Article 5 GDPR: Difference between revisions

From GDPRhub
(24 intermediate revisions by 4 users not shown)
Line 202: Line 202:


==Relevant Recitals==
==Relevant Recitals==
<span id="r57">
{{Recital/39 GDPR}}
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 39'''</div>
{{Recital/74 GDPR}}
<div class="mw-collapsible-content">
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
</div></div>


==Commentary==
==Commentary==
===Principles===
Article 5 GDPR lays down all the guiding principles to be observed during personal data processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Some principles are further expressed or confirmed in other parts of the Regulation. For example, the transparency principle inspires Article 13 on the information provided before the processing. The principles of integrity and confidentiality principle are confirmed and specified by Articles 32 on security. Same discourse for one of the most innovative principles brought by the GDPR, the accountability principle, which is further developed in Articles 24 and 25.
The principles of Article 5 are (together with the need for a legal basis in [[Article 6 GDPR|Article 6]]) the "bottleneck" for the legality of any processing operation.  


The data subject cannot "waive" these principles, as compliance with these principles is required by law. Any controller must comply with all elements of Article 5.
===(1) Principles ===
The principles of Article 5 GDPR are the "bottleneck" for the legality of any processing operation. Any controller or processor must comply with all elements of Article 5 GDPR.<ref>However, the data processing principles can be restricted by Union or Member State law under the conditions set forth in Article 23 GDPR.</ref>


The principles are written in a "''tech neutral''" way and are meant to apply independent of technological change. Accordingly, the principles can be traced back to the first data protection laws in the 70ies and 80ies.
==== Principles as interpretation tools ====


===(a) Lawfulness, fairness and transparency===
====(a) Lawfulness, Fairness and Transparency====


====Lawful====
=====Lawful=====
In a narrow understanding of the lawfulness requirement, it is understood to be a mere reference to [[Article 6 GDPR#1|Article 6(1)]] and its requirement to base any processing operation on at least one of the six legal bases it exhaustively lists.<ref>''Herbst'' in Kühling, Buchner, GDPR BDSG, Article 5 GDPR, margin numbers 8-12(Beck 2020, 3rd ed.) (accessed 7.05.2021).</ref>
In order to be “lawful” a processing should comply with Article 6 GDPR (not coincidentally headed “Lawfulness of processing”) and its requirement to base any processing operation on at least one of the six legal bases it exhaustively lists.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin numbers 8-12 (Beck 2020, 3rd ed.) (accessed 22 April 2021).</ref>  


In a broader understanding of the lawfulness requirement, any processing that violates the GDPR or any national provision would render the processing of data illegal. For example, this would include the lack of information under [[Article 13 GDPR|Articles 13]] or [[Article 14 GDPR|14]].  
Lawfulness, however, is not limited to compliance with Article 6. The European Union Agency for Fundamental Rights has affirmed that “''the principle of lawful processing is also to be understood by reference to conditions for lawful limitations of the right to data protection or of the right to respect for private life in light of Article 52(1) of the Charter of Fundamental Rights of the European Union ('CPR') and of Article 8(2) ECHR''”.<ref>''de Terwagne'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 5 GDPR, p. 314 (Oxford University Press 2020).</ref>


====Fair====
Therefore, any processing that violates the GDPR or any national provision would render the processing of data illegal. <ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin numbers 8-12 (Beck 2020, 3rd ed.) (accessed 7 May 2021).</ref>
The fairness element is an overall requirement that is inherently vague. What is fair and what is not highly depends on the context. Deceptive forms of processing are clearly "unfair". In CJEU in C-201/14 ''Bara'', the CJEU held that secret processing can be unfair. In practice, this element allows the flexibility to prohibit processing operations that violate the societal perception of overall fairness.


====Transparent====
=====Fair=====
The transparency principle shall ensure the that data subject is fully aware of the processing of any personal data. In practice, other Articles of the GDPR (for example [[Article 13 GDPR|Article 13]], [[Article 14 GDPR|14]] or [[Article 15 GDPR|15]]) ensure the concrete implementation of this principle.
The fairness element is an overall requirement that is inherently vague. Indeed, whether a certain processing operation is "fair" highly depends on the context. For these reasons, particularly welcomed are the recent EDPB Guidelines on data protection by design and by default.<ref>EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020 (Version 2.0).</ref> de Terwangne and Bygrave correctly point out that the "''guidelines not only provide advice on how Article 25 GDPR may be operationalised but cast light on how the core principles of Article 5 shall be understood and applied in various hypothetical scenarios. Especially noteworthy is the guidelines’ explanation of the criterion of ‘fairness’ in Article 5(1)(a)''".<ref>''de Terwangne, Bygrave'', in Kuner et al., The EU General Data Protection Regulation (GDPR) [Update of Selected Articles - May 2021] Article 5 GDPR, p. 68 (Oxford University Press 2020).</ref>


===(b) Purpose limitation===
In this perspective, the EDPB provides a ''non-exhaustive'' list of fairness elements which should always be respected while processing personal data. The list is particularly detailed and range from an high level of autonomy in controlling the processing to the right to fair algorithms and human intervention. Other important elements of fairness are officially recognized such as the data subjects' expectations to a reasonable use of their data, the right not be discriminated or exploited as a consequence of certain psychological weaknesses. Linked to the above seems also the controller-data subject (im)balance of power, often posed by certain intrusive profiling and processing operations. The EDPB also clarifies that no deception is allowed in data processing and that all options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.<ref>EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020 (Version 2.0), p. 18. Along the same lines, CJEU, 1 October 2015, Bara, C-201/14 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=168943&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=114422 here]).</ref>
The purpose of any processing operation is the "backbone" of the GDPR. It defines the scope of any processing operation. One can think of the purpose as the ''river banks of any legal data flow''. Many articles, requirements, and principles refer to the purpose to determine the legality of a specific processing operation.
=====Transparent=====
The transparency principle shall ensure the that data subject is fully aware of the processing of any personal data. Recital 39 GDPR contains a number of explanatory statements regarding the transparency principle. In particular, "''it should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.''" Data subjects should be "''made aware of risks, rules, safeguards, and rights in relation to the processing [...] and how to exercise their rights.''" All information communicated should be "''accessible and easy to understand''" and in "''clear and plain language''".


The principle of purpose limitation shall ensure that controllers do not engage in "secondary use" ("further processing") of personal data.
====(b) Purpose Limitation====
While the controller is free to achieve any legitimate purpose, Article 5(1)(b) sets out the principle of purpose limitation in the processing of personal data. It requires that personal data be collected for specified, explicit and legitimate purposes and ensures that, after collection, data are not used for purposes that are incompatible with the original ones.


::<u>Example:</u> A doctor may not suddenly use their patient's health data for marketing purposes (secondary use)
===== Specific =====
Because the purpose is meant to limit processing operations to a specific, pre-defined, aim, the purpose cannot be overly broad. Broad but meaningless purposes like "''improving the user experience''", "''marketing''", "''research''" or "''IT security''" are not sufficient if they are not further defined.<ref>WP29, Opinion 03/2013 on purpose limitation, 2 April 2013, p. 16 (Available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf here])</ref> The EDPB recently confirmed the above interpretation in its Guidelines on video surveillance. According to the EDPB, these monitoring purposes need to be specified for every surveillance camera in use and “[v]ideo surveillance based on the mere purpose of “safety” or “for your safety” is not sufficiently specific”.<ref>EDPB, Guidelines 3/2019 on processing of personal data through video devices, 29 January 2020 (Version 2.0).</ref>


====Power and time to define the purpose====
===== Explicit =====
The controller has every freedom to choose one or more legal purpose for one or more processing operations. The controller may, however, not change the purpose when the data is already processed (exceptions, see [[Article 6 GDPR#4|Article 6(4)]] GDPR). A controller should therefore choose any purpose wisely.
The purpose may not only be defined internally, but must be explicitly stated. This requirement is inextricably linked to the principle of transparency analysed in the previous paragraph. Indeed, a processing purpose that is made explicit (i.e. in a transparent manner) seems to be the only way to allow the data subject both a prior control (whether to accept a certain processing) and a subsequent one (hypothetically, following a request for access under Article 15 GDPR).


====Specific====
===== Legitimate =====
Because the purpose is meant to limit processing operations to a specific, pre-defined, aim, the purpose cannot be overly broad. Broad but meaningless purposes like "improving the user experience", "marketing", "research" or "IT security" are not sufficient if they are not further defined.<ref>Article 29 Working Party, Opinion 3/2013, WP 203</ref>
The use of personal data for the purpose must be legal. This may also include laws beyond GDPR and national data protection laws (like consumer or worker protection laws).


=====Explicit=====
===== Further processing =====
The purpose may not only be defined internally, but must be explicitly stated.
The principle of purpose limitation shall ensure that controllers do not engage in "secondary use" ("further processing") of personal data when such processing is incompatible with the original purpose(s). For this reason, “[p]''urposes for processing personal data should be determined from the very beginning, at the time of the collection of the personal data''”<ref>''de Terwagne'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 5 GDPR, p. 315 (Oxford University Press 2020). See also above, Section “''Specific''”.</ref>.


====Legitimate====
According to the WP29 opinion, the compatibility of the further processing must be assessed taking into account various parameters such as the relationship between the original and the further purposes, the context of the data collection, the reasonable expectation of the data subject with regard to future processing, also considering the relationship between the data subject and the controller, the impact of further processing, the necessity of further processing and the existence of adequate safeguards for the data subject.<ref>Working Party 29, Opinion 03/2013 on purpose limitation, 2 April 2013 (Version 2.0), p. 21.</ref> For example, a doctor may not suddenly use their patient's health data for marketing purposes (secondary use).
The use of personal data for the purpose must be legal. This may also include laws beyond GDPR and national data protection laws (like consumer or worker protection laws).


===(c) Data minimisation===
Failure to comply with the compatibility requirement set forth in Article 5(1)(b) of the GDPR has serious consequences: the processing of personal data in a way incompatible with the purposes specified at collection is unlawful and therefore not permitted.  
The principle of data minimisation is closely related to the purpose. Processing of personal data that is not necessary to achieve the purpose is ''per se'' illegal. A controller must review each step of a processing operation and also each data element towards the necessity to achieve the purpose.


::<u>Example:</u> An online shop may not ask for more personal details than what is necessary to deliver the product.
The above is true except than in three cases. In particular, the compatibility requirement is not needed if the further processing is (i) authorized by the data subject with their consent (Article 6(4) GDPR), (ii) based on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) GDPR or, finally, is meant for (iii) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 5(1)(b) GDPR).


===(d) Accuracy===
The purpose limitation principle extends to all recipients to whom the personal data have been disclosed. This is reflected in the notification obligation outlined in [[Article 19 GDPR]].<ref>''Frenzel'', in Paal, Pauly, DS-GVO BDSG, Article 5 GDPR, margin numbers 29-31, (Beck 2021, 3rd ed.) (accessed 7 May 21).</ref>
All data that is processed by the controller must be ''objectively'' correct.
====(c) Data Minimisation====
Unlike the previous Directive 95/46/EC, under which data processing did not have to be “excessive”, the GDPR specifies that it must be “''limited to what is necessary''” to achieve the purpose. This principle is therefore closely related to the concept of purpose and only makes sense if the latter is well defined by the controller. Once the two parameters are defined (processing and purpose), then it is possible to assess whether the processing is limited to what is necessary to achieve the purpose. If the outcome is negative (i.e. processing is excessive), the the operations are ''per se'' illegal. A controller must then review each step of a processing operation and also each data element towards the necessity to achieve the purpose. For instance, an online shop may not ask for more personal details than what is necessary to deliver the product.


====Duty to keep data accurate====
In a recent decision, the CJEU had to provide some guidance on how to assess whether a certain processing (in that case, a video surveillance system) could be considered ‘necessary’ for the purposes of the legitimate interests pursued by the controller. The Court held that the the necessity of a processing operation must be examined in conjunction with the data minimisation principle which restricts the controller's options to those "''adequate, relevant and not excessive in relation to the purposes for which they are collected''". In conclusion, the Court clarified that the controller must, amongst other things, examine "''whether it is sufficient that the video surveillance operates only at night or outside normal working hours, and block or obscure the images taken in areas where surveillance is unnecessary''".<ref>CJEU, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, 11 December 2019 (rectified 13 February 2020), § 51 (Available [https://curia.europa.eu/juris/document/document.jsf;jsessionid=4A9F71BCDFB6F507CC5D0302FA1AE329?text=&docid=221465&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=35786932 here])</ref>
Personal data must be kept accurate insofar as being objectively correct for the purpose of the processing operation. In certain cases, the purpose of a processing operation is to keep certain records. In such cases, personal data would become ''inaccurate'' if they would be changed later. What is objectively accurate therefore depends on the purpose.
====(d) Accuracy====
Article 5(1)(d) requires that data be accurate and, where necessary, kept up to date, and that all reasonable steps be taken to delete or rectify inaccurate data promptly (Recital 39).


::<u>Example:</u> A public protocol is meant to record an incident of a certain day. If elements of the protocol are inaccurate, they must be corrected. At the same time, the age of the persons may not be changed every time a person turns a year older.
Accuracy of data expresses a more general principle of the correct representation of the person at the most diverse levels and in the most diverse contexts and is one of the essential prerequisites of the right to informational self-determination.<ref>''Resta'', in Riccio, Scorza, Belisario, GDPR e Normativa Privacy - Commentario, Article 5 GDPR (Wolters Kluwer 2018), p. 59.</ref> The WP29 points out that the principle of accuracy applies not only to facts that are processed about a person, but also to value judgments, in particular forecasts and correlations.<ref>WP29, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01) (Available [https://ec.europa.eu/newsroom/article29/items/612053 here])</ref> This is particularly relevant for modern forms of automated profiling, artificial intelligence processing and self-learning systems. Indeed, value judgments can also be wrong if they are based on an erroneous factual basis, assume wrong premises or are the result of incorrect conclusions (e.g. that there is a correlation between a date and a person's solvency.<ref>''Schantz,'' in BeckOK DatenschutzR, Article 5 GDPR, margin number 27 (Beck 2020, 36th ed.) (accessed 30 September 2021).</ref>


====Duty to erase or rectify====
Which way to ensure that the data is accurate depends greatly on the circumstances of the case and the type of processing being done. Example: A public protocol is meant to record an incident of a  certain day. If elements of the protocol are inaccurate, they must be  corrected. At the same time, the age of the persons may not be changed  every time a person turns a year older.
The controller has a duty to actively erase or rectify inaccurate personal data.


If the controller does not comply with this legal obligation, the data subject may exercise the rights under [[Article 16 GDPR|Articles 16]] to [[Article 19 GDPR|19]].
Some provisions of the Regulation provide precise indications in relation to the type of intervention possible. Article 16 GDPR, for example, establishes the right of the data subject to obtain the integration of incomplete data. The following Article 17 allows the cancellation of the data in the presence of certain conditions including, for example, where the processing of that personal data is no longer necessary, or in case of revocation of consent or even if the data has been collected in an unlawful manner. In these cases, however, Article 19 GDPR provides that the exercise of rights is also communicated (with similar consequences) to all those who have received the data previously.


===(e) Storage limitation===
====(e) Storage Limitation====
The principle of storage limitation ensures a temporary limit on any processing operation. Once all purposes of a processing operation are fulfilled, the processing operation must stop. The principle of storage limitation is an addition to the general principle of purpose limitation.
The principle of storage limitation ensures a temporary limit on any processing operation. It follows that once all purposes of a processing operation are fulfilled, the processing must stop, either by deleting the data or by making it anonymous. The controller must inform the data subject about the storage period (or the criteria to define it, Article 13(2)(a) and Article 14(2)(a) GDPR) as well as ensure and demonstrate compliance with this principle (Article 5(2) GDPR). Therefore, storage periods should be defined internally before the processing begins.<ref>''Schantz,'' in BeckOK DatenschutzR, Article 5 GDPR, margin number 32 (Beck 2020, 36th ed.) (accessed 30 September 2021).</ref>


====Deletion or anonymisation====
=====Deletion of Data=====
The data can be deleted or anonymised, which means that any link between the data and the relevant person must be removed. Once the data does not relate to an identifiable person, Article 5(1)(e) is complied with.
Once the purpose has been achieved, the data must be deleted. According to Recital 39, in order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. This means that the GDPR imposes an active duty on the controller to delete data. Thus, a controller may not wait for an action by the data subject (e.g. under [[Article 17 GDPR]]) but must proactively delete information (in practice, the principle required that the controller implements deletion routines or automatic deletion systems).


====Duty to delete data====
=====Anonymization of Data=====
GDPR imposes an active duty on the controller to delete data. A controller may not wait for an action by the data subject (e.g. under [[Article 17 GDPR]]) but must proactively delete information. In practice, the principle required that the controller implements deletion routines or automatic deletion systems.  
Article 5(1)(e) prevents the controller from keeping the personal data in a form which permits identification. It follows that if the data does no longer allow for identification, the principle does not apply. This is the case of the data anonymization which consists in all the operations by which a personal data does no longer refer to a specific individual. This can be done, for example, by deleting the characteristics that identify the person from the relevant data records. In any case, the data must be changed in such a way that the identification of the data subjects is no longer possible.<ref>''Herbst'' in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin number 66 (Beck 2021, 3rd ed.) (accessed 5 November 21).</ref>


====Deadlines====  
=====Deadlines=====  
The time of any deletion depends on the purpose. In many cases there are fixed legal deadlines, like record keeping duties or the statute of limitations that determine the need to keep data. In other cases the deletion depends on other factual elements (for example when a customer cancels a contract) that make continuous processing irrelevant for the purpose.
The time of any deletion depends on the purpose. In many cases there are fixed legal deadlines, like record keeping duties or the statute of limitations that determine the need to keep data. In other cases the deletion depends on other factual elements (for example when a customer cancels a contract) that make continuous processing irrelevant for the purpose.


===(e) Integrity and confidentiality===
===== Exception =====
The GDPR requires technical and organisational measures to ensure that data is neither lost nor destroyed.
An exception to the principle of storage limitation is contained in the last part of Article 5(1)(d) in favor of processing for archiving, statistical, scientific and historical research purposes. In these cases, the GDPR allows "longer periods" of storage and in so doing takes into account the social interest in a functioning research and the preservation of the collective memory. In order for the exception to apply, however, technical and organizational measures must be put in place, as set out in Article 89(1).<ref>''Schantz, i''n BeckOK DatenschutzR, Article 5 GDPR, margin number 34 (Beck 2020, 36th ed.) (accessed 30 September 2021).</ref>


====Integrity====
====(f) Integrity and Confidentiality====
The integrity and confidentiality principle reflects the interest of personal data being processed in a manner that ensures their appropriate security, "''including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage''". The GDPR requires "''appropriate technical and organisational measures''" to ensure that data is neither lost nor destroyed. Chapter IV of the GDPR develops this duty of security in more detail, including the new requirement of notifying personal data breaches to the competent data protection and, where applicable, to the data subjects.
 
=====Integrity=====
A data subject may not only be harmed by processing of personal data but also from loss of data. If a hospital, for example, loses personal data of a patient, the patient may get incorrect treatment. The controller must ensure that data is not falsely deleted or altered. Threats to the integrity of personal data may come from the controller, third parties or from an accident.  
A data subject may not only be harmed by processing of personal data but also from loss of data. If a hospital, for example, loses personal data of a patient, the patient may get incorrect treatment. The controller must ensure that data is not falsely deleted or altered. Threats to the integrity of personal data may come from the controller, third parties or from an accident.  


====Confidentiality====
=====Confidentiality=====
The controller must also take technical and organisations measures to ensure that personal data is not falsely disclosed, hacked or lost. The requirements for data security are further defined in [[Article 32 GDPR]].
Confidentiality aims to protect the data against unauthorized access and thus against unauthorized processing. The controller must therefore also implement technical and organizational measures to ensure that personal data is not falsely disclosed, hacked or lost. This includes that unauthorized persons have neither access to the data nor to the devices with which they are processed (Recital 39). The requirements for data security are further defined in [[Article 32 GDPR]].
 
→ See [[Article 32 GDPR]]
 
===Accountability===


====Responsibility====
===(2) Accountability ===
The first part of Article 5(2) highlights that the controller is responsible for complying with Article 5(1) as well as with all other relevant provisions of the GDPR. More detailed provisions about the responsibilities of the controller can be found throughout the GDPR, e.g. [[Article 24 GDPR]].
The first part of Article 5(2) highlights that the controller is responsible for complying with Article 5(1) GDPR as well as with all other relevant provisions of the GDPR. More detailed provisions about the responsibilities of the controller can be found throughout the GDPR, e.g. [[Article 24 GDPR]].


====Burden of proof====
In addition to being responsible, the controller also has to be able to demonstrate compliance with the law. The provision does not further specify how a controller has to demonstrate compliance, as this is highly dependent on the processing operation and the type of organization.
In addition to being responsible, the controller also has to be able to demonstrate compliance with the law. The provision does not further specify how a controller has to demonstrate compliance, as this is highly dependent on the processing operation and the type of organization.



Revision as of 13:49, 5 November 2021

Article 5: Principles
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text

Article 5 - Principles relating to processing of personal data

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).;

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Relevant Recitals

Recital 39: Principles of Data Processing
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 74: Controller Responsibility and Liability
The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

Commentary

Article 5 GDPR lays down all the guiding principles to be observed during personal data processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Some principles are further expressed or confirmed in other parts of the Regulation. For example, the transparency principle inspires Article 13 on the information provided before the processing. The principles of integrity and confidentiality principle are confirmed and specified by Articles 32 on security. Same discourse for one of the most innovative principles brought by the GDPR, the accountability principle, which is further developed in Articles 24 and 25.

(1) Principles

The principles of Article 5 GDPR are the "bottleneck" for the legality of any processing operation. Any controller or processor must comply with all elements of Article 5 GDPR.[1]

Principles as interpretation tools

(a) Lawfulness, Fairness and Transparency

Lawful

In order to be “lawful” a processing should comply with Article 6 GDPR (not coincidentally headed “Lawfulness of processing”) and its requirement to base any processing operation on at least one of the six legal bases it exhaustively lists.[2]

Lawfulness, however, is not limited to compliance with Article 6. The European Union Agency for Fundamental Rights has affirmed that “the principle of lawful processing is also to be understood by reference to conditions for lawful limitations of the right to data protection or of the right to respect for private life in light of Article 52(1) of the Charter of Fundamental Rights of the European Union ('CPR') and of Article 8(2) ECHR”.[3]

Therefore, any processing that violates the GDPR or any national provision would render the processing of data illegal. [4]

Fair

The fairness element is an overall requirement that is inherently vague. Indeed, whether a certain processing operation is "fair" highly depends on the context. For these reasons, particularly welcomed are the recent EDPB Guidelines on data protection by design and by default.[5] de Terwangne and Bygrave correctly point out that the "guidelines not only provide advice on how Article 25 GDPR may be operationalised but cast light on how the core principles of Article 5 shall be understood and applied in various hypothetical scenarios. Especially noteworthy is the guidelines’ explanation of the criterion of ‘fairness’ in Article 5(1)(a)".[6]

In this perspective, the EDPB provides a non-exhaustive list of fairness elements which should always be respected while processing personal data. The list is particularly detailed and range from an high level of autonomy in controlling the processing to the right to fair algorithms and human intervention. Other important elements of fairness are officially recognized such as the data subjects' expectations to a reasonable use of their data, the right not be discriminated or exploited as a consequence of certain psychological weaknesses. Linked to the above seems also the controller-data subject (im)balance of power, often posed by certain intrusive profiling and processing operations. The EDPB also clarifies that no deception is allowed in data processing and that all options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.[7]

Transparent

The transparency principle shall ensure the that data subject is fully aware of the processing of any personal data. Recital 39 GDPR contains a number of explanatory statements regarding the transparency principle. In particular, "it should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed." Data subjects should be "made aware of risks, rules, safeguards, and rights in relation to the processing [...] and how to exercise their rights." All information communicated should be "accessible and easy to understand" and in "clear and plain language".

(b) Purpose Limitation

While the controller is free to achieve any legitimate purpose, Article 5(1)(b) sets out the principle of purpose limitation in the processing of personal data. It requires that personal data be collected for specified, explicit and legitimate purposes and ensures that, after collection, data are not used for purposes that are incompatible with the original ones.

Specific

Because the purpose is meant to limit processing operations to a specific, pre-defined, aim, the purpose cannot be overly broad. Broad but meaningless purposes like "improving the user experience", "marketing", "research" or "IT security" are not sufficient if they are not further defined.[8] The EDPB recently confirmed the above interpretation in its Guidelines on video surveillance. According to the EDPB, these monitoring purposes need to be specified for every surveillance camera in use and “[v]ideo surveillance based on the mere purpose of “safety” or “for your safety” is not sufficiently specific”.[9]

Explicit

The purpose may not only be defined internally, but must be explicitly stated. This requirement is inextricably linked to the principle of transparency analysed in the previous paragraph. Indeed, a processing purpose that is made explicit (i.e. in a transparent manner) seems to be the only way to allow the data subject both a prior control (whether to accept a certain processing) and a subsequent one (hypothetically, following a request for access under Article 15 GDPR).

Legitimate

The use of personal data for the purpose must be legal. This may also include laws beyond GDPR and national data protection laws (like consumer or worker protection laws).

Further processing

The principle of purpose limitation shall ensure that controllers do not engage in "secondary use" ("further processing") of personal data when such processing is incompatible with the original purpose(s). For this reason, “[p]urposes for processing personal data should be determined from the very beginning, at the time of the collection of the personal data[10].

According to the WP29 opinion, the compatibility of the further processing must be assessed taking into account various parameters such as the relationship between the original and the further purposes, the context of the data collection, the reasonable expectation of the data subject with regard to future processing, also considering the relationship between the data subject and the controller, the impact of further processing, the necessity of further processing and the existence of adequate safeguards for the data subject.[11] For example, a doctor may not suddenly use their patient's health data for marketing purposes (secondary use).

Failure to comply with the compatibility requirement set forth in Article 5(1)(b) of the GDPR has serious consequences: the processing of personal data in a way incompatible with the purposes specified at collection is unlawful and therefore not permitted.

The above is true except than in three cases. In particular, the compatibility requirement is not needed if the further processing is (i) authorized by the data subject with their consent (Article 6(4) GDPR), (ii) based on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) GDPR or, finally, is meant for (iii) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 5(1)(b) GDPR).

The purpose limitation principle extends to all recipients to whom the personal data have been disclosed. This is reflected in the notification obligation outlined in Article 19 GDPR.[12]

(c) Data Minimisation

Unlike the previous Directive 95/46/EC, under which data processing did not have to be “excessive”, the GDPR specifies that it must be “limited to what is necessary” to achieve the purpose. This principle is therefore closely related to the concept of purpose and only makes sense if the latter is well defined by the controller. Once the two parameters are defined (processing and purpose), then it is possible to assess whether the processing is limited to what is necessary to achieve the purpose. If the outcome is negative (i.e. processing is excessive), the the operations are per se illegal. A controller must then review each step of a processing operation and also each data element towards the necessity to achieve the purpose. For instance, an online shop may not ask for more personal details than what is necessary to deliver the product.

In a recent decision, the CJEU had to provide some guidance on how to assess whether a certain processing (in that case, a video surveillance system) could be considered ‘necessary’ for the purposes of the legitimate interests pursued by the controller. The Court held that the the necessity of a processing operation must be examined in conjunction with the data minimisation principle which restricts the controller's options to those "adequate, relevant and not excessive in relation to the purposes for which they are collected". In conclusion, the Court clarified that the controller must, amongst other things, examine "whether it is sufficient that the video surveillance operates only at night or outside normal working hours, and block or obscure the images taken in areas where surveillance is unnecessary".[13]

(d) Accuracy

Article 5(1)(d) requires that data be accurate and, where necessary, kept up to date, and that all reasonable steps be taken to delete or rectify inaccurate data promptly (Recital 39).

Accuracy of data expresses a more general principle of the correct representation of the person at the most diverse levels and in the most diverse contexts and is one of the essential prerequisites of the right to informational self-determination.[14] The WP29 points out that the principle of accuracy applies not only to facts that are processed about a person, but also to value judgments, in particular forecasts and correlations.[15] This is particularly relevant for modern forms of automated profiling, artificial intelligence processing and self-learning systems. Indeed, value judgments can also be wrong if they are based on an erroneous factual basis, assume wrong premises or are the result of incorrect conclusions (e.g. that there is a correlation between a date and a person's solvency.[16]

Which way to ensure that the data is accurate depends greatly on the circumstances of the case and the type of processing being done. Example: A public protocol is meant to record an incident of a  certain day. If elements of the protocol are inaccurate, they must be  corrected. At the same time, the age of the persons may not be changed  every time a person turns a year older.

Some provisions of the Regulation provide precise indications in relation to the type of intervention possible. Article 16 GDPR, for example, establishes the right of the data subject to obtain the integration of incomplete data. The following Article 17 allows the cancellation of the data in the presence of certain conditions including, for example, where the processing of that personal data is no longer necessary, or in case of revocation of consent or even if the data has been collected in an unlawful manner. In these cases, however, Article 19 GDPR provides that the exercise of rights is also communicated (with similar consequences) to all those who have received the data previously.

(e) Storage Limitation

The principle of storage limitation ensures a temporary limit on any processing operation. It follows that once all purposes of a processing operation are fulfilled, the processing must stop, either by deleting the data or by making it anonymous. The controller must inform the data subject about the storage period (or the criteria to define it, Article 13(2)(a) and Article 14(2)(a) GDPR) as well as ensure and demonstrate compliance with this principle (Article 5(2) GDPR). Therefore, storage periods should be defined internally before the processing begins.[17]

Deletion of Data

Once the purpose has been achieved, the data must be deleted. According to Recital 39, in order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. This means that the GDPR imposes an active duty on the controller to delete data. Thus, a controller may not wait for an action by the data subject (e.g. under Article 17 GDPR) but must proactively delete information (in practice, the principle required that the controller implements deletion routines or automatic deletion systems).

Anonymization of Data

Article 5(1)(e) prevents the controller from keeping the personal data in a form which permits identification. It follows that if the data does no longer allow for identification, the principle does not apply. This is the case of the data anonymization which consists in all the operations by which a personal data does no longer refer to a specific individual. This can be done, for example, by deleting the characteristics that identify the person from the relevant data records. In any case, the data must be changed in such a way that the identification of the data subjects is no longer possible.[18]

Deadlines

The time of any deletion depends on the purpose. In many cases there are fixed legal deadlines, like record keeping duties or the statute of limitations that determine the need to keep data. In other cases the deletion depends on other factual elements (for example when a customer cancels a contract) that make continuous processing irrelevant for the purpose.

Exception

An exception to the principle of storage limitation is contained in the last part of Article 5(1)(d) in favor of processing for archiving, statistical, scientific and historical research purposes. In these cases, the GDPR allows "longer periods" of storage and in so doing takes into account the social interest in a functioning research and the preservation of the collective memory. In order for the exception to apply, however, technical and organizational measures must be put in place, as set out in Article 89(1).[19]

(f) Integrity and Confidentiality

The integrity and confidentiality principle reflects the interest of personal data being processed in a manner that ensures their appropriate security, "including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage". The GDPR requires "appropriate technical and organisational measures" to ensure that data is neither lost nor destroyed. Chapter IV of the GDPR develops this duty of security in more detail, including the new requirement of notifying personal data breaches to the competent data protection and, where applicable, to the data subjects.

Integrity

A data subject may not only be harmed by processing of personal data but also from loss of data. If a hospital, for example, loses personal data of a patient, the patient may get incorrect treatment. The controller must ensure that data is not falsely deleted or altered. Threats to the integrity of personal data may come from the controller, third parties or from an accident.

Confidentiality

Confidentiality aims to protect the data against unauthorized access and thus against unauthorized processing. The controller must therefore also implement technical and organizational measures to ensure that personal data is not falsely disclosed, hacked or lost. This includes that unauthorized persons have neither access to the data nor to the devices with which they are processed (Recital 39). The requirements for data security are further defined in Article 32 GDPR.

(2) Accountability

The first part of Article 5(2) highlights that the controller is responsible for complying with Article 5(1) GDPR as well as with all other relevant provisions of the GDPR. More detailed provisions about the responsibilities of the controller can be found throughout the GDPR, e.g. Article 24 GDPR.

In addition to being responsible, the controller also has to be able to demonstrate compliance with the law. The provision does not further specify how a controller has to demonstrate compliance, as this is highly dependent on the processing operation and the type of organization.

In most cases, written documentation will be used to demonstrate compliance. If applicable, a record of processing actives (see Article 30 GDPR) is a typical means to demonstrate compliance.

Decisions

→ You can find all related decisions in Category:Article 5 GDPR

References

  1. However, the data processing principles can be restricted by Union or Member State law under the conditions set forth in Article 23 GDPR.
  2. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin numbers 8-12 (Beck 2020, 3rd ed.) (accessed 22 April 2021).
  3. de Terwagne, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 5 GDPR, p. 314 (Oxford University Press 2020).
  4. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin numbers 8-12 (Beck 2020, 3rd ed.) (accessed 7 May 2021).
  5. EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020 (Version 2.0).
  6. de Terwangne, Bygrave, in Kuner et al., The EU General Data Protection Regulation (GDPR) [Update of Selected Articles - May 2021] Article 5 GDPR, p. 68 (Oxford University Press 2020).
  7. EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, 20 October 2020 (Version 2.0), p. 18. Along the same lines, CJEU, 1 October 2015, Bara, C-201/14 (available here).
  8. WP29, Opinion 03/2013 on purpose limitation, 2 April 2013, p. 16 (Available here)
  9. EDPB, Guidelines 3/2019 on processing of personal data through video devices, 29 January 2020 (Version 2.0).
  10. de Terwagne, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 5 GDPR, p. 315 (Oxford University Press 2020). See also above, Section “Specific”.
  11. Working Party 29, Opinion 03/2013 on purpose limitation, 2 April 2013 (Version 2.0), p. 21.
  12. Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 5 GDPR, margin numbers 29-31, (Beck 2021, 3rd ed.) (accessed 7 May 21).
  13. CJEU, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, 11 December 2019 (rectified 13 February 2020), § 51 (Available here)
  14. Resta, in Riccio, Scorza, Belisario, GDPR e Normativa Privacy - Commentario, Article 5 GDPR (Wolters Kluwer 2018), p. 59.
  15. WP29, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01) (Available here)
  16. Schantz, in BeckOK DatenschutzR, Article 5 GDPR, margin number 27 (Beck 2020, 36th ed.) (accessed 30 September 2021).
  17. Schantz, in BeckOK DatenschutzR, Article 5 GDPR, margin number 32 (Beck 2020, 36th ed.) (accessed 30 September 2021).
  18. Herbst in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin number 66 (Beck 2021, 3rd ed.) (accessed 5 November 21).
  19. Schantz, in BeckOK DatenschutzR, Article 5 GDPR, margin number 34 (Beck 2020, 36th ed.) (accessed 30 September 2021).