Key principles of personal data processing

• Author: Michèle Finck
• Pages: 60-70

STOA| Panel for the Future of Science and Technology

60

6.Key principles of personal data processing

Article 5GDPRannounces a number of central and overarching principles that must be respected

whenever personal data is processed. First, the principles of lawfulness, fairness and transparency

require that 'personal data shall be 'processed lawfully, fairly and in a transparent manner in relation

to the data subject'.401Second, the principle of purpose limitation requires that personal data be

'collected for specified, explicit and legitimate purposes and not further processed in a manner that

is incompatible with those purposes'.402Third, the principle of data minimisationmandates that

personal data be 'adequate, relevant and limited to what is necessary in relation to the purposes for

which they are processed'.403

Fourth, the principle of accuracyestablishes that personal data ought to be 'accurate and, where

necessary, kept up to date; every reasonable step must be taken to ensure that personal data that

are inaccurate, having regard to the purposes for which they are processed, are erased or rectified

without delay'.404The principle of storage limitationprovides that personal data must be 'kept in

a form which permits identification of data subjects for no longer than is necessary for the purposes

for which the personal data are processed'.405Pursuant to the integrity and confidentiality

requirement, data ought to be 'processed in a manner that ensures appropriate security of the

personal data, including protection against unauthorised or unlawful processing and against

accidental loss, destruction or damage, using appropriate technical or organisational measures'.406

It is the responsibility of the data controllerto comply with, but also to be able to demonstrate

compliance with these various requirements.407This section examines how these key principles of

personal data processing can be met where DLT is the chosen processing technology by examining

the various componentsof Article 5GDPR.

6.1.Legal grounds for processing personal data

Personal data processing can only be lawful where there is a legal ground that permits such

processing.408In accordance with Article 6GDPR, there are various different grounds of lawful

personal data processing that may be more or less suitable for a specific processing operation

depending on the given circumstances.409Data controllers must thus make sure that one of these

grounds applies before they can proceed with any specific processing operation.410The grounds of

lawful processing provided in this list are exhaustive, meaning that Member States cannot add

additional grounds or otherwise amend the scope of the six principles explicitly recognisedby the

GDPR. Below, the various grounds of lawful personal data processing are introduced in turn.

401Article 5(1)(a) GDPR.

402Article 5(1)(b) GDPR.

403Article 5(1)(c) GDPR.

404Article 5(1)(d) GDPR.

405Article 5(1)(e) GDPR.

406Article 5(1)(f) GDPR.

407Article 5(2) GDPR.

408It is worth noting that different principles apply to instances where special categories of data are processed. These are

not examined here.

409To illustrate, Article 6(1)(b) GDPR can only be relied on where there is a contractual relationship between the data

controller and the data subject.

410Article 28(3) GDPR dispenses processors from independently verifying whether controllers have such a lawful ground.