
The GDPR and the principles relating to the processing of personal data

Updated: Mar 15



 

The GDPR is a legal text that can be difficult to understand if you are not familiar with the legal language or terms used. It is all the more complex because it is a single text intended for very heterogeneous organisations, working in very different sectors of activity and for very different purposes.


However, a good understanding of this regulation and its objectives is essential for a proper interpretation of this text and in order to put in place the appropriate measures.


 

In this third blog post aimed at popularising the GDPR, we propose to take a closer look at Article 5 of Chapter 2, which sets out the principles relating to the processing of personal data.


And if you haven't read them yet, you can find the first two articles in this series at the end of the article!



Article 5 of the General Data Protection Regulation (GDPR) is a key piece of EU data protection legislation. This regulation, as explained in our previous blog posts, has prompted a lot of thinking about how companies and organisations handle personal data. As a reminder, the GDPR aims to protect the fundamental rights and freedoms of data subjects by ensuring that the processing of personal data is ethically responsible and compliant with the law.


To be compliant, the processing of personal data must therefore respect certain strict principles.



[Image: surveillance camera. Photo by Bernard Hermant on Unsplash]

In this article we will explore the various principles set out in Article 5 of the GDPR: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, retention period (storage limitation), and data security (integrity and confidentiality).


We will therefore examine the importance of these principles which are at the heart of the GDPR and their influence on organisations and businesses that process personal data.



1. The principles of lawfulness, fairness and transparency


The principles of fairness and lawfulness of processing are complemented by a principle of transparency. In other words, processing must be carried out in accordance with the law, in an ethical and transparent manner. [1]


The 'lawfulness principle' means that data processing must be carried out in accordance with the law. Data processing is therefore carried out on an appropriate legal basis, for example: the performance of a contract, an employer's legal obligation, a public interest task, legitimate interest or by a request for consent.


The principle of 'fairness' means that personal data must be collected and processed fairly and strictly in accordance with what the data subject has been informed of and consented to, in order to avoid prejudicing the data subject.


The principle of 'transparency' means that data subjects must be informed in a clear and comprehensible manner of all stages of the processing of their personal data. The person whose personal data is processed must be clearly informed of the existence of the processing, its purpose, the types of data collected, the applicable legal basis, the potential recipients of the data, their rights and freedoms with regard to the processing, the possibility of lodging a complaint with the CNIL, etc. They must also be able to exercise their data protection rights in accordance with the law, such as the rights of access, rectification, deletion, limitation and portability of their data.


Let's take the example of a company that wishes to set up a newsletter to promote its offers and products to its current customers and potential prospects. In order to comply with the principles of lawfulness, fairness and transparency, the company should take the following steps:

  1. Obtain the consent of the persons concerned before sending them the newsletter. This consent must be explicit and freely given. For example, the company can add a checkbox (unchecked by default) offering anyone who submits a contact form the option of also subscribing to its communications.

  2. Inform data subjects of the reason for the data processing, the data collected, the business partners with whom the data will be shared, and the opportunity to unsubscribe or exercise their rights. This can be done directly next to the checkbox or in a privacy policy that is made easily accessible.

  3. Allow subscribers to withdraw their consent at any time (via a working unsubscribe link).


2. The principle of purpose limitation


Personal data must be collected and processed for specific, explicit and legitimate purposes. Thus, organisations and companies must inform data subjects of the purposes for which their data are collected and they are not allowed to use them for purposes other than those presented to the data subject.


Let's go back to the example of the marketing and communication team. The purpose of collecting personal data is to manage the sending of newsletters. The purpose must not be misused: the marketing team cannot use this same data to send satisfaction surveys following a purchase, for example. This is because if the people concerned have consented to leave their email address to receive your communications, they have not explicitly consented to being asked for satisfaction surveys.


Similarly, email addresses collected for the purpose of sending satisfaction surveys cannot be used to send newsletters or other unsolicited communications!



3. The principle of data minimisation


Data minimisation is a fundamental principle of data protection. Only data that are strictly necessary to achieve the specific purposes for which they are processed should be collected. The data collected must be limited and proportionate to the purpose for which it is collected. Thus, it is strictly forbidden to collect data "just in case".


Let's go back to our previous example: the company wants to collect personal data for sending monthly newsletters. In order to respect the principle of data minimisation, the company is therefore not allowed to collect any information other than an email address (the only information really needed to send an email). Thus, collecting the surname, first name, telephone number or date of birth in the context of sending a newsletter is too much!



4. The accuracy principle


Personal data must be correct and kept up to date. Companies and organisations must therefore take adequate measures to ensure that the data collected is always accurate and, if necessary, to correct or delete it. Compliance with the accuracy principle may require regular contact with data subjects to ask them to confirm the accuracy of their data or automatic checks using specialised software.


In the context of our newsletter example, an inaccurate e-mail address would only prevent the data subject from receiving the newsletters. On the other hand, the inaccuracy of certain other data may have a greater impact on the persons concerned: an incorrect bank account number for an employee (a bank account number being personal data) could jeopardise the proper receipt of their salary.



5. The principle of limiting data retention


Personal data must be kept for a limited period of time. It may not be kept longer than is necessary to fulfil the specific purposes for which it was collected.


Failure to respect the retention period of personal data may constitute a breach of the privacy of the data subjects. Indeed, when personal data are kept for longer than intended, the risk of a breach of the privacy of individuals increases. Moreover, keeping unnecessary personal data can also make companies and organisations more vulnerable to security breaches that can lead to data breaches.


The length of time that data is retained depends on the purposes for which it was collected. It may also vary depending on the type of data processed (sensitive or not) and other factors such as legal obligations, requests from competent authorities, potential litigation.


For example, in the context of the newsletter mentioned as an example above, the data are kept until the data subject withdraws his/her consent. On the other hand, if the data have been collected for the management of a contract, they may be kept for the effective duration of the contract (and even if the data subject withdraws his/her consent from the newsletter).



Beware that limiting data retention does not necessarily mean immediate deletion of personal data: a distinction must be made between the active database (personal data in the active database are actively processed) and archived and stored data (which are no longer actively processed and are waiting to be deleted).


Thus, one retention period is defined for the active database, and then a separate retention period is defined for archiving or intermediate storage.


Indeed, there may be situations where data must be retained for legal reasons, even if the original purposes for which the data were collected are no longer relevant. In such cases, companies and organisations must put in place appropriate security measures to ensure the protection of personal data during their retention period.
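To show how these principles can be enforced in code rather than only in policy, here is an added example (not from the original post) that models the newsletter scenario from sections 1, 2, 3 and 5: a record keeps only the fields its purposes require, consent must be an explicit opt-in, a purpose can be used only if the data was collected for it and consent has not been withdrawn, and the retention sweep distinguishes the active database from intermediate archiving. The purpose names, the fields assumed for contract management and the one-year archive period are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Purposes named in the post; consent-based ones can be withdrawn, contract data follows the contract.
NEWSLETTER, SURVEY, CONTRACT = "newsletter", "satisfaction_survey", "contract_management"
CONSENT_PURPOSES = {NEWSLETTER, SURVEY}

# Data minimisation: only the fields each purpose actually needs (the contract fields are assumed).
REQUIRED_FIELDS = {NEWSLETTER: {"email"}, SURVEY: {"email"}, CONTRACT: {"email", "name"}}
ARCHIVE_PERIOD = timedelta(days=365)  # assumed intermediate-storage period before deletion


@dataclass
class Record:
    data: dict                                   # only the fields collect() let through
    purposes: set                                # purposes the subject was informed of
    withdrawn: set = field(default_factory=set)  # consents withdrawn since collection
    contract_end: Optional[date] = None          # set when CONTRACT is among the purposes
    archived_on: Optional[date] = None           # None while the record is in the active database


def collect(form: dict, purposes: set, consent_checked: bool) -> Record:
    """Build a record from a submitted form, keeping only the fields the purposes need."""
    if purposes & CONSENT_PURPOSES and not consent_checked:
        # Consent is an affirmative act: an unticked (default) checkbox is not consent.
        raise ValueError("consent-based purpose requested without an explicit opt-in")
    needed = set().union(*(REQUIRED_FIELDS[p] for p in purposes))
    return Record(data={k: v for k, v in form.items() if k in needed}, purposes=set(purposes))


def may_use(rec: Record, purpose: str) -> bool:
    """Purpose limitation: usable only for a purpose it was collected for and not withdrawn."""
    return purpose in rec.purposes and purpose not in rec.withdrawn


def withdraw(rec: Record, purpose: str) -> None:
    """Record a withdrawal of consent (e.g. an unsubscribe link being used)."""
    rec.withdrawn.add(purpose)


def retention_action(rec: Record, today: date) -> str:
    """Storage limitation: 'keep', 'archive', 'archived' or 'delete' as of `today`."""
    consent_live = any(may_use(rec, p) for p in CONSENT_PURPOSES)
    contract_live = CONTRACT in rec.purposes and rec.contract_end is not None and today <= rec.contract_end
    if consent_live or contract_live:
        return "keep"       # still needed for an active purpose, even if newsletter consent was withdrawn
    if rec.archived_on is None:
        return "archive"    # no active purpose left: move out of the active database
    if today >= rec.archived_on + ARCHIVE_PERIOD:
        return "delete"     # intermediate retention period has expired
    return "archived"       # in intermediate storage, waiting for the period to run out
```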



6. The principles of integrity and confidentiality


These two principles ensure that personal data are protected against unauthorised access and unauthorised modification, so that they are used only for the purposes for which they were collected.


The 'integrity principle' means that data must be accurate, complete and up-to-date. Organisations must therefore take the necessary measures to prevent unauthorised modification, alteration or destruction of data. To keep data reliable and usable, protective measures should be put in place against malware, intrusion attempts and other potential threats.


The 'confidentiality principle' means that data should not be disclosed to unauthorised third parties. To this end, organisations must ensure that only authorised persons have access to the data and that the data is not used for purposes other than those for which it was collected. Security measures should be put in place to control access to data, such as the use of strong passwords, two-factor authentication and data encryption.

Companies and organisations must therefore take appropriate technical and organisational measures to protect the personal data they process.




7. The responsibility of the controller


Article 5 does not only set out the principles relating to the processing of personal data, but also addresses the principle of accountability of the controller. Thus, the controller is the person responsible for compliance with the various principles mentioned above, and it is the controller who is held liable in the event of non-compliance with these regulatory obligations.


Compliance with these principles implies that the data controller must put in place control documents (a baseline assessment, a register of processing operations, PIAs, an IT charter, etc.) within their organisation in order to guarantee the compliance of their data processing operations and to be able to demonstrate the compliance of their organisation with the GDPR in the event of an inspection by the CNIL.


The responsibilities of the controller will be further explained in Article 24 of the GDPR (and therefore in a future blog post).



To conclude


These principles set out in Article 5 are not just legal obligations, but also have ethical significance in ensuring that personal data is processed responsibly. Organisations and companies that fail to comply with these principles may be subject to significant financial penalties, but also to reputational and brand damage.


Thus, strict compliance with all these principles relating to the processing of personal data allows organisations to strengthen their brand image and inspire confidence, in an environment where data protection has become a growing concern for citizens.





Other articles written to make the GDPR easier for you:


