Rina Steenkamp - Privacy and technology
Chapter II Principles
Article 5 Principles relating to personal data processing
October 2013
Article 5
Personal data shall be:
[Lawfulness, fairness and transparency]
- (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency);
[Purpose limitation]
- (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation);
[Data minimisation]
- (c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data (data minimisation);
[Accuracy]
- (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy).
[Storage minimisation]
- (e) kept in a form which permits direct or indirect identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research or for archive purposes in accordance with the rules and conditions of Articles 83 and 83a and if a periodic review is carried out to assess the necessity to continue the storage, and if appropriate technical and organizational measures are put in place to limit access to the data only for these purposes (storage minimisation);
[Effectiveness]
- (ea) processed in a way that effectively allows the data subject to exercise his or her rights (effectiveness);
[Integrity]
- (eb) processed in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity);
[Accountability]
- (f) processed under the responsibility and liability of the controller, who shall ensure and be able to demonstrate the compliance with the provisions of this Regulation (accountability).
[Source: October 2013]
Recital 30
(30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
[Source: October 2013 | Notes: Recitals | Context: Recitals]
January 2012
Explanatory memorandum
3.4. Detailed explanation of the proposal
Article 5 sets out the principles relating to personal data processing, which correspond to those in Article 6 of Directive 95/46/EC. Additional new elements are in particular the transparency principle, the clarification of the data minimisation principle and the establishment of a comprehensive responsibility and liability of the controller.
[Source: January 2012 | Context: Proposal from the European Commission]
Article 5 [Amended: October 2013]
Personal data must be:
[Lawfulness, fairness and transparency]
- (a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
[Purpose limitation]
- (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
[Data minimisation]
- (c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
[Accuracy] [Amended: October 2013]
- (d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
[Storage minimisation] [Amended: October 2013]
- (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;
[Accountability] [Amended: October 2013]
- (f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.
[Source: January 2012 | Context: Proposal from the European Commission]
Recital 30
(30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]
Directive 95/46/EC
Chapter II General rules on the lawfulness of the processing of personal data
Section I Principles relating to data quality
Article 6
Article 6(1)
1. Member States shall provide that personal data must be:
- (a) processed fairly and lawfully;
- (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. [...];
- (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
- (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
- (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
Article 6(2)
2. It shall be for the controller to ensure that paragraph 1 is complied with.
[Context: Article 6 Directive 95/46/EC]
Menu |
My annotated General Data Protection Regulation |
Chapter II |
Previous |
Next |
Additional information | Meta |
Contact |
Nederlands
