Principles of personal data processing
When processing personal data, controllers are obliged to adhere to several principles, namely: legality, fairness, and transparency of processing, data minimization, data accuracy, limitation of data storage time, data security, and accountability.
Legality, fairness, and transparency of processing
Legality implies the existence of consent from the data subject or another legitimate legal basis that enables data processing (fulfillment of a contract, fulfillment of legal obligations, essential interest of the data subject, public interest, and legitimate interest). Fairness refers to the relationship between the controller and the personal data subject. It implies an obligation for controllers to explain their personal data processing activities to data subjects in an understandable and accessible way. Processing activities must not be carried out in secret and should not have unpredictable negative consequences. Transparency envisages an obligation for controllers to inform data subjects before starting to process their data, i.e. to inform them at least of the purposes of processing and the identity and address of the controller; data subjects have the right to access their data no matter where they are processed and in what form.
Data minimization
Data minimization means processing only those data that are relevant and limited to what is necessary in relation to the legitimate purpose for which they are collected and/or further processed. Further processing of personal data for a purpose different from the original one can be considered legal only if it is compatible with the original purpose of the processing. In any case, personal data can be processed only if the goal cannot be achieved otherwise.
Data accuracy
The controller is obliged to take measures to ensure, with reasonable assurance, that the data processed are accurate and up to date, and that inaccurate data are deleted or corrected without delay (at the request of the personal data subject).
Limitation of storage
This principle implies the necessary deletion or anonymization of data as soon as such data are no longer required for the purposes for which they were processed.
Data security
The processing of personal data must be carried out in a secure manner, which includes protection against unauthorized (illegal) processing, accidental loss, destruction, or damage. For that purpose, the controller is obliged to take technical and/or organisational measures, and it is desirable to engage a team of lawyers and technical persons in designing them. In case of a violation of personal data, the controller is obliged to inform the competent authority (Personal Data Protection Agency) and the data subject. Pseudonymization is a technical and organisational measure that is recognized as an appropriate tool for fulfilling data protection principles.
Accountability
Controllers should at all times be able to demonstrate that they comply with data protection principles, including by having documentation prepared to prove to data subjects and regulators at all times what measures have been taken to ensure that personal data processing complies with data protection rules.

