Key principles of personal data processing

• Author: Michèle Finck
• Pages: 60-70

STOA | Panel for the Future of Science and Technology

60

6. Key principles of personal data processing

Article 5 GDPR announces a number of central and overarching principles that must be respected

whenever personal data is processed. First, the principles of lawfulness, fairness and transparency

require that 'personal data shall be 'processed lawfully, fairly and in a transparent manner in relation

to the data subject'.401 Second, the principle of purpose limitation requires that personal data be

'collected for specified, explicit and legitimate purposes and not further processed in a manner that

is incompatible with those purposes'.402 Third, the principle of data minimisation mandates that

personal data be 'adequate, relevant and limited to what is necessary in relation to the purposes for

which they are processed'.403

Fourth, the principle of accuracy establishes that personal data ought to be 'accurate and, where

necessary, kept up to date; every reasonable step must be taken to ensure that personal data that

are inaccurate, having regard to the purposes for which they are processed, are erased or rectified

without delay'.404 The principle of storage limitation provides that personal data must be 'kept in

a form which permits identification of data subjects for no longer than is necessary for the purposes

for which the personal data are processed'.405 Pursuant to the integrity and confidentiality

requirement, data ought to be 'processed in a manner that ensures appropriate security of the

personal data, including protection against unauthorised or unlawful processing and against

accidental loss, destruction or damage, using appropriate technical or organisational measures'.406

It is the responsibility of the data controller to comply with, but also to be able to demonstrate

compliance with these various requirements.407 This section examines how these key principles of

personal data processing can be met where DLT is the chosen processing technology by examining

the various components of Article 5 GDPR.

6.1. Legal grounds for processing personal data

Personal data processing can only be lawful where there is a legal ground that permits such

processing.408 In accordance with Article 6 GDPR, there are various different grounds of lawful

personal data processing that may be more or less suitable for a specific processing operation

depending on the given circumstances.409 Data controllers must thus make sure that one of these

grounds applies before they can proceed with any specific processing operation.410 The grounds of

lawful processing provided in this list are exhaustive, meaning that Member States cannot add

additional grounds or otherwise amend the scope of the six principles explicitly recognised by the

GDPR. Below, the various grounds of lawful personal data processing are introduced in turn.

401 Article 5(1)(a) GDPR.

402 Article 5(1)(b) GDPR.

403 Article 5(1)(c) GDPR.

404 Article 5(1)(d) GDPR.

405 Article 5(1)(e) GDPR.

406 Article 5(1)(f) GDPR.

407 Article 5(2) GDPR.

408 It is worth noting that different principles apply to instances where special categories of data are processed. These are

not examined here.

409 To illustrate, Article 6(1)(b) GDPR can only be relied on where there is a contractual relationship between the data

controller and the data subject.

410 Article 28(3) GDPR dispenses processors from independently verifying whether controllers have such a lawful ground.