Principles relating to processing of personal data
(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.
Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.
(157) By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services. In order to facilitate scientific research, personal data can be processed for scientific research purposes, subject to appropriate conditions and safeguards set out in Union or Member State law.
(22) Whereas Member States shall more precisely define in the laws they enact or when bringing into force the measures taken under this Directive the general circumstances in which processing is lawful; whereas in particular Article 5, in conjunction with Articles 7 and 8, allows Member States, independently of general rules, to provide for special processing conditions for specific sectors and for the various categories of data covered by Article 8;
(28) Whereas any processing of personal data must be lawful and fair to the individuals concerned; whereas, in particular, the data must be adequate, relevant and not excessive in relation to the purposes for which they are processed; whereas such purposes must be explicit and legitimate and must be determined at the time of collection of the data; whereas the purposes of processing further to collection shall not be incompatible with the purposes as they were originally specified;
(29) Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual;
Article 5 of the Regulation contains and reinforces the principles relating to the personal data processing that are set out in Article 6 of the Directive.
We see first that the principle of fairness and lawfulness of the data processing is supplemented by a principle of transparency.
Transparency requires that any information addressed to the public or the data subject must be easily accessible and easy to understand, and be formulated in simple and clear terms, particularly with regard to the information on the identity of the controller and the purposes of processing (see recital 39 ). The obligations for information of the controller resulting from the principle of transparency are detailed in Article 12 and seq of the Regulation.
A new exception is recognized to the prohibition for pursuing purposes that are incompatible with the initial purpose (Art. 5, paragraph 1, b): archiving in the public interest as long as - as for historical, statistical and scientific purposes - this processing meets the conditions set by Article 89 of the Regulation. The principle of prohibition is maintained despite an attempt to make it a bit more flexible, given the difficulties it poses in case of changing the purposes (see the commentary on Article 6).
Article 5, paragraph 1, c) of the Regulation states that data must be ”adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, while the Directive required the controllers to process only “not excessive data” in view of the processing purposes. So, the Regulation accepts the principle of data minimisation whereby only the personal data which appear necessary for achieving the purpose can be processed (Art. 5, 1, c). A classic application of a proportionality rule is actually found here.
Concerning the principle of limited period of data storage, item e) recalls that the data allowing for the identification of individuals must not be kept beyond the time required for achieving the processing goals. In other words, the data for the identification of the data subjects must be erased as soon as they are no longer needed for processing, except for archiving purposes in the public interest and for scientific research, statistical or historical services, provided that the rights of safeguards (see Article 89 , paragraph 1).
Initially, the first proposed provision of the Regulation required the controller to periodically check the need for further storage. This element was not retained.
The Regulation also establishes the principle of the obligation of security and confidentiality of processing (integrity and confidentiality), already contained in Articles 16 and 17 of the Directive (Art. 5, paragraph 1, f), which requires the controller to ensure appropriate security and confidentiality, including to prevent unauthorised access to the data and equipment used in their processing as well as the unauthorised use of such data and such equipment (see recital 39 ).
The Regulation finally establishes a principle of responsibility, pursuant to which the controller is responsible for compliance with processing principles defined in Article 5. It is therefore controller’s responsibility to ensure and demonstrate that the processing is consistent with the principles referred to in Article 5, paragraph 1 for the duration of the processing. Compliance means that the controller shall implement mechanisms and control systems (audit measures, internal policies...) within their entity to ensure compliance of processing throughout its duration and to keep the relevant evidence. This obligation for accountability is further developed by Article 24 of the Regulation (see also, G29, Opinion 3/2010 of 13 July 2010 on the principle of accountability).
Article 6 of the Directive determined the terms and conditions under which the processing of data was lawful. Through this provision, the EU legislature had implemented several basic principles that underlie any processing of personal data. These were included into Article 4 of the act of 8 December 1992 and into Article 6 of the Computers and Freedoms Act.
The principle of fairness and lawfulness of the data collection assumes that the data subjects must be in a position to be aware of the existence of a processing operation and, when data is collected from them, must be given accurate and full information on the circumstances of the collection; In addition, the data cannot be obtained by use of unlawful or unfair means (Art. 6, paragraph 1, a).
Pursuant to the principle of purpose, the purpose must be determined, explicit and legitimate. Any purpose that is incompatible with the announced purpose is therefore prohibited, except for historical, statistical or scientific purposes (Article 6, paragraph 1, b).
Pursuant to the principle of proportionality, the processing of personal data to be performed must be adequate, relevant and not excessive for the purpose pursued, which assumes that the means used shall be appropriate and necessary to achieve the objective sought (Article 6, paragraph 1, c)).
According to the principle of data quality, data must be accurate, complete and, if necessary, updated; appropriate measures must be taken to ensure that inaccurate or incomplete data in terms of the purposes for which they are collected or processed are erased or rectified.
Finally, the data can not be stored indefinitely. Data must be erased when their storage exceeds the time necessary for the purposes for which they are collected and processed (see Article 6, paragraph 1, e) of the Directive; (Article 6, 5° of the Computers and Freedoms Act), as well as Article 4, paragraph 1, 5 ° of the Act of 8 December 1992).
The basic principles are not dislocated, just refined.
Strengthening the principles of transparency and accountability will involve a review of current processing processes in the organization of the controller and the implementation of control measures and internal or external audit of the compliance of the processing with the Regulation.
Unfortunately, the principle of compatibility has not been made more flexible given the difficulties in terms of the evolution of purposes (see the comments on Article 6).
Guidelines on Personal data breach notification under Regulation 2016/679 (6 February 2018)
(Endorsed by the EDPB)
The General Data Protection Regulation (the GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.
Obligations to notify in cases of breaches presently exist for certain organisations, such as providers of publicly-available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013). There are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States may have relevant Codes of Practice (for example, in Ireland). Whilst a number of EU data protection authorities currently encourage controllers to report breaches, the Data Protection Directive 95/46/EC, which the GDPR replaces, does not contain a specific breach notification obligation and therefore such a requirement will be new for many organisations. The GDPR now makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role to play and they must notify any breach to their controller.
The Article 29 Working Party (WP29) considers that the new notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 a possible sanction is applicable to the controller.
Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.
The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.
In its Opinion 03/2014 on personal data breach notification, WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.
The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios.
Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (6 February 2018)
(Endorsed by the EDPB)
The General Data Protection Regulation (the GDPR), specifically addresses profiling and automated individual decision-making, including profiling.
Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.
Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.
The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.
Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:
- increased efficiencies; and
- resource savings.
They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.
However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.
These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.
Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.
The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.
This document covers:
- Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
- General provisions on profiling and automated decision-making – Chapter III
- Specific provisions on solely automated decision-making defined in Article 22 - Chapter IV
- Children and profiling – Chapter V
- Data protection impact assessments and data protection officers– Chapter VI
The Annexes provide best practice recommendations, building on the experience gained in EU Member States.
The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.
Guidelines on transparency under Regulation 2016/679 (11 April 2018)
(Endorsed by the EDPB)
These guidelines provide practical guidance and interpretative assistance from the Article 29 Working Party (WP29) on the new obligation of transparency concerning the processing of personal data under the General Data Protection Regulation1 (the “GDPR”). Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights. Insofar as compliance with transparency is required in relation to data processing under Directive (EU) 2016/680, these guidelines also apply to the interpretation of that principle. These guidelines are, like all WP29 guidelines, intended to be generally applicable and relevant to controllers irrespective of the sectoral, industry or regulatory specifications particular to any given data controller. As such, these guidelines cannot address the nuances and many variables which may arise in the context of the transparency obligations of a specific sector, industry or regulated area. However, these guidelines are intended to enable controllers to understand, at a high level, WP29’s interpretation of what the transparency obligations entail in practice and to indicate the approach which WP29 considers controllers should take to being transparent while embedding fairness and accountability into their transparency measures.
Transparency is a long established feature of the law of the EU. It is about engendering trust in the processes which affect the citizen by enabling them to understand, and if necessary, challenge those processes. It is also an ex
In accordance with Recital 171 of the GDPR, where processing is already under way prior to 25 May 2018, a data controller should ensure that it is compliant with its transparency obligations as of 25 May 2018 (along with all other obligations under the GDPR). This means that prior to 25 May 2018, data controllers should revisit all information provided to data subjects on processing of their personal data (for example in privacy statements/ notices etc.) to ensure that they adhere to the requirements in relation to transparency which are discussed in these guidelines. Where changes or additions are made to such information, controllers should make it clear to data subjects that these changes have been effected in order to comply with the GDPR. WP29 recommends that such changes or additions be actively brought to the attention of data subjects but at a minimum controllers should make this information publically available (e.g. on their website). However, if the changes or additions are material or substantive, then in line with paragraphs 29 to 32 below, such changes should be actively brought to the attention of the data subject.
Transparency, when adhered to by data controllers, empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by, for example, providing or withdrawing informed consent and actioning their data subject rights. The concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in a number of articles. The practical (information) requirements are outlined in Articles 12 - 14 of the GDPR. However, the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects.
The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing. This is clear from Article 12 which provides that transparency applies at the following stages of the data processing cycle:
- before or at the start of the data processing cycle, i.e. when the personal data is being collected either from the data subject or otherwise obtained;
- throughout the whole processing period, i.e. when communicating with data subjects about their rights; and
- at specific points while processing is ongoing, for example when data breaches occur or in the case of material changes to the processing.
European Data Protection Board
Guidelines 3/2019 on processing of personal data through video devices (29 January 2020)
The intensive use of video devices has an impact on citizen’s behaviour. Significant implementation of such tools in many spheres of the individuals’ life will put an additional pressure on the individual to prevent the detection of what might be perceived as anomalies. De facto, these technologies may limit the possibilities of anonymous movement and anonymous use of services and generally limit the possibility of remaining unnoticed. Data protection implications are massive.
While individuals might be comfortable with video surveillance set up for a certain security purpose for example, guarantees must be taken to avoid any misuse for totally different and – to the data subject – unexpected purposes (e.g. marketing purpose, employee performance monitoring etc.). In addition, many tools are now implemented to exploit the images captured and turn traditional cameras into smart cameras. The amount of data generated by the video, combined with these tools and techniques increase the risks of secondary use (whether related or not to the purpose originally assigned to the system) or even the risks of misuse. The general principles in GDPR (Article 5), should always be carefully considered when dealing with video surveillance.
Video surveillance systems in many ways change the way professionals from the private and public sector interact in private or public places for the purpose of enhancing security, obtaining audience analysis, delivering personalized advertising, etc. Video surveillance has become high performing through the growing implementation of intelligent video analysis. These techniques can be more intrusive (e.g. complex biometric technologies) or less intrusive (e.g. simple counting algorithms). Remaining anonymous and preserving one’s privacy is in general increasingly difficult. The data protection issues raised in each situation may differ, so will the legal analysis when using one or the other of these technologies.
In addition to privacy issues, there are also risks related to possible malfunctions of these devices and the biases they may induce. Researchers report that software used for facial identification, recognition, or analysis performs differently based on the age, gender, and ethnicity of the person it’s identifying. Algorithms would perform based on different demographics, thus, bias in facial recognition threatens to reinforce the prejudices of society. That is why, data controllers must also ensure that biometric data processing deriving from video surveillance be subject to regular assessment of its relevance and sufficiency of guarantees provided.
Video surveillance is not by default a necessity when there are other means to achieve the underlying purpose. Otherwise we risk a change in cultural norms leading to the acceptance of lack of privacy as the general outset.
These guidelines aim at giving guidance on how to apply the GDPR in relation to processing personal data through video devices. The examples are not exhaustive, the general reasoning can be applied to all potential areas of use.
C-465/00 ; C-138/01 ; C-139/01 (20 May 2003)
1. Articles 6(1)(c) and 7(c) and (e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data do not preclude national legislation such as that at issue in the main proceedings, provided that it is shown that the wide disclosure not merely of the amounts of the annual income above a certain threshold of persons employed by the bodies subject to control by the Rechnungshof but also of the names of the recipients of that income is necessary for and appropriate to the objective of proper management of public funds pursued by the legislature, that being for the national courts to ascertain.
2. Articles 6(1)(c) and 7(c) and (e) of Directive 95/46 are directly applicable, in that they may be relied on by an individual before the national courts to oust the application of rules of national law which are contrary to those provisions.
C-342/12 (30 May 2013)
1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is included within the concept of ‘personal data’, within the meaning of that provision.
2. Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 95/46 do not preclude national legislation, such as that at issue in the main proceedings, which requires an employer to make the record of working time available to the national authority responsible for monitoring working conditions so as to allow its immediate consultation, provided that this obligation is necessary for the purposes of the performance by that authority of its task of monitoring the application of the legislation relating to working conditions, in particular as regards working time.
C-683/13 (19 June 2014)
1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that a record of working time, such as that at issue in the main proceedings, which indicates, in relation to each worker, the times when working hours begin and end, as well as the corresponding breaks and intervals, is covered by the concept of ‘personal data’ as referred to in that provision.
2. Article 6(1)(b) and (c) and Article 7(c) and (e) of Directive 95/46 must be interpreted as not precluding national legislation, such as that at issue in the main proceedings, which requires an employer to make the record of working time available to the national authority responsible for monitoring working conditions so as to allow its immediate consultation, provided that this obligation is necessary for the purposes of the performance by that authority of its task of monitoring the application of the legislation relating to working conditions, in particular as regards working time.
3. It is for the referring court to determine whether the employer’s obligation to provide the national authority responsible for monitoring working conditions access to the record of working time so as to allow its immediate consultation may be considered necessary for the purposes of the performance by that authority of its monitoring task, by contributing to the more effective application of the legislation relating to working conditions, in particular as regards working time, and, if so, whether the penalties imposed with a view to ensuring the effective application of the requirements laid down by Directive 2003/88/EC of the European Parliament and of the Council of 4 November 2003, concerning certain aspects of the organisation of working time, are consistent with the principle of proportionality.
C-398/15 (9 March 2017)
Article 6(1)(e), Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in conjunction with Article 3 of the First Council Directive 68/151/EEC of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community, as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003, must be interpreted as meaning that, as EU law currently stands, it is for the Member States to determine whether the natural persons referred to in Article 2(1)(d) and (j) of that directive may apply to the authority responsible for keeping, respectively, the central register, commercial register or companies register to determine, on the basis of a case-by-case assessment, if it is exceptionally justified, on compelling legitimate grounds relating to their particular situation, to limit, on the expiry of a sufficiently long period after the dissolution of the company concerned, access to personal data relating to them, entered in that register, to third parties who can demonstrate a specific interest in consulting that data.
C-496/17 (16 January 2019)
The second subparagraph of Article 24(1) of Commission Implementing Regulation (EU) 2015/2447 of 24 November 2015 laying down detailed rules for implementing certain provisions of Regulation (EU) No 952/2013 of the European Parliament and of the Council laying down the Union Customs Code, read in the light of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that the customs authorities may require an applicant for AEO status to send to them the tax identification numbers, allocated for the purposes of collection income tax, concerning solely the natural persons who are in charge of the applicant or who exercise control over its management and those who are in charge of the applicant’s customs matters, and the details of the tax offices responsible for the taxation of all those persons, to the extent that that data enables those authorities to obtain information on serious or repeated infringements of customs legislation or taxation rules or on serious criminal offences, committed by those natural persons and relating to their economic activity.
C-708/18 (11 December 2019)
Article 6(1)(c) and Article 7(f) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as not precluding national provisions which authorise the installation of a video surveillance system, such as the system at issue in the main proceedings, installed in the common parts of a residential building, for the purposes of pursuing legitimate interests of ensuring the safety and protection of individuals and property, without the consent of the data subjects, if the processing of personal data carried out by means of the video surveillance system at issue fulfils the conditions laid down in Article 7(f), which it is for the referring court to determine.
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
1st proposal close
Personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
(d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;
(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.
2nd proposal close
1. Personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest or scientific, statistical or historical purposes shall in accordance with Article 83 not be considered incompatible with the initial purposes ;
(c) adequate, relevant and not excessive in relation to the purposes for which they are processed (...);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (...); personal data may be stored for longer periods insofar as the data will be processed for archiving purposes in the public interest or scientific, statistical, or historical purposes in accordance with Article 83 subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and
freedoms of data subject;
(ee) processed in a manner that ensures appropriate security of the personal data.
2. The controller shall be responsible for compliance with paragraph 1.
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.
Confidentiality of data
§ 6 DSG
(1) The controller, the processor and their employees, i.e. employees and persons in a quasi-employee relationship, shall ensure the confidentiality of personal data from data processing activities that have been entrusted or have become accessible to them solely due to their employment, without prejudice to other statutory obligations of confidentiality, unless a legitimate reason for the transmission of the data that have been entrusted or have become accessible to them exists (confidentiality of data).
(2) Employees may transmit personal data only if expressly ordered to do so by their employer. Unless such an obligation of their employees already exists by law, the controller and the processor shall contractually bind their employees to transmit personal data from data processing activities only on the basis of orders and to maintain the confidentiality of data even after the end of their employment with the controller or processor.
(3) The controller and the processor shall inform the employees affected by these orders about the transmission orders applicable to them and about the consequences of a violation of data confidentiality.
Old law close
All of the following in force until May 25, 2018:
Use of Data
§ 6 DSG 2000
(1) Data shall only
1. be used fairly and lawfully;
2. be collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further uses for scientific and statistical purposes is permitted subject to § 46 and 47;
3. be used insofar as they are essential for the purpose of the data application and are not excessive in relation to the purpose;
4. be used so that the results are factually correct with regard to the purpose of the application, and the data must be kept up to date when necessary;
5. be kept in a form which permits identification of data subjects as long as this is necessary for the purpose for which the data were collected; a longer period of storage may be laid down in specific laws, particularly laws concerning archives.
(2) The controller shall bear the responsibility that the principles of para. 1 are complied with in all his data applications; this also applies when he employs a processor to use the data.
Data Security Measures
§ 14 DSG 2000
(1) Measures to ensure data security shall be taken by all organisational units of a controller or processor that use data. Depending on the kind of data used as well as the extent and purpose of the use and considering the state of technical possibilities and economic justifiability it shall be ensured that the data are protected against accidental or intentional destruction or loss, that they are properly used and are not accessible to unauthorized persons.