Principles relating to the processing of personal data
The GDPR (Article 5) sets out seven key principles underpinning the processing of personal data by any entity, including micro-enterprises and SMEs.
These principles are therefore the guidelines to follow to keep the personal data of your customers, employees and suppliers safe.
GDPR Principles & Rights
1. Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the individual. Personal data can only be processed lawfully if it is covered by a “lawful basis”.
The processing of personal data must be fair, appropriate, reasonable and proportionate in relation to the individuals concerned. This means that an enterprise processing personal data must weigh its own interests against those of the individuals concerned before starting the processing.
Transparency requires your enterprise to be open and clear about the processing of personal data. The person concerned should be made aware why their data is being processed, of the risks, of their rights and of other important aspects.
2. Purpose limitation
Personal data may only be collected when linked to a concrete purpose. According to the purpose limitation principle, the purpose(s) should be specific, explicit and legitimate (in accordance with the law). In addition, collected data must only be processed in a way that is compatible with the initial goal of collection.
Data lawfully collected for a given purpose cannot simply be reused for new purposes defined later on.
If you originally collected the data on the basis of legitimate interest, contract or vital interests, the personal data can only be used for another purpose after checking whether the new purpose is compatible with the original purpose.
Elements to take into account when assessing the compatibility of purposes:
Is there a link between the original purpose and the new purpose?
The context in which the data was collected (what is the relationship between your enterprise and the individual?)
What type and nature of data does it concern (e.g. sensitive data)?
What are the possible consequences of further processing for the individual concerned?
Are there appropriate safeguards in place, e.g. encryption or pseudonymisation?
If your enterprise originally collected the data on the basis of consent or based on a legal obligation, you are not allowed to further process the data beyond what is allowed by the original consent or the legal provision(s). In this scenario, further processing requires obtaining new consent or a new legal basis.
Example: A company manages a customer database storing personal data for the purpose of commercial communication. All individuals in this database have given their consent to the use of their data for commercial purposes. Now the company plans to make further use of the stored data to keep statistics on customers' buying behaviour, without asking for their consent. In principle, as this is a different purpose from marketing, the company would need to rely on another legal basis for this processing. However, the GDPR explicitly considers the keeping of statistics a compatible purpose. The company will then have to put in place appropriate safeguards to protect the individuals' rights and freedoms (technical and organisational measures such as pseudonymisation).
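The following is an added example of what the pseudonymisation safeguard mentioned in the scenario above looks like in practice; it is not code from the original page. The customer records, field names and key handling are constructed for illustration. Before the marketing database is handed to the statistics team, direct identifiers (customer ID, e-mail, address, age) are dropped, only the fields needed for buying-behaviour statistics are kept, and the customer is represented by an HMAC-SHA256 pseudonym computed under a secret key that is stored apart from the statistics dataset. The same customer maps to the same pseudonym, so per-customer statistics still work, but the pseudonym cannot be recomputed from the customer ID without the key. A plain unkeyed hash is shown for contrast: because customer IDs come from a small space, it can be reversed by a dictionary attack and is not an adequate safeguard.

```python
"""Keyed pseudonymisation of a customer database before statistical use.

Added example. Records, field names and key handling are constructed
for illustration and are not taken from any real system.
"""
import hashlib
import hmac
import secrets

# Constructed sample of the marketing database (not real customers).
CUSTOMER_DB = [
    {"customer_id": 1001, "email": "alice@example.com", "address": "1 Main St",
     "age": 34,
     "orders": [{"month": "2024-01", "category": "boots", "amount": 120.0},
                {"month": "2024-03", "category": "sneakers", "amount": 80.0}]},
    {"customer_id": 1002, "email": "bob@example.com", "address": "2 Side Rd",
     "age": 51,
     "orders": [{"month": "2024-01", "category": "sandals", "amount": 40.0}]},
]

# The only order fields the statistics purpose needs (data minimisation).
STATS_FIELDS = ("month", "category", "amount")


def pseudonym(identifier, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is held by the controller, separately from the statistics
    dataset, so nobody with only the dataset (or only the customer ID)
    can link a pseudonym back to a person.
    """
    return hmac.new(key, str(identifier).encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier) -> str:
    """Plain SHA-256 of the identifier: shown for contrast only.

    Anyone can recompute it, so for small identifier spaces it is
    reversible by trying candidates (see dictionary_attack).
    """
    return hashlib.sha256(str(identifier).encode()).hexdigest()


def dictionary_attack(target: str, candidates, hash_fn):
    """Return the candidate whose hash_fn output equals target, or None."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


def pseudonymise_for_statistics(db, key: bytes):
    """One flat row per order, carrying only STATS_FIELDS plus a pseudonym.

    E-mail, address and age never reach the statistics dataset.
    """
    rows = []
    for customer in db:
        pid = pseudonym(customer["customer_id"], key)
        for order in customer["orders"]:
            row = {field: order[field] for field in STATS_FIELDS}
            row["pseudonym"] = pid
            rows.append(row)
    return rows


def spend_per_pseudonym(rows):
    """Example statistic that still works on pseudonymised rows."""
    totals = {}
    for row in rows:
        totals[row["pseudonym"]] = totals.get(row["pseudonym"], 0.0) + row["amount"]
    return totals


if __name__ == "__main__":
    # Generated once and kept in a key store; never shipped with the dataset.
    key = secrets.token_bytes(32)
    stats_rows = pseudonymise_for_statistics(CUSTOMER_DB, key)
    for row in stats_rows:
        print(row)
    print(spend_per_pseudonym(stats_rows))
    # An attacker holding the dataset but not the key cannot resolve pseudonyms
    # by guessing customer IDs, whereas the unkeyed hash falls immediately.
    target = stats_rows[0]["pseudonym"]
    print("keyed:", dictionary_attack(target, range(1000, 1100), unkeyed_hash))
    print("unkeyed:", dictionary_attack(unkeyed_hash(1001), range(1000, 1100), unkeyed_hash))
```

Rotating the key, or using a per-purpose key, yields unlinkable pseudonyms across datasets, which is what you want when the same customer base feeds several compatible purposes.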
3. Data minimisation
The data minimisation principle requires an enterprise to only collect personal data which is truly necessary for the specified processing purposes.
Therefore, it is useful to identify, in advance, the minimum amount of personal data needed to fulfil the enterprise’s purpose.
Example: To perform a delivery, a footwear manufacturer collects its customers' addresses, but it must not collect, for example, customers' ages, as these are unrelated to the purpose for which the data is collected.
4. Accuracy
According to the GDPR's accuracy principle, legal entities, including micro-enterprises, must ensure that the personal data they keep is accurate and kept up to date, to the extent that is reasonable. This is because, under certain circumstances, inaccurate data can cause significant harm to the individual, especially where special categories of data are concerned (e.g. health or political beliefs).
E.g.: Inaccurate data provided to a credit information bureau on a person's debt can negatively affect that person’s future chances to obtain a loan.
The extent to which data should be kept accurate depends on the purpose of data processing. For example, in case of a medical record, every possible step must be taken to ensure that the records are up to date, while an enterprise should not take extreme actions (e.g. tracking customers) to update information in a less important context, such as marketing.
E.g.: The enterprise should update an employee's payroll data when it gives the employee a pay rise, or a customer's delivery address, to ensure that purchased products are delivered to the right place.
5. Storage limitation
The storage limitation principle requires that personal data must not be maintained for longer than is necessary to fulfil the goal of their collection. Data must be erased when the data processing purpose is achieved. This means that storing any data longer than necessary is not permitted.
6. Integrity and confidentiality
Protection of personal data against unauthorised or unlawful processing, accidental loss, destruction or damage is at the core of the principle of integrity and confidentiality. The GDPR requires enterprises to ensure that personal data is not available to everyone within the organisation, but only to those who actually have to work with the data. Personal data must also be protected against external actors and third parties.
The intensity of security measures is directly linked to the potential risk of the data processing operations (the GDPR follows a risk-based approach).
Note that before deciding what measures are appropriate to guarantee data security, your enterprise should assess potential information risks depending on the enterprise’s size, on the amount and nature of the processed personal data, as well as on how the data are used!
7. Accountability
The principle of accountability entails two obligations: an obligation to ensure compliance and an obligation to be able to demonstrate it.
All the necessary technical and organisational measures should be adopted and evidence thereof should be kept.
There is no list of specific means to prove GDPR compliance, but the GDPR does, under certain circumstances, require you to keep records of your data processing activities, to appoint a data protection officer (DPO) and to conduct data protection impact assessments (DPIAs). These can serve as proof of compliance.
Time for action!
What is your enterprise's lawful basis for personal data collection? Check:
If all your enterprise's data processing operations are brought to the attention of the individuals concerned;
If personal data is only being collected for specific, currently existing processing purposes and not for unclear future needs;
If your enterprise only processes the minimum amount of data necessary to fulfil its processing purpose(s);
If the personal data held by your enterprise is accurate and up to date;
If all personal data for which the purpose(s) of collection has been achieved, or which is no longer relevant, is deleted;
If personal data is only accessible to individuals within the enterprise who actually need to have access;
If your enterprise has made the necessary technical and organisational efforts to meet the GDPR principles;
If your enterprise keeps records of its processing activities.