For processing of personal data to be lawful, Controllers must comply with the principles of data protection in that they must process with:
- Lawfulness, fairness and transparency meaning:
  - lawful – in accordance with the lawful bases as set out in Articles 6 – 10
  - fair – in the reasonable expectation of the individual
  - transparency – providing information in clear language, identifying the controller, the nature and purpose of the processing and how to exercise rights and freedoms
- Purpose limitation meaning:
  - only collect personal data for specified, explicit and legitimate purposes
  - no processing of personal data in a manner incompatible with purposes for which it was collected
- Data minimisation meaning personal data collected for the identified purpose should be:
  - adequate
  - relevant
  - limited to what is necessary
- Accuracy meaning personal data must be:
  - accurate and kept up to date
  - corrected or deleted without delay when inaccurate
- Storage limitation meaning that personal data should be kept in an identifiable format only for as long as necessary for the purposes for which it was originally collected
- Integrity and Confidentiality meaning that the business or organisation must apply appropriate technical and [BIT OF TEXT MISSING FROM JANE’S SPREADSHEET]
References:
- Article 5(1) to 10 and Recital (39) of the GDPR
- Articles 13 and 14 of the GDPR
- Article 29 Working Party Opinion on Transparency ((EU) 2016/679) revised in April 2018 https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025
- Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203)
Cases:
Expectation of privacy:
- ZXC v Bloomberg LLP [2020] EWCA Civ 611 paragraphs 82 and 84
- Axel Springer v Germany [2012] EMLR 15

ICO guidance on principles of data protection with links to further guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/