Article 5 of the GDPR requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Article 5(2) requires that
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
These are known as data protection principles:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights related to automated decision making and profiling
- The right to be informed
This right encompasses the obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasizes the need for transparency over how the personal data is used.
The information about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
- The right of access
Under the GDPR, individuals will have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).
The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing (Recital 63).
- The right to be rectified
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
If the personal data was disclosed to third parties, third parties must be informed about the rectification where possible.
The response must be given within one month.
This can be extended by two months where the request for rectification is complex.
- The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
A request for erasure where the personal data is processed may be refused for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research historical research or statistical purposes; or
- the exercise or defense of legal claims.
There are extra requirements when the request for erasure relates to children’s personal data, reflecting the GDPR emphasis on the enhanced protection of such information, especially in online environments.
- The right to restrict processing
Individuals have a right to ‘block’ or suppress processing of personal data.
When processing is restricted, it is permitted to store the personal data, but not further to process it. It is possible to retain just enough information about the individual to ensure that the restriction is respected in future.
It is required to restrict the processing of personal data in specific circumstances.
The individuals must be informed in the event of lifting a restriction on processing.
- The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and •when processing is carried out by automated means.
- The right to object
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
The individuals must be informed of their right to object “at the point of first communication” (in privacy notice).
It is prohibit to process personal data for direct marketing purposes as soon as an objection is received. There are no exemptions or grounds to refuse.
Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.
- Rights related to automated decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Individuals have the right not to be subject to a decision when:
- it is based on automated processing; and
- it produces a legal effect or a similarly significant effect on the individual.
It must be ensured that individuals are able to:
- obtain human intervention;
- express their point of view; and
- obtain an explanation of the decision and challenge it.
The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyses or predict specific human values.
With special permission of Jessica Carolina Lam, author of Data Protection and Privacy Blog at lawinfographic.com, the data protection principles and principles for the processing of personal data may be presented in following infographics. (Thanks Jessica)