The second principle is that of purpose limitation. It means that personal data can be collected only for specified, explicit and legitimate purposes and it is not allowed to process them further in a way that is not compatible with those purposes.
One should bear in mind, however, that further processing for the purposes of the public interest, scientific or historical research or statistical purposes is not considered as incompatible with the initial purposes and is therefore allowed.
As the third principle, we need to refer to data minimisation. According to this principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Essentially, it means that data cannot be processed unless it is needed in order to achieve the above-mentioned purposes.
Accuracy is the fourth principle meaning that it is required to ensure that personal data is accurate and is kept up to date where it is necessary.
Personal data that is inaccurate – considering the purposes for its processing – must be deleted or rectified without any delay.
The fifth principle is storage limitation. It entails that personal data must be kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing.
Storing data for longer periods is allowed when the processing of the data will aim at achieving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Nevertheless, also in these cases rights and freedoms of data subjects must be safeguarded.
Integrity & Confidentiality
Finally, the sixth principle of integrity and confidentiality requires that in the processing of personal data, appropriate security of personal data is ensured.
This should include protection against unauthorised or unlawful processing, destruction and damage. Appropriate technical or organisational measures are to be taken in order to comply with this requirement.
Such data security measures can include the use of encryption and authentication and authorisation mechanisms.
Overview of individual rights
The GDPR extends a number of existing individual rights which individuals can exercise against controllers, as well as introducing a number of new rights.
The focus on individual rights, and on the transparency and accountability principles which underpin all of the GDPR, put individuals and their rights at the heart of the GDPR.
Controllers will need to consider all aspects of their processing activities in light of the rights afforded to individuals, so that they will ultimately be in a position to demonstrate compliance not only when individuals seek to exercise those rights, but with their overall obligations under the GDPR.
Right to be Informed
- The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice;
- It emphasises the need for transparency over how you use personal data;
- The GDPR sets out the information that you should supply and when individuals should be informed;
- The information you supply is determined by whether or not you obtained the personal data directly from individuals;
- The information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child;
- free of charge.
Right of Access
- Individuals have the right to access their personal data and supplementary information;
- The right of access allows individuals to be aware of and verify the lawfulness of the processing;
- Under the GDPR, individuals will have the right to obtain:
- confirmation that their data is being processed;
- right to a copy of personal data held by the data controller – within 30 days of their request;
- access to their personal data, and;
- other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
Right to Rectification
- The GDPR gives individuals the right to have personal data rectified;
- Personal data can be rectified if it is inaccurate or incomplete;
- Individuals are entitled to have personal data rectified if it is inaccurate or incomplete;
- If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible;
- You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
Right of Erasure
- The right to erasure is also known as ‘the right to be forgotten’;
- The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to erasure does not provide an absolute ‘right to be forgotten’.
Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- When the individual withdraws consent that was previously supplied;
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR);
- The personal data has to be erased in order to comply with a legal obligation;
- The personal data is processed in relation to the offer of information society services to a child.
Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress.
However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
Right to Restrict Processing
- Individuals have a right to ‘block’ or suppress processing of personal data;
- When processing is restricted, you are permitted to store the personal data, but not further process it – without the express consent of the data subject before the processing takes place;
- You can retain just enough information about the individual to ensure that the restriction is respected in future.
Right to Data Portablity
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services;
- It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability;
- It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.
The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract, and;
- when processing is carried out by automated means.
Right to Object
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling), and;
- processing for purposes of scientific/historical research and statistics.
Individuals must have an objection on “grounds relating to his or her particular situation”.
You must stop processing the personal data unless:
- you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual, or;
- the processing is for the establishment, exercise or defence of legal claims.
You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.
This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
Rights in relation to Automated Decision-making and Profiling
- The GDPR has provisions on:
- automated individual decision-making (making a decision solely by automated means without any human involvement), and;
- profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
- The GDPR applies to all automated individual decision-making and profiling.
- You can only carry out this type of decision-making where the decision is:
- necessary for the entry into or performance of a contract, or;
- authorised by Union or Member state law applicable to the controller, or;
- based on the individual’s explicit consent.
- You must identify whether any of your processing falls under Article 22 – ‘Automated individual decision-making, including profiling’, and, if so, make sure that you:
- give individuals information about the processing;
- introduce simple ways for them to request human intervention or challenge a decision;
- carry out regular checks to make sure that your systems are working as intended.