Article 5 GDPR: Difference between revisions
Revision as of 14:20, 23 September 2021
Legal Text
1. Personal data shall be:
- (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Commentary
Article 5 GDPR lays down all the guiding principles to be observed during personal data processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Some principles are further expressed or confirmed in other parts of the Regulation. For example, the transparency principle inspires Article 13 on the information to be provided before the processing. The principles of integrity and confidentiality are confirmed and specified by Article 32 on security. The same applies to one of the most innovative principles introduced by the GDPR, the accountability principle, which is further developed in Articles 24 and 25.
(1) Principles
The principles of Article 5 GDPR are (together with the need for a legal basis in Article 6 GDPR) the "bottleneck" for the legality of any processing operation. Any controller or processor must comply with all elements of Article 5 GDPR.[1]
(a) Lawfulness, Fairness and Transparency
Lawful
In order to be “lawful”, a processing operation must first comply with Article 6 GDPR (not coincidentally headed “Lawfulness of processing”) and its requirement to base any processing operation on at least one of the six legal bases it exhaustively lists.[2]
Lawfulness, however, is not limited to compliance with Article 6. The European Union Agency for Fundamental Rights has affirmed that “the principle of lawful processing is also to be understood by reference to conditions for lawful limitations of the right to data protection or of the right to respect for private life in light of Article 52(1) of the Charter of Fundamental Rights of the European Union ('CPR') and of Article 8(2) ECHR”.[3]
Therefore, any processing that violates the GDPR or any national provision is unlawful.[4]
Fair
The fairness element is an overall requirement that is inherently vague. Indeed, whether a certain processing operation is "fair" depends heavily on the context. For this reason, the recent EDPB Guidelines on data protection by design and by default are particularly welcome.[5] de Terwangne and Bygrave correctly point out that the "guidelines not only provide advice on how Article 25 GDPR may be operationalised but cast light on how the core principles of Article 5 shall be understood and applied in various hypothetical scenarios. Especially noteworthy is the guidelines’ explanation of the criterion of ‘fairness’ in Article 5(1)(a)".[6]
In this perspective, the EDPB provides a non-exhaustive list of fairness elements which should always be respected while processing personal data. The list is particularly detailed and ranges from a high level of autonomy in controlling the processing to the right to fair algorithms and human intervention. Other important elements of fairness are officially recognised, such as the data subjects' expectation of a reasonable use of their data and the right not to be discriminated against or exploited as a consequence of certain psychological weaknesses. Also linked to the above is the (im)balance of power between controller and data subject, often created by certain intrusive profiling and processing operations. The EDPB also clarifies that no deception is allowed in data processing and that all options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.[7]
Deceptive forms of processing are clearly "unfair". For example, the CJEU held that secret processing can be unfair.[8] In practice, this element allows the flexibility to prohibit processing operations that violate the societal perception of overall fairness.
Transparent
The transparency principle ensures that the data subject is fully aware of the processing of any personal data. In practice, other Articles of the GDPR (for example Articles 13, 14 or 15 GDPR) ensure the concrete implementation of this principle.
Recital 39 GDPR contains a number of explanatory statements regarding the transparency principle. In particular, "it should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed." Data subjects should be "made aware of risks, rules, safeguards, and rights in relation to the processing [...] and how to exercise their rights." All information communicated should be "accessible and easy to understand" and in "clear and plain language".
(b) Purpose Limitation
The purpose of any processing operation is the "backbone" of the GDPR. It defines the scope of any processing operation. One can think of the purpose as the river banks of any legal data flow. Many articles, requirements, and principles refer to the purpose to determine the legality of a specific processing operation.
The principle of purpose limitation shall ensure that controllers do not engage in "secondary use" ("further processing") of personal data.
- Example: A doctor may not suddenly use their patient's health data for marketing purposes (secondary use).
The purpose limitation principle extends to all recipients to whom the personal data have been disclosed. This is reflected in the notification obligation outlined in Article 19 GDPR.[9]
Power and Time to Define the Purpose
The controller is free to choose one or more legal purposes for one or more processing operations. The controller may, however, not change the purpose once the data are already being processed (for exceptions see Article 6(4) GDPR). A controller should therefore choose any purpose wisely.
Specific
Because the purpose is meant to limit processing operations to a specific, pre-defined, aim, the purpose cannot be overly broad. Broad but meaningless purposes like "improving the user experience", "marketing", "research" or "IT security" are not sufficient if they are not further defined.[10]
Explicit
The purpose may not only be defined internally, but must be explicitly stated.
Legitimate
The use of personal data for the purpose must be legal. This may also include laws beyond GDPR and national data protection laws (like consumer or worker protection laws).
(c) Data Minimisation
The principle of data minimisation is closely related to the purpose. Processing of personal data that is not necessary to achieve the purpose is per se illegal. A controller must review each step of a processing operation, and also each data element, for its necessity to achieve the purpose.
- Example: An online shop may not ask for more personal details than what is necessary to deliver the product.
(d) Accuracy
All data that is processed by the controller must be objectively correct.
Duty to Keep Data Accurate
Personal data must be kept accurate in the sense of being objectively correct for the purpose of the processing operation. In certain cases, the purpose of a processing operation is to keep certain records. In such cases, personal data would become inaccurate if they were changed later. What is objectively accurate therefore depends on the purpose.
- Example: A public record (protocol) is meant to document an incident of a certain day. If elements of the record are inaccurate, they must be corrected. At the same time, the ages of the persons recorded must not be changed every time a person turns a year older.
Duty to Erase or Rectify
The controller has a duty to actively erase or rectify inaccurate personal data.
If the controller does not comply with this legal obligation, the data subject may exercise the rights under Articles 16 to 19 GDPR.
(e) Storage Limitation
The principle of storage limitation ensures a temporal limit on any processing operation. Once all purposes of a processing operation are fulfilled, the processing operation must stop. The principle of storage limitation is an addition to the general principle of purpose limitation.
Deletion or Anonymisation
The data can be deleted or anonymised. The latter means that any link between the data and the relevant person must be removed. Once the data does not relate to an identifiable person, Article 5(1)(e) GDPR is complied with.
Duty to Delete Data
The GDPR imposes an active duty on the controller to delete data. A controller may not wait for an action by the data subject (e.g. a request under Article 17 GDPR) but must proactively delete information. In practice, the principle requires that the controller implements deletion routines or automatic deletion systems.
Deadlines
The time of any deletion depends on the purpose. In many cases there are fixed legal deadlines, such as record-keeping duties or the statute of limitations, that determine the need to keep data. In other cases the deletion depends on other factual elements (for example a customer cancelling a contract) that make continued processing irrelevant for the purpose.
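As an added illustration (not part of the original commentary), a deletion routine of the kind the storage limitation section describes: every record carries its processing purpose, every purpose has a retention rule with either a fixed deadline or an event trigger, expired records are erased or anonymised, and a log is kept as the written trace of compliance. The purposes, retention periods and records are constructed for the example and are not legal requirements.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed retention rules, one per processing purpose. A rule counts from a
# fixed reference date (a legal record-keeping duty) or from an event (the
# customer cancelling the contract) and names the action once the period has
# run: erase, or anonymise by removing every field linking the record to an
# identifiable person. The periods are illustrative, not legal requirements.
@dataclass(frozen=True)
class RetentionRule:
    retain_for: timedelta
    trigger: str  # "collected" (fixed deadline) or "contract_ended" (event)
    action: str   # "erase" or "anonymise"

@dataclass
class Record:
    record_id: str
    purpose: str
    collected: date
    contract_ended: Optional[date] = None
    personal: dict = field(default_factory=dict)  # identifying fields
    anonymised: bool = False

RULES = {
    "invoicing": RetentionRule(timedelta(days=10 * 365), "collected", "erase"),
    "customer_account": RetentionRule(timedelta(days=30), "contract_ended", "erase"),
    "service_statistics": RetentionRule(timedelta(0), "contract_ended", "anonymise"),
}

def enforce_retention(records, today):
    """Apply RULES. Returns (kept, erased_ids, log); the log is the written
    trace the controller keeps to demonstrate compliance (Article 5(2))."""
    kept, erased, log = [], [], []
    for rec in records:
        rule = RULES.get(rec.purpose)
        if rule is None:  # undefined purpose: flag for review, never guess
            log.append(f"{rec.record_id}: no rule for purpose '{rec.purpose}', review")
            kept.append(rec)
            continue
        start = rec.collected if rule.trigger == "collected" else rec.contract_ended
        if start is None or start + rule.retain_for > today:
            kept.append(rec)  # event not yet occurred, or period still running
            continue
        if rule.action == "anonymise":
            rec.personal, rec.anonymised = {}, True
            kept.append(rec)
        else:
            erased.append(rec.record_id)
        log.append(f"{rec.record_id}: {rule.action}d ({rec.purpose}, due {start + rule.retain_for})")
    return kept, erased, log

# Constructed sample records, evaluated on the page's revision date.
SAMPLE = [Record("r1", "invoicing", date(2010, 1, 1), personal={"name": "A"}),
          Record("r2", "customer_account", date(2019, 1, 1), date(2021, 8, 1), {"email": "b@x"}),
          Record("r3", "service_statistics", date(2020, 1, 1), date(2021, 9, 1), {"ip": "203.0.113.5"}),
          Record("r4", "marketing", date(2020, 1, 1), personal={"name": "D"})]

def run_sample():
    return enforce_retention(SAMPLE, date(2021, 9, 23))
```

Running it erases the expired invoice and the cancelled account, strips the identifying field from the statistics record, and flags the record whose purpose has no rule for manual review rather than silently keeping it.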
(f) Integrity and Confidentiality
The GDPR requires technical and organisational measures to ensure that data is neither lost nor destroyed.
Integrity
A data subject may be harmed not only by the processing of personal data but also by the loss of data. If a hospital, for example, loses personal data of a patient, the patient may get incorrect treatment. The controller must ensure that data is not wrongly deleted or altered. Threats to the integrity of personal data may come from the controller, from third parties or from an accident.
Confidentiality
The controller must also take technical and organisational measures to ensure that personal data is not wrongly disclosed, compromised or lost. The requirements for data security are further defined in Article 32 GDPR.
→ See Article 32 GDPR
(2) Accountability
Responsibility
The first part of Article 5(2) highlights that the controller is responsible for complying with Article 5(1) GDPR as well as with all other relevant provisions of the GDPR. More detailed provisions about the responsibilities of the controller can be found throughout the GDPR, e.g. Article 24 GDPR.
Burden of Proof
In addition to being responsible, the controller also has to be able to demonstrate compliance with the law. The provision does not further specify how a controller has to demonstrate compliance, as this is highly dependent on the processing operation and the type of organisation.
In most cases, written documentation will be used to demonstrate compliance. If applicable, a record of processing activities (see Article 30 GDPR) is a typical means to demonstrate compliance.
Decisions
→ You can find all related decisions in Category:Article 5 GDPR
References
- ↑ However, the data processing principles can be restricted by Union or Member State law under the conditions set forth in Article 23 GDPR.
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin numbers 8-12 (Beck 2020, 3rd ed.) (accessed 22 April 2021).
- ↑ de Terwangne, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 5 GDPR, p. 314 (Oxford University Press 2020).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin numbers 8-12 (Beck 2020, 3rd ed.) (accessed 7 May 2021).
- ↑ EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020 (Version 2.0).
- ↑ de Terwangne, Bygrave, in Kuner et al., The EU General Data Protection Regulation (GDPR) [Update of Selected Articles - May 2021] Article 5 GDPR, p. 68 (Oxford University Press 2020).
- ↑ EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020 (Version 2.0), p. 18.
- ↑ CJEU, 1 October 2015, Bara, C-201/14 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=168943&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=114422).
- ↑ Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 5 GDPR, margin numbers 29-31 (Beck 2021, 3rd ed.) (accessed 7 May 2021).
- ↑ WP29, Opinion 03/2013 on purpose limitation, 2 April 2013, p. 16.