Difference between revisions of "Article 5 GDPR"

From GDPRhub
Line 215: Line 215:
  
 
==Commentary==
 
==Commentary==
 
 
===Principles===
 
===Principles===
 
The principles of Article 5 are (together with the need for a legal basis in [[Article 6 GDPR|Article 6]]) the "bottleneck" for the legality of any processing operation.  
 
The principles of Article 5 are (together with the need for a legal basis in [[Article 6 GDPR|Article 6]]) the "bottleneck" for the legality of any processing operation.  
Line 223: Line 222:
 
The principles are written in a "''tech neutral''" way and are meant to apply independent of technological change. Accordingly, the principles can be traced back to the first data protection laws in the 70ies and 80ies.
 
The principles are written in a "''tech neutral''" way and are meant to apply independent of technological change. Accordingly, the principles can be traced back to the first data protection laws in the 70ies and 80ies.
  
====(a) Lawfulness, fairness and transparency====
+
===(a) Lawfulness, fairness and transparency===
  
=====Lawful=====
+
====Lawful====
 
In a narrow understanding of the lawfulness requirement, it is understood to be a mere reference to [[Article 6 GDPR#1|Article 6(1)]] and its requirement to base any processing operation on at least one of the six legal bases it exhaustively lists.
 
In a narrow understanding of the lawfulness requirement, it is understood to be a mere reference to [[Article 6 GDPR#1|Article 6(1)]] and its requirement to base any processing operation on at least one of the six legal bases it exhaustively lists.
  
 
In a broader understanding of the lawfulness requirement, any processing that violates the GDPR or any national provision would render the processing of data illegal. For example, this would include the lack of information under [[Article 13 GDPR|Articles 13]] or [[Article 14 GDPR|14]].  
 
In a broader understanding of the lawfulness requirement, any processing that violates the GDPR or any national provision would render the processing of data illegal. For example, this would include the lack of information under [[Article 13 GDPR|Articles 13]] or [[Article 14 GDPR|14]].  
  
=====Fair=====
+
====Fair====
 
The fairness element is an overall requirement that is inherently vague. What is fair and what is not highly depends on the context. Deceptive forms of processing are clearly "unfair". In [[CJEU - C-201/14 - Bara]], the CJEU held that secret processing can be unfair. In practice, this element allows the flexibility to prohibit processing operations that violate the societal perception of overall fairness.
 
The fairness element is an overall requirement that is inherently vague. What is fair and what is not highly depends on the context. Deceptive forms of processing are clearly "unfair". In [[CJEU - C-201/14 - Bara]], the CJEU held that secret processing can be unfair. In practice, this element allows the flexibility to prohibit processing operations that violate the societal perception of overall fairness.
  
=====Transparent=====
+
====Transparent====
 
The transparency principle shall ensure the that data subject is fully aware of the processing of any personal data. In practice, other Articles of the GDPR (for example [[Article 13 GDPR|Article 13]], [[Article 14 GDPR|14]] or [[Article 15 GDPR|15]]) ensure the concrete implementation of this principle.
 
The transparency principle shall ensure the that data subject is fully aware of the processing of any personal data. In practice, other Articles of the GDPR (for example [[Article 13 GDPR|Article 13]], [[Article 14 GDPR|14]] or [[Article 15 GDPR|15]]) ensure the concrete implementation of this principle.
  
====(b) Purpose limitation====
+
===(b) Purpose limitation===
 
The purpose of any processing operation is the "backbone" of the GDPR. It defines the scope of any processing operation. One can think of the purpose as the ''river banks of any legal data flow''. Many articles, requirements, and principles refer to the purpose to determine the legality of a specific processing operation.
 
The purpose of any processing operation is the "backbone" of the GDPR. It defines the scope of any processing operation. One can think of the purpose as the ''river banks of any legal data flow''. Many articles, requirements, and principles refer to the purpose to determine the legality of a specific processing operation.
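Review bot: Promoting "(a) Lawfulness, fairness and transparency" and "(b) Purpose limitation" to === makes them siblings of "===Principles===" instead of subsections beneath it, so the intro paragraphs under Principles no longer contain the individual principles; please confirm the flatter outline is intended for the whole Commentary section. While this block is being touched, the Transparent paragraph still reads "shall ensure the that data subject", which should be "shall ensure that the data subject".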
  
Line 243: Line 242:
 
::<u>Example:</u> A doctor may not suddenly use their patient's health data for marketing purposes (secondary use)
 
::<u>Example:</u> A doctor may not suddenly use their patient's health data for marketing purposes (secondary use)
  
=====Power and time to define the purpose=====
+
====Power and time to define the purpose====
 
The controller has every freedom to choose one or more legal purpose for one or more processing operations. The controller may, however, not change the purpose when the data is already processed (exceptions, see [[Article 6 GDPR#4|Article 6(4)]] GDPR). A controller should therefore choose any purpose wisely.
 
The controller has every freedom to choose one or more legal purpose for one or more processing operations. The controller may, however, not change the purpose when the data is already processed (exceptions, see [[Article 6 GDPR#4|Article 6(4)]] GDPR). A controller should therefore choose any purpose wisely.
  
=====Specific=====
+
====Specific====
 
Because the purpose is meant to limit processing operations to a specific, pre-defined, aim, the purpose cannot be overly broad. Broad but meaningless purposes like "improving the user experience", "marketing", "research" or "IT security" are not sufficient if they are not further defined.<ref>Article 29 Working Party, Opinion 3/2013, WP 203</ref>
 
Because the purpose is meant to limit processing operations to a specific, pre-defined, aim, the purpose cannot be overly broad. Broad but meaningless purposes like "improving the user experience", "marketing", "research" or "IT security" are not sufficient if they are not further defined.<ref>Article 29 Working Party, Opinion 3/2013, WP 203</ref>
  
Line 252: Line 251:
 
The purpose may not only be defined internally, but must be explicitly stated.
 
The purpose may not only be defined internally, but must be explicitly stated.
  
=====Legitimate=====
+
====Legitimate====
 
The use of personal data for the purpose must be legal. This may also include laws beyond GDPR and national data protection laws (like consumer or worker protection laws).
 
The use of personal data for the purpose must be legal. This may also include laws beyond GDPR and national data protection laws (like consumer or worker protection laws).
  
====(c) Data minimisation====
+
===(c) Data minimisation===
 
The principle of data minimisation is closely related to the purpose. Processing of personal data that is not necessary to achieve the purpose is ''per se'' illegal. A controller must review each step of a processing operation and also each data element towards the necessity to achieve the purpose.
 
The principle of data minimisation is closely related to the purpose. Processing of personal data that is not necessary to achieve the purpose is ''per se'' illegal. A controller must review each step of a processing operation and also each data element towards the necessity to achieve the purpose.
  
 
::<u>Example:</u> An online shop may not ask for more personal details than what is necessary to deliver the product.
 
::<u>Example:</u> An online shop may not ask for more personal details than what is necessary to deliver the product.
  
====(d) Accuracy====
+
===(d) Accuracy===
 
All data that is processed by the controller must be ''objectively'' correct.
 
All data that is processed by the controller must be ''objectively'' correct.
  
=====Duty to keep data accurate=====
+
====Duty to keep data accurate====
 
Personal data must be kept accurate insofar as being objectively correct for the purpose of the processing operation. In certain cases, the purpose of a processing operation is to keep certain records. In such cases, personal data would become ''inaccurate'' if they would be changed later. What is objectively accurate therefore depends on the purpose.
 
Personal data must be kept accurate insofar as being objectively correct for the purpose of the processing operation. In certain cases, the purpose of a processing operation is to keep certain records. In such cases, personal data would become ''inaccurate'' if they would be changed later. What is objectively accurate therefore depends on the purpose.
  
 
::<u>Example:</u> A public protocol is meant to record an incident of a certain day. If elements of the protocol are inaccurate, they must be corrected. At the same time, the age of the persons may not be changed every time a person turns a year older.
 
::<u>Example:</u> A public protocol is meant to record an incident of a certain day. If elements of the protocol are inaccurate, they must be corrected. At the same time, the age of the persons may not be changed every time a person turns a year older.
  
=====Duty to erase or rectify=====
+
====Duty to erase or rectify====
 
The controller has a duty to actively erase or rectify inaccurate personal data.
 
The controller has a duty to actively erase or rectify inaccurate personal data.
  
 
If the controller does not comply with this legal obligation, the data subject may exercise the rights under [[Article 16 GDPR|Articles 16]] to [[Article 19 GDPR|19]].
 
If the controller does not comply with this legal obligation, the data subject may exercise the rights under [[Article 16 GDPR|Articles 16]] to [[Article 19 GDPR|19]].
  
====(e) Storage limitation====
+
===(e) Storage limitation===
 
The principle of storage limitation ensures a temporary limit on any processing operation. Once all purposes of a processing operation are fulfilled, the processing operation must stop. The principle of storage limitation is an addition to the general principle of purpose limitation.
 
The principle of storage limitation ensures a temporary limit on any processing operation. Once all purposes of a processing operation are fulfilled, the processing operation must stop. The principle of storage limitation is an addition to the general principle of purpose limitation.
  
=====Deletion or anonymization=====  
+
====Deletion or anonymization====
 
The data can be deleted or anonymized, which means that any link between the data and the relevant person must be removed. Once the data does not relate to an identifiable person, Article 5(1)(e) is complied with.
 
The data can be deleted or anonymized, which means that any link between the data and the relevant person must be removed. Once the data does not relate to an identifiable person, Article 5(1)(e) is complied with.
  
=====Duty to delete data=====  
+
====Duty to delete data====
 
GDPR imposes an active duty on the controller to delete data. A controller may not wait for an action by the data subject (e.g. under [[Article 17 GDPR]]) but must proactively delete information. In practice, the principle required that the controller implements deletion routines or automatic deletion systems.  
 
GDPR imposes an active duty on the controller to delete data. A controller may not wait for an action by the data subject (e.g. under [[Article 17 GDPR]]) but must proactively delete information. In practice, the principle required that the controller implements deletion routines or automatic deletion systems.  
  
=====Deadlines=====  
+
====Deadlines====  
 
The time of any deletion depends on the purpose. In many cases there are fixed legal deadlines, like record keeping duties or the statute of limitations that determine the need to keep data. In other cases the deletion depends on other factual elements (for example when a customer cancels a contract) that make continuous processing irrelevant for the purpose.
 
The time of any deletion depends on the purpose. In many cases there are fixed legal deadlines, like record keeping duties or the statute of limitations that determine the need to keep data. In other cases the deletion depends on other factual elements (for example when a customer cancels a contract) that make continuous processing irrelevant for the purpose.
  
====(e) Integrity and confidentiality====
+
===(e) Integrity and confidentiality===
 
GDPR requires technical and organizational measures to ensure that data is neither lost nor destroyed.
 
GDPR requires technical and organizational measures to ensure that data is neither lost nor destroyed.
  
=====Integrity=====
+
====Integrity====
 
A data subject may not only be harmed by processing of personal data but also from loss of data. If a hospital, for example, loses personal data of a patient, the patient may get wrong treatment. The controller must ensure that data is not falsely deleted or altered. Threats to the integrity of personal data may be coming from the controller, third parties or from an accident.  
 
A data subject may not only be harmed by processing of personal data but also from loss of data. If a hospital, for example, loses personal data of a patient, the patient may get wrong treatment. The controller must ensure that data is not falsely deleted or altered. Threats to the integrity of personal data may be coming from the controller, third parties or from an accident.  
  
=====Confidentiality=====
+
====Confidentiality====
 
The controller must also take technical and organizations measures that personal data is not falsely disclosed, hacked or lost. The requirements for data security are further defined in [[Article 32 GDPR]].
 
The controller must also take technical and organizations measures that personal data is not falsely disclosed, hacked or lost. The requirements for data security are further defined in [[Article 32 GDPR]].
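Review bot: The heading "(e) Integrity and confidentiality" near the end of this hunk keeps the same letter as "(e) Storage limitation" a few headings earlier, so after the change the section has two principles labelled (e); the second should be "(f)". The new "====Deadlines====" line also carries trailing whitespace that the other promoted headings dropped, and "the principle required that the controller implements" under "Duty to delete data" should be in the present tense.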
  

Revision as of 07:50, 7 May 2021

Article 5: Principles

Legal Text

Article 5 - Principles relating to processing of personal data

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Relevant Recitals

Recital (50)

The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

Recital (157)

By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services. In order to facilitate scientific research, personal data can be processed for scientific research purposes, subject to appropriate conditions and safeguards set out in Union or Member State law.

Commentary

Principles

The principles of Article 5 are (together with the need for a legal basis in Article 6) the "bottleneck" for the legality of any processing operation.

The data subject cannot "waive" these principles, as compliance with these principles is required by law. Any controller must comply with all elements of Article 5.

The principles are written in a "tech neutral" way and are meant to apply independently of technological change. Accordingly, the principles can be traced back to the first data protection laws of the 1970s and 1980s.

(a) Lawfulness, fairness and transparency

Lawful

Narrowly understood, the lawfulness requirement is a mere reference to Article 6(1) and its requirement to base any processing operation on at least one of the six legal bases it exhaustively lists.

More broadly understood, any violation of the GDPR or of any national provision would render the processing of data illegal. For example, this would include the lack of information under Articles 13 or 14.

Fair

The fairness element is an overall requirement that is inherently vague. What is fair and what is not depends heavily on the context. Deceptive forms of processing are clearly "unfair". In CJEU - C-201/14 - Bara, the CJEU held that secret processing can be unfair. In practice, this element allows the flexibility to prohibit processing operations that violate the societal perception of overall fairness.

Transparent

The transparency principle shall ensure that the data subject is fully aware of the processing of any personal data. In practice, other Articles of the GDPR (for example Article 13, 14 or 15) ensure the concrete implementation of this principle.

(b) Purpose limitation

The purpose of any processing operation is the "backbone" of the GDPR. It defines the scope of any processing operation. One can think of the purpose as the river banks of any legal data flow. Many articles, requirements, and principles refer to the purpose to determine the legality of a specific processing operation.

The principle of purpose limitation shall ensure that controllers do not engage in "secondary use" ("further processing") of personal data.

Example: A doctor may not suddenly use their patient's health data for marketing purposes (secondary use).

Power and time to define the purpose

The controller is free to choose one or more legal purposes for one or more processing operations. The controller may not, however, change the purpose once the data is already processed (for exceptions, see Article 6(4) GDPR). A controller should therefore choose any purpose wisely.

Specific

Because the purpose is meant to limit processing operations to a specific, pre-defined aim, the purpose cannot be overly broad. Broad but meaningless purposes like "improving the user experience", "marketing", "research" or "IT security" are not sufficient if they are not further defined.[1]

Explicit

The purpose may not only be defined internally, but must be explicitly stated.

Legitimate

The use of personal data for the purpose must be legal. This may also include laws beyond GDPR and national data protection laws (like consumer or worker protection laws).

(c) Data minimisation

The principle of data minimisation is closely related to the purpose. Processing of personal data that is not necessary to achieve the purpose is per se illegal. A controller must review each step of a processing operation, and each data element, for its necessity to achieve the purpose.

Example: An online shop may not ask for more personal details than what is necessary to deliver the product.

(d) Accuracy

All data that is processed by the controller must be objectively correct.

Duty to keep data accurate

Personal data must be kept accurate insofar as being objectively correct for the purpose of the processing operation. In certain cases, the purpose of a processing operation is to keep certain records. In such cases, personal data would become inaccurate if they were changed later. What is objectively accurate therefore depends on the purpose.

Example: A public protocol is meant to record an incident of a certain day. If elements of the protocol are inaccurate, they must be corrected. At the same time, the age of the persons may not be changed every time a person turns a year older.

Duty to erase or rectify

The controller has a duty to actively erase or rectify inaccurate personal data.

If the controller does not comply with this legal obligation, the data subject may exercise the rights under Articles 16 to 19.

(e) Storage limitation

The principle of storage limitation ensures a temporal limit on any processing operation. Once all purposes of a processing operation are fulfilled, the processing operation must stop. The principle of storage limitation is an addition to the general principle of purpose limitation.

Deletion or anonymization

The data can be deleted or anonymized, which means that any link between the data and the relevant person must be removed. Once the data does not relate to an identifiable person, Article 5(1)(e) is complied with.

Duty to delete data

GDPR imposes an active duty on the controller to delete data. A controller may not wait for an action by the data subject (e.g. under Article 17 GDPR) but must proactively delete information. In practice, the principle requires that the controller implement deletion routines or automatic deletion systems.

Deadlines

The time of any deletion depends on the purpose. In many cases there are fixed legal deadlines, like record keeping duties or the statute of limitations, that determine the need to keep data. In other cases the deletion depends on other factual elements (for example when a customer cancels a contract) that make continued processing irrelevant for the purpose.

(f) Integrity and confidentiality

GDPR requires technical and organizational measures to ensure that data is neither lost nor destroyed.

Integrity

A data subject may be harmed not only by the processing of personal data but also by the loss of data. If a hospital, for example, loses personal data of a patient, the patient may receive the wrong treatment. The controller must ensure that data is not wrongly deleted or altered. Threats to the integrity of personal data may come from the controller, from third parties or from an accident.

Confidentiality

The controller must also take technical and organizational measures to ensure that personal data is not wrongly disclosed, hacked or lost. The requirements for data security are further defined in Article 32 GDPR.

→ See Article 32 GDPR

Accountability

Responsibility

The first part of Article 5(2) highlights that the controller is responsible for complying with Article 5(1) as well as with all other relevant provisions of the GDPR. More detailed provisions about the responsibilities of the controller can be found throughout the GDPR, e.g. Article 24 GDPR.

Burden of proof

In addition to being responsible, the controller also has to be able to demonstrate compliance with the law. The provision does not further specify how a controller has to demonstrate compliance, as this is highly dependent on the processing operation and the type of organization.

In most cases, written documentation will be used to demonstrate compliance. If applicable, a record of processing activities (see Article 30 GDPR) is a typical means to demonstrate compliance.

Decisions

→ You can find all related decisions in Category:Article 5 GDPR

References

  1. Article 29 Working Party, Opinion 3/2013, WP 203