Principles relating to processing of personal data
These are the principles relating to processing of personal data
Compliance with the GDPR requirements is based on applying the principles relating to processing of personal data, which means adhering to the accountability principle.
Here is the list of such principles:
1. «lawfulness, fairness and transparency»: this means that data processing shall be lawful, correct and transparent to the data subject. Data subjects shall be able to monitor the processing of personal data, constantly and with awareness, from the time of their collection.
2. «purpose limitation»: data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes. Data collection shall not be indeterminate as to the purposes of processing: it must be clear why data are collected and then processed. Clarity about data processing is of the utmost importance.
3. «data minimisation»: this means that data collected shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This principle recalls the requirement of data protection by design and by default.
4. «accuracy»: this means that data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. The data subject’s privacy is to be protected not only by the security of processing: data relating to the person shall also be accurate and, where feasible, without errors.
5. «storage limitation»: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which their personal data are processed. It is a very important principle which is emphasised by the GDPR: it requires determining the period for which personal data will be stored or, if that is not possible, the criteria used to determine that period (to be indicated in the information to be provided under arts. 13-14, GDPR and in the Records of processing activities). After that period, personal data shall be anonymised or erased, unless the storage is mandatory to comply with laws or regulations.
6. «integrity and confidentiality»: these are principles which recall security of processing, since appropriate technical and organisational measures must be implemented to ensure personal data security and their protection, so that unauthorised or unlawful processing and accidental loss, destruction or damage are mitigated.
In this framework there is the requirement of accountability: the controller shall be responsible for complying with these principles and be able to demonstrate – with written and updated documentation – that such principles are respected.