Article 5 GDPR

← Article 5: Principles →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 5 - Principles relating to processing of personal data

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).;

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Relevant Recitals

Recital 39: Principles of Data Processing

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 74: Controller Responsibility and Liability

The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

Commentary

Article 5 GDPR sets out all the guiding principles to be observed when processing personal data:

lawfulness, fairness and transparency;
purpose limitation;
data minimisation;
accuracy;
storage limitation;
integrity and confidentiality;
and accountability.

Many of these principles are the basis for more detailed Articles in different parts of the Regulation. For example:

The transparency principle is the basis for the requirement to provide information under Articles 13 and 14 GDPR.
The integrity and confidentiality principles are detailed by Article 32 GDPR on security.
The accountability principle finds its roots in Articles 24 and 25 GDPR.

(1) Principles

The principles specified by Article 5 GDPR are the main 'bottleneck' for the legality of any processing operation - together with the requirement to have a legal basis under Article 6 GDPR. Any controller or processor must comply with all elements of Article 5 GDPR for each processing operation.

(a) Lawfulness, Fairness and Transparency

Lawful

In order to be 'lawful', processing should comply with Article 6 GDPR, which requires that any processing operation must be based on at least one of the six legal bases it exhaustively lists.^[1] The principle of lawful processing is linked to the general prohibition to process personal data and is also enshrined in Article 8(2) of the Charta of Fundamental Rights ('...data ... must be processed ... on the basis of consent of the person concerned or some other legitimate basis laid down by law.'). For further details on the various legal basis for processing personal data the commentary on Article 6 GDPR.

Example: The newly appointed data protection officer asks his colleagues for the legal basis to record certain information in the system. They go through the six legal basis in Article 6(1) GDPR and realize that none of the provisions fit. The colleague argues that the controller always recorded this information and all other competitors do that too. The newly appointed data protection officer says: 'I am sorry, but 'everyone else does it' is not a legal basis'.

The principle of lawfulness does not mean that processing which violates other laws (environmental laws, tax law, employment laws), makes the processing not 'lawful' within the meaning of the GDPR, as this would for example trigger the fine of € 20 million under Article 83(4) GDPR.

Example: A controller is processing the pictures of data subjects. The controller complies with all requirements under the GDPR, but did not seek the agreement from the photographer, who is the copy right holder. The processing of data subjects' pictures is 'unlawful' under applicable copyright law, but not under the GDPR.

Fair

Fairness, is an overall requirement of the GDPR and also enshrined in Article 8(2) of the Charta of Fundamental Rights.

Concepts like 'fairness' are inherently vague, but can serve as a 'catch-all' provision for situations that may not be in violation of the letter of the law, but clearly not 'fair'. Similar 'catch-all' provisions can be found in other laws (e.g. the "Unfair" Terms Directive 93/13/EG) and are often the basis for existing case law.

Indeed, it is a highly contextual question whether a certain processing operation can be considered as fair. EDPB Guidelines 4/2019 provide a non-exhaustive list of certain elements of fairness which should always be respected while processing personal data. The list is particularly detailed and examples range from providing the data subject with a high level of autonomy in controlling the processing to the right to fair algorithms and human intervention. Other important elements of fairness are officially recognised, such as the data subjects' expectations to a reasonable use of their data, the right not be discriminated or exploited as a consequence of certain psychological weaknesses. The imbalance of power between the controller and data subject often existing in certain intrusive profiling and processing operations seems connected to these principles.^[2] The EDPB clarifies that, in order for the processing to be 'fair', no deception is allowed in data processing and that all options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.^[3]

Example: A controller only gets a 10% consent rate for the sharing of user data, as data subjects really do not want their personal data to be shared. The controller installs a task force to increase the consent rate. The controller decides to uses 'dark patterns' to trick users into giving consent, as their lawyer found not provision in the GDPR that explicitly prohibits such behavior. After making the interface more and more deceptive, the controller gets a 90% consent rate, being fully aware that data subjects just give up. The fairness principle could be used by the supervisory authority to end this practice.

Transparent

In general terms, the transparency principle requires that the data subject is fully aware of the processing of any personal data.

Recital 39 GDPR contains a number of explanatory statements regarding the transparency principle. In particular, 'it should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.' Data subjects should be 'made aware of risks, rules, safeguards, and rights in relation to the processing [...] and how to exercise their rights.' All information communicated should be 'accessible and easy to understand' and in 'clear and plain language'.

The transparency principle is closely linked to more detailed provisions. For example: Article 12(1) GDPR ensures that information must be provided in a 'concise, transparent, intelligible and easily accessible form, using clear and plain language'. Articles 13 and 14 GDPR provide for a right to get information about the planned processing, even before processing takes place. Article 15 GDPR provides for a right to access information about the actual processing of the individual's data.

(b) Purpose Limitation

The principle of purpose limitation ensures that personal data may only be processed for one or more specified purposes. Personal data that was collected for one purpose cannot freely be used for another purpose. The principle of purpose limitation is also enshrined in Article 8(2) of the Charta of Fundamental Rights.

Concepts of purpose limitation can be found in other laws as well, in relation to information obligations to ensure professional secrecy usually limit the use of information to certain contexts. Equally, many financial regulations define purposes for which funds may or may not be used.

Example: Lisa lives in a small town and visits the local doctor. Lisa tells him all details about a rush in an intimate area. The next day a friend of Lisa asks her about her rush. It turns out that the doctor spread the information at the local bar last night. The doctor violated (among other things) the purpose limitation principle, as Lisa only shared this information for treatment purposes, not for the entertainment of the local crowd.

While the controller is free to define any legitimate purpose, Article 5(1)(b) sets out the principle of purpose limitation in the processing of personal data. It requires that personal data be collected for specified, explicit and legitimate purposes and ensures that, after collection, data are not used for purposes that are incompatible with the original ones.

Collected

The purpose has to be specified in the moment the personal data is first 'collected' by the controller.^[4] Collection (see Article 4(2) GDPR) is to be understood as the first step in any processing operation. The purpose limitation principle extends to the 'further processing' by all recipients to whom the personal data have been disclosed.^[5]

Specific

The purpose is meant to limit processing operations to a specific, pre-defined, aim. Any overly broad purpose would defeat the aim of purpose limitation. A controller can however name multiple purposes.

Purposes that are too broad would undermine the protections that the purpose limitation principle tries to establish. Broad descriptions like 'improving the user experience', 'marketing', 'research' or 'IT security' are not sufficiently defined.^[6] For example, in its Guidelines on video surveillance, the EDPB clarified that monitoring purposes need to be specified for every surveillance camera in use and '[v]ideo surveillance based on the mere purpose of 'safety' or 'for your safety' is not sufficiently specific'.^[7] While a purpose may not be too broad, there is no limitation as to how specific a purpose may be. The exact level of specificity is not objectively defined in the GDPR. In many cases it is possible to split broad purposes into multiple, more specific purposes.

Example: A controller tells data subjects that their data will be used for "business purposes". To simulate a bit more specificity, the lawyers added a non-exhaustive list of more specific purpose. The clause now reads "business purposes, such as billing, fraud prevention and product improvement". Under this clause the controller can use data for basically any purpose, it is not specific enough.

Explicit

The purpose may not only be defined internally, but must be explicitly stated. Article 5(1)(b) does not foresee a certain form of documentation, but Articles 5(2) or 30(1)(a) GDPR require documentation and Articles 6(1)(a), 13(1)(c) or 14(1)(c) GDPR require to disclose the specific purpose(s) to the data subject.

Legitimate

The use of personal data for the stated purpose must be legal. This qualification includes laws beyond the GDPR and national data protection laws (like consumer or worker protection laws).

Example: An employer surveils its employees for 'efficiency reasons'. The local employment law prohibits video surveillance at the workplace without the agreement of the workers' council. The purpose is not legitimate.

Linked provisions

Many other provisions of the GDPR refer to the defined 'purpose', making the defined purpose to the 'backbone' of many steps of the legal analysis under the GDPR. Once the purpose changes, many other elements of the GDPR may lead to different results.

For example: Article 4(7) defines the controller as the natural and legal person which, alone or jointly with others, determines the 'purpose' of the processing. Article 5(1)(b) GDPR itself stipulates that personal data shall be collected only for specified, explicit and legitimate 'purposes'. Article 5(1)(d) determines the time data may be kept by referring to the purpose, Article 6(1)(a) GDPR allows consent for one or more 'specific purposes'. This makes the proper definition of purposes a crucial step for compliance with the GDPR.

Example: Peter asks customers to participate in a raffle. They can enter their email on his website. The drawing is on the 10th anniversary of his business. The purpose ('participation in a raffle') does not only have to specified for the consent to be valid, but is also determines that Peter may not process the data for any other purpose and determines that the personal data must be deleted after the 10th anniversary raffle is over. If Peter would have added another purpose (e.g. signing up to his newsletter) another consent clause may need to be added and the deletion period may be extended until such time that a customer unsubscribes from the newsletter.

Compatible further processing

The principle of purpose limitation shall ensure that controllers do not engage in 'secondary use' ('further processing') of personal data when such processing is incompatible with the original purpose(s).

Example: A doctor may not suddenly use their patient's health data for marketing purposes, as this would be a 'secondary use' that goes beyond the original purpose. However a doctor may use his records in a court procedure to proof that a patient has not paid medical bills.

The uses of the word 'incompatible' in Article 6(1)(s) of Directive 95/46/EC has however raised questions if there would also be 'compatible' purposes. Article 8(2) of the Charta of Fundamental Rights does not use the word 'incompatible', hence any departure from the principle of purpose limitation must be seen as a limitation of Charta rights under Article 52(1) of the Charta and must therefore be provided by law and are subject to a proportionality test.

The GDPR introduced the following exceptions to the principle of purpose limitation in Articles 5(1)(c) and 6(4) GDPR:

further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,
further processing allowed or required by Union or Member State law,
further processing for a compatible purpose under Article 6(4) GDPR and
further processing based on the data subject's consent.

See the commentary on Article 6(4) GDPR for details on the compatibility assessment.

(c) Data Minimisation

The principle of data minimization indirectly flows from Article 8 of the Charta, given that any interference with the fundamental right to data protection must be proportionate. The principle of proportionality, requires that any processing of personal data is 'necessary'. Unlike the previous Directive 95/46/EC, under which data processing did not have to be 'excessive', the GDPR specifies that it must be 'limited to what is necessary' to achieve the purpose. This principle of data minimization is therefore closely related to the principle of purpose limitation and only leads to accurate results if the specific purpose is well defined by the controller.

Example: An online shop requires all customers to fill out their exact birth date, to confirm that they are 18 or older. Given that the online shop cannot verify the birth dates, a simple 'yes/no' question would fulfill the same purpose, without collecting exact birth dates.

The three elements in Article 5(1)(c) GDPR are somewhat redundant and overlapping:

Personal data is 'adequate' if it is appropriate to use such data for the purpose (for example, the address of a person is not an appropriate information for credit ranking).
Personal data is 'relevant' if it leads to a different outcome in relation to the purpose (for example, the address of a customer is relevant to deliver a product).
Personal data is 'limited to what is necessary' when the purpose cannot reasonably be achieved without the processing of that personal data.

The principle of data minimization does however not mean that any processing of large data quantities is always illegal. If the use of larger quantities of personal data is the only way to achieve a purpose, a controller may use any 'necessary' data. The processing of personal data that is not necessary to achieve the purpose, is per se illegal. A controller must review each step of a processing operation and also each data element towards the necessity to achieve the purpose.

Case Law: In C-708/18 - TK v Asociaţia de Proprietari bloc M5A-ScaraA the CJEU had to provide some guidance on how to assess whether a certain processing (in that case, a video surveillance system) could be considered ‘necessary’ for the purposes of the legitimate interests pursued by the controller. The Court held that the the necessity of a processing operation must be examined in conjunction with the data minimisation principle which restricts the controller's options to those 'adequate, relevant and not excessive in relation to the purposes for which they are collected'. In conclusion, the Court clarified that the controller must, amongst other things, examine 'whether it is sufficient that the video surveillance operates only at night or outside normal working hours, and block or obscure the images taken in areas where surveillance is unnecessary'.^[8]

(d) Accuracy

Article 5(1)(d) requires that data be accurate and, where necessary, kept up to date, and that all reasonable steps be taken to delete or rectify inaccurate data promptly (Recital 39).

Accuracy of data expresses a more general principle of the correct representation of the person at the most diverse levels and in the most diverse contexts and is one of the essential prerequisites of the right to informational self-determination.^[9] The WP29 points out that the principle of accuracy applies not only to facts that are processed about a person, but also to value judgments, in particular forecasts and correlations.^[10] This is particularly relevant for modern forms of automated profiling, artificial intelligence-powered processing and machine-learning systems. Indeed, value judgements can also be wrong if they are based on an erroneous factual basis, assume wrong premises or are the result of incorrect conclusions (e.g. that there is a correlation between a date and a person's solvency).^[11] Which way to ensure that the data is accurate depends greatly on the circumstances of the case and the type of processing being done.

Example: A public protocol is meant to record an incident of a certain day. If elements of the protocol are inaccurate, they must be corrected. At the same time, the age of the persons may not be changed every time a person turns a year older.

Some provisions of the Regulation provide precise indications on which types of intervention are possible. For example, Article 16 GDPR establishes the right of the data subject to obtain the integration of incomplete data. Article 17 allows the erasure of the data if certain conditions are met, including, for example, where the processing of that personal data is no longer necessary, or in case of revocation of consent or even if the data has been collected in an unlawful manner. However, in these cases Article 19 GDPR provides that the exercise of rights is also communicated (with similar consequences) to all those who have received the data previously.

(e) Storage Limitation

The principle of storage limitation imposes a time limit on any processing operation. It follows that once all purposes of a processing operation are fulfilled, the operation must stop. The controller must inform the data subject about the storage period (or the criteria to define it, Article 13(2)(a) and Article 14(2)(a) GDPR) as well as ensure and demonstrate compliance with this principle (Article 5(2) GDPR). Storage periods should therefore be defined internally before the processing begins.^[12]

Example: XXX

Deletion or Anonymisation

Data can be deleted or anonymised by controllers. The latter means that any link between the data and the relevant person must be removed. Controllers have complied with Article 5(1)(e) once the data does not relate to an identifiable person. The GDPR imposes an active duty on the controller^[13] to delete data. The controller may not wait for an action by the data subject (e.g. under Article 17 GDPR) but must proactively delete information. In practice, the principle requires that the controller implements deletion practices or automatic deletion systems. The time by which any deletion has to be executed depends on the purpose. In many cases there are fixed legal deadlines, like record keeping duties or the statute of limitations that determine the need to retain data. In other cases, the deadline depends on other factual elements (e.g. when a customer cancels a contract) that make continuous processing irrelevant for the purpose.

Exception

An exception to the principle of storage limitation is contained in the last part of Article 5(1)(e) in favour of processing for archiving, statistical, scientific and historical research purposes. In these cases, the GDPR allows 'longer periods' of storage, and in so doing takes into account the social interest in research and the preservation of the collective memory. However, in order for the exception to apply, technical and organizational measures must be put in place, as set out in Article 89(1).

(f) Integrity and Confidentiality

The GDPR requires technical and organisational measures to ensure that data is neither lost nor destroyed.

Integrity

A data subject may not only be harmed by the illegitimate processing of their personal data but also as a result of the loss of data. For example, if a hospital loses the personal data of a patient, they may get an incorrect treatment. The controller must also ensure that data is not falsely deleted or altered. Threats to the integrity of personal data may come from the controller, third parties or from an accident.

Confidentiality

Confidentiality aims to protect data against unauthorised access and thus against unauthorised processing. The controller must therefore also implement technical and organisational measures to ensure that personal data is not falsely disclosed, hacked or lost. This includes that unauthorised persons neither have access to the data nor to the devices on which they are processed (Recital 39). The requirements for data security are further defined in Article 32 GDPR.

(2) Accountability

The first part of Article 5(2) highlights that the controller is responsible for complying with Article 5(1) GDPR as well as with all other relevant provisions of the GDPR. More detailed provisions about the responsibilities of the controller can be found throughout the GDPR, e.g. Article 24 GDPR. In addition to being responsible, the controller also has to be able to demonstrate compliance with the law. However, the provision does not further specify how a controller has to demonstrate compliance, as this is highly dependent on the processing operation and the type of organisation carrying it out. In most cases, written documentation will be used to demonstrate compliance. If applicable, a record of processing activities (see Article 30 GDPR) is also typically sufficient.

Decisions

→ You can find all related decisions in Category:Article 5 GDPR

References

↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).
↑ EDPB, ‘Guidelines 4/2019 on Article 25 Data Protection by Design and by Default’, 20 October 2020 (Version 2.0), p. 18 (available here). See also CJEU, Case C-201/14, Bara, 1 October 2015, margin numbers 32, 34 (available here).
↑ EDPB, ‘Guidelines 4/2019 on Article 25 Data Protection by Design and by Default’, 20 October 2020 (Version 2.0), p. 18 (available here).
↑ de Terwangne, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 5 GDPR, p. 315 (Oxford University Press 2020).
↑ Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 5 GDPR, margin numbers 29 (C.H. Beck 2018, 3rd Edition).
↑ WP29, ‘Opinion 03/2013 on purpose limitation’, 00569/13/EN WP 203, 2 April 2013, p. 16 (available here).
↑ EDPB, ‘Guidelines 3/2019 on processing of personal data through video devices’, 29 January 2020 (Version 2.0), p. 9 (available here).
↑ CJEU, Case C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, 11 December 2019 (rectified 13 February 2020), margin number 51 (available here).
↑ Resta, in Riccio, Scorza, Belisario, GDPR e Normativa Privacy - Commentario, Article 5 GDPR (Wolters Kluwer 2018), p. 59.
↑ WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251rev.01, 3 October 2017 (available here).
↑ Schantz, in Wolff, Brink, BeckOK Datenschutzrecht, Article 5 GDPR, margin number 27 (C.H. Beck 2020, 36th Edition).
↑ Schantz, in Wolff, Brink, BeckOK Datenschutzrecht, Article 5 GDPR, margin number 32 (C.H. Beck 2020, 38th Edition); Herbst in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin number 66 (C. H. Beck 2021, 3rd ed.).
↑ Schantz, in Wolff, Brink, BeckOK Datenschutzrecht, Article 5 GDPR, margin number 34 (C.H. Beck 2020, 36th Edition).

[1] Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).

[2] EDPB, ‘Guidelines 4/2019 on Article 25 Data Protection by Design and by Default’, 20 October 2020 (Version 2.0), p. 18 (available here). See also CJEU, Case C-201/14, Bara, 1 October 2015, margin numbers 32, 34 (available here).

[3] EDPB, ‘Guidelines 4/2019 on Article 25 Data Protection by Design and by Default’, 20 October 2020 (Version 2.0), p. 18 (available here).

[4] de Terwangne, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 5 GDPR, p. 315 (Oxford University Press 2020).

[5] Frenzel, in Paal, Pauly, DS-GVO BDSG, Article 5 GDPR, margin numbers 29 (C.H. Beck 2018, 3rd Edition).

[6] WP29, ‘Opinion 03/2013 on purpose limitation’, 00569/13/EN WP 203, 2 April 2013, p. 16 (available here).

[7] EDPB, ‘Guidelines 3/2019 on processing of personal data through video devices’, 29 January 2020 (Version 2.0), p. 9 (available here).

[8] CJEU, Case C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA, 11 December 2019 (rectified 13 February 2020), margin number 51 (available here).

[9] Resta, in Riccio, Scorza, Belisario, GDPR e Normativa Privacy - Commentario, Article 5 GDPR (Wolters Kluwer 2018), p. 59.

[10] WP29, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’, 17/EN WP251rev.01, 3 October 2017 (available here).

[11] Schantz, in Wolff, Brink, BeckOK Datenschutzrecht, Article 5 GDPR, margin number 27 (C.H. Beck 2020, 36th Edition).

[12] Schantz, in Wolff, Brink, BeckOK Datenschutzrecht, Article 5 GDPR, margin number 32 (C.H. Beck 2020, 38th Edition); Herbst in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin number 66 (C. H. Beck 2021, 3rd ed.).

[13] Schantz, in Wolff, Brink, BeckOK Datenschutzrecht, Article 5 GDPR, margin number 34 (C.H. Beck 2020, 36th Edition).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]