Article 5 of the General Data Protection Regulation (GDPR) sets out key principles which lie at the heart of the regulation for the lawful processing of personal data. In essence, processing means anything that is done to, or with, personal data (including simply collecting, storing, sharing, viewing or deleting those data). The GDPR is likely to apply wherever an organisation does anything that involves or affects personal data.
The principles should inform every step to ensuring compliance with the regulation.
During this 2023 Privacy Week, we will explore each of the GDPR principles daily, and provide examples of how they should fit within an organisation’s GDPR compliance practices.
Click on the tabs below for more information and re-familiarise yourself with these principles …
#1 – PRINCIPLE OF LAWFULNESS, FAIRNESS & TRANSPARENCY
LAWFULNESS
Processing of personal data is lawful only if, and to the extent that, it is permitted under the GDPR. Article 6 of the GDPR lists six lawful bases for processing:
No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
FAIRNESS
In general, fairness means that personal data should be handled in ways that data subjects would reasonably expect and data should not be used in ways that have unjustified adverse effects on the data subjects.
This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. In other words, users wouldn’t be surprised if they knew how you were using their data.
Processing of personal data must always be fair as well as lawful. If any aspect of your processing is unfair you will be in breach of this principle – even if you can show that you have a lawful basis for the processing.
TRANSPARENCY
The requirement to process personal data fairly and lawfully is extensive. It includes the transparency obligation to tell data subjects what their personal data will be used for. Transparency is about informing data subjects about how their data is collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed.
Transparency is inherently linked to the data subject’s ‘right to be informed’ (Article 12), which requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
PENALTIES
Google fined 50 million euros by the French Supervisory Authority in 2019, for a breach of the GDPR rules. CNIL levied the fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”
That lack of clarity meant that users were effectively unable to exercise their right to opt out of data-processing for personalisation of ads. Additionally, CNIL found that even when user consent was collected, it did not meet the standards under GDPR that such consent be “specific” and “unambiguous”, since users were not asked specifically to opt in to ad targeting, but were asked simply to agree to Google’s terms and privacy policy collectively.
#2 – PRINCIPLE OF PURPOSE LIMITATION
Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. This means processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
However, it should be noted that in accordance with Article 89(1), further processing if for the following purposes, should be considered to be compatible with the initial purposes:
The GDPR does not totally ban the use of data for other purposes, not specified, but there are restrictions.
For example, if your purposes change over time or you want to use data for a new purpose which you did not originally anticipate, you may go ahead if:
In essence, all processing must also be ‘lawful’, so you do need to rely on a lawful basis appropriate for the new processing. The original basis you used to collect the data may not always be appropriate for your new use of that data.
You need to make sure that you update your privacy notices to ensure that your processing is ‘transparent’.
It is important to regularly review your processing, documentation and privacy information to avoid non-compliance as a result of ‘function creep’ – ensure your purposes have not evolved over time beyond those you originally specified.
PENALTIES
The Dutch Data Protection Authority (DPA) imposed a fine of 525,000 euro against the Royal Dutch Lawn Tennis Association (KNLTB), over violations of the GDPR ‘Purpose Limitation’ principle. The DPA found the association unlawfully shared the personal information of its members with two sponsors for tennis and unrelated promotions.
#3 – PRINCIPLE OF DATA MINIMISATION
‘Data Minimisation’ is a principle that states that data collected and processed should not be held or further used unless this is essential for reasons that were clearly stated in advance to support data privacy. Under the GDPR, data minimisation requires that personal data be:
In practice, data minimisation requires limiting the collection and processing of personal information to what is directly relevant and necessary to accomplish a specified purpose. This specifically requires ensuring that the period for which the personal data are stored is limited to a strict minimum (see also #Principle of ‘Storage Limitation’).
In essence, choose Quality over Quantity!
PENALTIES
Airbnb was issued with a reprimand by the Irish Data Protection Commissioner and was ordered to revise its internal policies and procedures for handling erasure requests to ensure that individuals are no longer required to provide a copy of photographic ID when making erasure requests unless Airbnb can demonstrate a valid legal basis for doing so. Airbnb’s requirement that a data subject verified their identity by way of submission of a copy of their photographic ID constituted an infringement of the principle of ‘data minimisation’. This infringement occurred in circumstances where less data-driven and less intrusive solutions to verify identity were available to Airbnb. In essence, the legitimate interest pursued by Airbnb does not constitute a valid lawful basis under Article 6 of the GDPR for seeking a copy of the Complainant’s photographic ID in order to process their erasure request.
The DPC’s draft decision was submitted to the GDPR Article 60 cooperation mechanism and no objections were raised by the other concerned supervisory authorities.
The decision is available here
Accuracy
Storage Limitation
Integrity and Confidentiality (Security)
Accountability
The EU General Data Protection Regulation (GDPR) is among the world’s most stringent data protection laws and is designed to apply to all types of businesses, from small businesses to multi-nationals.
Article 83 of the GDPR highlights the two-tier penalty structure which are flexible and scale with the organisation. Any organisation that is not GDPR compliant, regardless of its size, faces a significant liability. Data protection authorities can impose fines of:
Non-compliance of the GDPR Principles falls under the higher tier penalty.
Let’s take a look at some of the penalties over the last 4 years. Consider how you can avoid being fined for similar violations of the GDPR Principles.
Principle of Lawfulness, Fairness and Transparency
Google fined 50 million euros by the French Supervisory Authority in 2019, for a breach of the GDPR rules. CNIL levied the fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”
That lack of clarity meant that users were effectively unable to exercise their right to opt out of data-processing for personalisation of ads. Additionally, CNIL found that even when user consent was collected, it did not meet the standards under GDPR that such consent be “specific” and “unambiguous”, since users were not asked specifically to opt in to ad targeting, but were asked simply to agree to Google’s terms and privacy policy collectively.
Principle of Purpose Limitation
The Dutch Data Protection Authority (DPA) imposed a fine of 525,000 euro against the Royal Dutch Lawn Tennis Association (KNLTB), over violations of the GDPR ‘Purpose Limitation’ principle. The DPA found the association unlawfully shared the personal information of its members with two sponsors for tennis and unrelated promotions.
Principle of Data Minimisation
Airbnb was issued with a reprimand by the Irish Commissioner and was ordered to revise its internal policies and procedures for handling erasure requests to ensure that individuals are no longer required to provide a copy of photographic ID when making erasure requests unless Airbnb can demonstrate a valid legal basis for doing so.
Airbnb’s requirement that a data subject verified their identity by way of submission of a copy of their photographic ID constituted an infringement of the principle of ‘data minimisation’. This infringement occurred in circumstances where less data-driven and less intrusive solutions to verify identity were available to Airbnb. In essence, the legitimate interest pursued by Airbnb does not constitute a valid lawful basis under Article 6 of the GDPR for seeking a copy of the Complainant’s photographic ID in order to process their erasure request.
The DPC’s draft decision was submitted to the GDPR Article 60 cooperation mechanism and no objections were raised by the other concerned supervisory authorities.
The decision is available here
Principle of Integrity and Confidentiality (Security)
Interserv Group was penalised by the UK Supervisory Authority in 2022. The penalty of £4,400,000 was issued because of contraventions by Interserve of the GDPR Principle of Integrity and Confidentiality – Article 5(l)(f)
Between 18 March 2019 and 1 December 2020 Interserve Limited (“Interserve”) failed to process personal data in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 GDPR. This rendered Interserve vulnerable to a cyber-attack which took place in the period 30 March 2020 to 2 May 2020 and affected the personal data of up to 113,000 employees of Interserve.
The decision is available here.