Chapter 2 of the GDPR lays out the core principles that organizations must follow when processing personal data. These principles are designed to protect the privacy of individuals and ensure their personal information is handled lawfully.
Figure 1: 7 main principles of GDPR
Article 5: Principles relating to the processing of personal data
Article 5 of the GDPR has significantly influenced data privacy legislation around the globe, sparking widespread discussions on the importance of safeguarding individuals' personal data. Many countries and regions have revised or implemented new data protection laws, taking cues from the fundamental principles outlined in Article 5.
This article lays down seven key principles that must be followed when processing personal data:
- Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and transparently in relation to the data subject. Example: An online platform collects user data for account creation but clearly explains, in simple terms, how the data will be used and obtains users' consent through a checkbox.
- Purpose limitation: Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Example: A social media app collects user data to improve user experience but refrains from using it for targeted advertising without explicit permission.
- Data minimization: Data collected should be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. Example: A travel booking website requests only essential information like name and contact details for booking confirmation, avoiding unnecessary details like personal preferences.
- Accuracy: Personal data should be accurate and kept up to date. Inaccurate data should be rectified or erased without delay. Example: An online retailer regularly updates customer addresses based on recent purchases to ensure timely delivery and prevent shipping errors.
- Storage limitation: Data should be kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which it is processed. Example: A cloud storage service automatically deletes inactive user files after a specified period, reducing storage costs and minimizing security risks.
- Integrity and confidentiality: Personal data should be processed in a manner that ensures appropriate security, protecting against unauthorized or unlawful processing and accidental loss, destruction, or damage. Example: A company secures customer information with encryption, ensuring that even if unauthorized individuals access the data, they cannot decipher it without the decryption key. This practice safeguards data integrity and confidentiality.
- Accountability: The controller is responsible for demonstrating compliance with the GDPR: it must document its technical and organizational controls and maintain records of its data processing activities. Example: An e-commerce platform maintains a detailed log of user consent for data processing activities and conducts regular audits to ensure compliance with data protection regulations.
Implications
- Informed consent: Organizations must obtain explicit and informed consent from individuals when required. This involves providing clear explanations and obtaining active, unambiguous consent.
- Defined purposes: The purpose for collecting personal data needs to be clearly defined and documented. This data can only be used for those specific purposes and not for any unrelated activities.
- Limit data collection: By collecting only the minimum necessary personal data, organizations limit the attack surface for potential data breaches. This not only protects user privacy but also reduces the burden of data security and compliance.
- Regular audits: Organizations must regularly conduct audits to ensure data collection practices adhere to the principle of data minimization. These audits verify that only essential data is being collected and processed.
- Retention policies: Organizations must develop and enforce data retention policies that specify how long different types of personal data are kept.
- Automated deletion: Organizations must implement systems for the automatic deletion of data that is no longer needed, ensuring compliance with retention schedules.
- Security measures: Organizations must implement robust security measures to protect personal data, including encryption, access controls, and regular security assessments.
- Documentation and records: Organizations must maintain comprehensive records of data processing activities, including the purposes of processing, data categories, and security measures in place.
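The retention, automated-deletion and record-keeping implications above are easiest to reason about as one mechanism: a documented schedule per data category, a job that applies it, and an audit trail of what it did. The following is an added example written for this guide (it is not code from the guide or from any vendor product); the categories, retention periods, field names and sample records are constructed for illustration and are not legal advice. It shows the two ways a storage-limitation rule can be satisfied, deleting the record or stripping its identifying fields, and it flags records whose category has no rule rather than silently keeping or deleting them.

```python
"""Retention schedule enforcement with an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RetentionRule:
    keep_for: timedelta   # how long the record may stay identifiable
    action: str           # "delete" or "anonymise" once keep_for has elapsed
    basis: str            # documented reason for the period (accountability)


# Constructed schedule: hypothetical categories and periods.
RETENTION_SCHEDULE = {
    "marketing_consent": RetentionRule(timedelta(days=365), "delete", "consent re-confirmed yearly"),
    "order_history": RetentionRule(timedelta(days=365 * 6), "anonymise", "tax record keeping"),
    "support_ticket": RetentionRule(timedelta(days=180), "delete", "service delivery"),
}

# Fields that identify a natural person; removing them is what "anonymise" means here.
IDENTIFYING_FIELDS = {"name", "email", "address", "ip"}


def anonymise(rec):
    """Return a copy of the record with identifying fields removed."""
    return {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}


def apply_retention(records, schedule, now):
    """Apply the schedule to a list of record dicts.

    Returns (remaining_records, audit_entries). Every action, including the
    decision to flag a record for review, is written to the audit list so the
    controller can later demonstrate what was done and why.
    """
    remaining, audit = [], []
    for rec in records:
        rule = schedule.get(rec["category"])
        if rule is None:
            # Unknown category: keep the record but surface it for review rather
            # than guessing a period that may be too short or too long.
            audit.append({"record_id": rec["record_id"], "action": "review",
                          "reason": "no retention rule for category " + rec["category"],
                          "at": now.isoformat()})
            remaining.append(rec)
            continue
        if now - rec["last_activity"] < rule.keep_for:
            remaining.append(rec)
            continue
        if rule.action == "anonymise":
            remaining.append(anonymise(rec))
        # "delete": the record is simply not carried over.
        audit.append({"record_id": rec["record_id"], "action": rule.action,
                      "reason": rule.basis, "at": now.isoformat()})
    return remaining, audit


def run_demo():
    """Constructed sample data run against the schedule at a fixed date."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    records = [
        {"record_id": "r1", "category": "marketing_consent", "email": "a@example.test",
         "last_activity": datetime(2023, 1, 15, tzinfo=timezone.utc)},
        {"record_id": "r2", "category": "order_history", "name": "A. Person",
         "email": "a@example.test", "total": 42.0,
         "last_activity": datetime(2017, 3, 1, tzinfo=timezone.utc)},
        {"record_id": "r3", "category": "support_ticket", "email": "b@example.test",
         "last_activity": datetime(2024, 3, 1, tzinfo=timezone.utc)},
        {"record_id": "r4", "category": "legacy_export", "email": "c@example.test",
         "last_activity": datetime(2010, 1, 1, tzinfo=timezone.utc)},
    ]
    return apply_retention(records, RETENTION_SCHEDULE, now)


if __name__ == "__main__":
    kept, log = run_demo()
    for entry in log:
        print(entry)
    print("records remaining:", [r["record_id"] for r in kept])
```

In a real deployment the schedule itself is the document an auditor asks for, so keep it in version control and have the job refuse to run if a category appears that the schedule does not cover.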
Log360 provides out-of-the-box audit reports to ensure authorized access to personal data. It sends alerts when unauthorized access attempts are made and also generates instant notifications whenever critical file changes happen. Log360 aids in detecting database attacks such as SQL injection and denial-of-service attacks, while also pinpointing data breaches such as unauthorized database backups. Further, Log360 provides detailed information on who made the unauthorized change, when, and from where. This helps in submitting an incident report if necessary.
Pro tip: A highly effective strategy for preventing unauthorized or unlawful processing of personal data involves vigilant monitoring for network intrusions. Given that a significant portion of security breaches target personal data theft, it's imperative to intercept and thwart these attacks at their intrusion stage. By promptly identifying and halting intrusion attempts, you can effectively safeguard personal data from exploitation and maintain robust data protection measures.
Article 6: Lawfulness of processing
This article defines the conditions under which processing of personal data is lawful. Data controllers must establish a legal basis to lawfully process personal data. Identifying the suitable legal basis is crucial, as it may entail specific obligations and impact individuals' rights.
Processing is lawful only if at least one of the specified conditions is met by data controllers. These include:
- Consent from the data subject: Individuals should give consent to data controllers for processing their personal information. However, the consent must be given freely, with full awareness, for a specific purpose, and without ambiguity. Example: A user opts in to receive promotional emails from an online retailer.
- Necessity for the performance of a contract: Processing personal data for the performance of a contract is a valid legal basis. This means using personal data to provide a service or fulfill contractual obligations, such as responding to a client's request for a service quote. Example: A bank processes customer data to facilitate transactions and manage accounts.
- Compliance with legal obligations: This means organizations can process data when required by EU or national laws. For this basis to apply, certain conditions must be met: the law must be applicable to the controller, specify the need to process personal data, define the purpose of processing, and place the obligation on the controller rather than the data subjects. Example: A tax authority processes taxpayer data to fulfill legal reporting requirements.
- Protection of vital interests: Processing is necessary to protect someone's life or health. Example: A hospital processes patient data in an emergency to provide life-saving treatment.
- Public interest: Processing is necessary for a task carried out in the public interest or official authority. Example: A government agency processes citizen data for public safety initiatives.
- Pursuit of legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the individual's rights. Example: An insurance company processes customer data to prevent fraud and ensure fair pricing.
Public authorities may have additional legal bases for processing data for the public interest or official authority. The purpose and legal basis for processing must be clear and determined in advance.
Implications
- Explicit consent: Organizations must obtain explicit, informed consent from individuals for specific purposes. This consent must be documented to demonstrate compliance.
- Legal basis: Every data processing activity must have a documented legal justification aligned with the conditions outlined in Article 6 of the GDPR.
- Policy development: To comply with data regulations, organizations must create procedures for handling data based on the specific legal reason for collecting it.
- Training and awareness: Organizations must provide training for staff to understand the legal bases for data processing and the specific requirements associated with each.
- Regular audits: Regularly conducting audits of data processing activities will ensure organizations adhere to the GDPR and proper use of legal bases.
- Data subject rights: Organizations must ensure mechanisms are in place to respect and facilitate the exercise of data subject rights, such as access, rectification, and erasure, in relation to the legal basis for processing.
Article 7: Conditions for consent
This article specifies the conditions for obtaining and withdrawing consent for processing personal data. When processing is based on consent, the controller (the entity processing the data) must be able to demonstrate that the data subject has consented to the processing of their personal data. Conditions for consent include:
- Consent presentation: If consent is part of a written declaration covering other matters, it must be presented clearly and separately, in an easily accessible form, using clear and plain language.
- Right to withdraw consent: The data subject has the right to withdraw consent at any time, and this withdrawal should not affect the lawfulness of processing based on consent prior to withdrawal.
- Prior information: The data subject must be informed before giving consent, and the process of withdrawing consent should be as easy as giving it. Recital 32 of the GDPR emphasizes that consent should be given through a clear affirmative act, establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of their personal data. It should cover all processing activities for the same purpose or purposes.
When assessing whether consent is freely given, consideration should be given to whether the provision of a service is conditional on consent to processing data that is not necessary for fulfilling the contract.
Implications
- Cookie consent: Organizations should implement cookie banners on websites that allow users to choose which types of cookies they accept.
- Easy opt-out mechanism: Consent should be easy to withdraw, with clear instructions provided on how individuals can revoke their consent at any time. This could involve providing an unsubscribe link in marketing emails or an opt-out mechanism on data processing consent forms.
- Regular review and updates: Organizations should periodically review consent requests to ensure they remain clear, specific, and compliant with the GDPR, making any necessary updates based on regulatory guidance or changes in processing activities.
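Article 7 asks the controller to be able to demonstrate consent, to keep consent specific to a purpose, and to honour withdrawal without treating earlier processing as unlawful. An append-only consent ledger captures all three. The code below is an added example written for this guide, not code from the guide or from any product; the subject IDs, purposes, notice versions and timestamps are constructed. The key query is "was processing of this purpose for this subject covered by consent at time T?", answered from the event history rather than from a single current flag, so a later withdrawal does not rewrite the past.

```python
"""Append-only consent ledger (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # consent is specific: one purpose per event
    given: bool           # True = granted, False = withdrawn
    at: datetime
    notice_version: str   # which privacy notice the subject saw (informed consent)
    method: str           # how it was captured, e.g. "checkbox", "unsubscribe_link"


class ConsentLedger:
    def __init__(self):
        self._events: List[ConsentEvent] = []   # never edited in place, only appended

    def grant(self, subject_id, purpose, at, notice_version, method):
        # A pre-ticked box is not a clear affirmative act, so it is refused here.
        if method == "pre_ticked":
            raise ValueError("pre-ticked boxes do not constitute consent")
        self._events.append(ConsentEvent(subject_id, purpose, True, at, notice_version, method))

    def withdraw(self, subject_id, purpose, at, method):
        # Withdrawal is recorded as its own event; the grant stays as evidence.
        self._events.append(ConsentEvent(subject_id, purpose, False, at, "", method))

    def state_at(self, subject_id, purpose, at) -> Optional[ConsentEvent]:
        """Latest event for (subject, purpose) with a timestamp at or before `at`."""
        latest = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest

    def is_lawful(self, subject_id, purpose, at) -> bool:
        """True if consent for this purpose was in force at `at`."""
        ev = self.state_at(subject_id, purpose, at)
        return ev is not None and ev.given

    def evidence(self, subject_id, purpose) -> List[ConsentEvent]:
        """Everything the controller can show about this subject and purpose."""
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]


def build_demo_ledger():
    """Constructed history: one grant, one withdrawal, one purpose never consented to."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.grant("u1", "marketing_email", datetime(2024, 1, 10, tzinfo=utc), "notice-v3", "checkbox")
    ledger.withdraw("u1", "marketing_email", datetime(2024, 3, 1, tzinfo=utc), "unsubscribe_link")
    return ledger


if __name__ == "__main__":
    utc = timezone.utc
    ledger = build_demo_ledger()
    print("Feb 1 send lawful:", ledger.is_lawful("u1", "marketing_email", datetime(2024, 2, 1, tzinfo=utc)))
    print("Mar 15 send lawful:", ledger.is_lawful("u1", "marketing_email", datetime(2024, 3, 15, tzinfo=utc)))
    for e in ledger.evidence("u1", "marketing_email"):
        print(e)
```

Because the ledger is append-only, the record of the original grant (notice version, capture method, time) survives the withdrawal, which is exactly the evidence the controller needs if the earlier processing is ever questioned.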
Article 8: Conditions applicable to child's consent
This article deals with obtaining consent for processing personal data of children. Here's a breakdown of the key points from the article and the related recitals:
- Age requirement for consent: If information society services are offered directly to a child, and the processing of personal data of that child falls under Article 6(1)(a), the processing shall be lawful if the child is at least 16 years old.
- Parental consent for children below 16: If the child is below 16 years old, the processing of their personal data is lawful only if consent is given or authorized by the holder of parental responsibility over the child. Parental consent is not necessary in the context of preventive or counseling services offered directly to a child.
- Lower age limit by Member States: Member States have the option to set a lower age limit for consent, but it cannot be lower than 13 years.
- Verification of parental consent: The controller should make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility. This verification should consider available technology.
- Exception for general contract law: This article doesn't affect the general contract law of Member States concerning the validity, formation, or effect of a contract in relation to a child.
Implications
- Age verification: Organizations should consider adding an age verification system on their websites before collecting customer information.
- Clear disclosures for children's data: Organizations should update privacy notices to include clear information about how children’s data is processed, the age requirements for consent, and the process for obtaining parental consent.
- Transparency for children and guardians: Organizations should ensure transparent communication with both children and guardians about data processing activities, the necessity of consent, and the rights of data subjects.
Article 9: Processing of special categories of personal data
This article outlines conditions for processing special categories of personal data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, etc.
Prohibition on processing: Processing of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a person, data concerning health, or data concerning a person's sex life or sexual orientation is prohibited. However, there are exceptions to this prohibition:
- Explicit consent: Processing is allowed if the data subject has given explicit consent for one or more specified purposes.
- Legal obligations: Processing is necessary for fulfilling legal obligations or exercising specific rights related to employment, social security, and social protection, provided appropriate safeguards are in place.
- Vital interests: Processing is necessary to protect the vital interests of the data subject or another person if the data subject is unable to give consent.
- Non-profit organizations: Processing is carried out by a non-profit organization with political, philosophical, religious, or trade union aims, solely relating to its members or persons having regular contact with it, and with appropriate safeguards.
- Public interest: Processing is necessary for reasons of substantial public interest, provided it is proportionate, respects the essence of data protection rights, and includes suitable safeguards.
- Health-related purposes: Processing is necessary for various health-related purposes, such as preventive or occupational medicine; medical diagnosis; provision of health or social care; public health; and archival, scientific, historical, or statistical research.
- Professional secrecy: Personal data may be processed when under the responsibility of professionals subject to professional secrecy obligations.
Member States may impose further conditions or limitations on the processing of certain sensitive data categories.
Implications
- Limited processing with strict controls: Organizations may process these special categories of data only if one of the conditions above is met, such as explicit consent, vital interests, or data manifestly made public by the data subject. Organizations should have the relevant policies and security measures in place and should also have performed a Data Protection Impact Assessment (DPIA).
- Safeguard sensitive data: Organizations should implement robust safeguards, such as data minimization, anonymization, and ensuring processing is aligned with public interest purposes.
Article 10: Processing of personal data relating to criminal convictions and offenses
This article addresses the processing of personal data relating to criminal convictions and offenses. Processing of personal data relating to criminal convictions and offenses is only allowed under the control of official authority or when authorized by Union or Member State law, with appropriate safeguards for data subjects' rights and freedoms. Any comprehensive registers of criminal convictions should be kept under official authority.
What should organizations do to comply?
Organizations might need to carry out a DPIA if they plan to process criminal offense data, or to determine access to a product, service, opportunity or benefit. They should also keep records while processing criminal offense data and figure out if they need an "appropriate policy document" under the Data Protection Act 2018.
Article 11: Processing which does not require identification
This article outlines situations where a controller is not required to identify data subjects for processing purposes. This provision is particularly relevant for processing activities that do not require direct identification, such as certain types of anonymized or pseudonymous data processing.
Processing without identification: If the purposes for which a controller processes personal data do not require the identification of the data subject (identification may include digital identification methods, such as authentication mechanisms used by the data subject to access the controller's online services), the controller is not obligated to maintain, acquire, or process additional information solely for the purpose of complying with the GDPR.
Informing the data subject: If the controller is unable to identify the data subject in such cases, they must inform the data subject accordingly, if possible. In these situations, certain GDPR articles (i.e., Articles 15–20) do not apply, except if the data subject provides additional information enabling their identification for the purpose of exercising their rights under those articles.
Implications
- Privacy by design: Organizations should incorporate the principle of privacy by design by minimizing the collection and use of identifying information wherever possible. This aligns with broader GDPR principles of data minimization and purpose limitation.
- Limited applicability: In situations where identification is not possible, certain GDPR rights (such as access, rectification, erasure, restriction of processing, data portability, and objection) may not be enforceable unless the data subject provides additional information enabling their identification.
Disclaimer: This guide has been created using information provided by official GDPR documents.