)(b) GDPR can only be relied on where there is a contractual relationship between the data
controller and the data subject.
410 Article 28(3) GDPR dispenses processors from independently verifying whether controllers have such a lawful ground.
