GDPR Principles is the second glossary in the General Data Protection Regulation (GDPR) series. GDPR aims to bring data protection into the 21st century, and it is easy to get caught up in what needs to be done to be GDPR compliant. What blog posts less frequently elaborate on are the reasons for introducing the GDPR principles. In my experience, I have found it easier to understand the practical implications of GDPR after breaking down the EU’s theoretical reasons for introducing the regulation.
Accountability Principle: The data controller is responsible for compliance with the data protection regulations and must also be able to demonstrate the steps the business takes to ensure compliance.
Accuracy Principle: Personal data must be accurate and kept up to date, and every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay.
Fairness Principle: Fairness is achieved when the Data Controller has put in place working procedures that allow the Data Subject to exercise the following rights effectively:
- Right of access to the data (to know what data is held about the individual).
- Right to rectification of the data.
- Right to erasure of the data (to be forgotten).
- Right to restriction of processing.
- Right to data portability (to receive personal data in a structured, commonly used and machine-readable format and to transmit that data to another controller).
- Right to object to the processing of personal data, including profiling.
- Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on or similarly significantly affects the individual.
GDPR Principles: All the fundamental principles in the GDPR are further “translated” into detailed rights for the individual and corresponding obligations for the organisation. Additionally, all the principles are reinforced by the overarching Accountability principle.
Storage Limitation Principle: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the processing purposes. Data may be stored for longer periods only for archiving purposes in the public interest, or for scientific, historical or statistical research purposes.
Transparency Principle: Any information the data controller gives to the data subject about its data processing practices must be concise, transparent, intelligible and in an easily accessible form, and must be provided in writing at the latest within one month. The data controller can only refuse if it can demonstrate that it is not able to identify the data subject. If the data controller does not take action on a request, it must inform the data subject, at the latest within a month, of the reasons for not taking action, of the possibility of lodging a complaint with a supervisory authority, and of the possibility of seeking a judicial remedy. Information shall be provided free of charge, unless the requests are unfounded, excessive or repetitive, in which case the controller may charge an administrative fee but bears the burden of proving the unfounded or excessive character of the request.
This glossary has aimed to break down the theoretical reasons behind the implementation of the GDPR principles. I hope this will help with the third and fourth glossaries of the series. Please feel free to suggest terms which you think should be added to this glossary in the comments section below.
If you would like to continue reading the GDPR glossaries, please read the third part of the series, ‘What GDPR Strictly Protects’.