This section presents the seven principles governing the processing of personal data and set out in article 5 of the GDPR: (1) lawfulness, fairness and transparency; (2) purpose limitation; (3) data minimisation; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality; (7) accountability.
Lawfulness, fairness and transparency
Processing is lawful if it is based on one of the legal grounds listed in art. 6 of the GDPR. The most prominent of these legal grounds is consent, but other grounds are also available, including legitimate interest.
Consent is "any freely given, specific (cf. below), informed and unambiguous indication of the data subject’s wishes by which he or she (...) signifies agreement to the processing". Consent can be express (i.e. by a written or oral statement, including by electronic means, where it is often signified by ticking a box) or implied (by an affirmative action). Silence or inaction (e.g. a pre-ticked box) cannot be interpreted as consent.
Consent can be withdrawn at any moment, but this withdrawal is not retroactive (i.e. it does not affect the lawfulness of the processing prior to the withdrawal).
For processing of data relating to minors under the age of 16, consent needs to be given or authorised by the holder of parental authority. Member States may lower this "age of consent", but not below 13 years of age.
When it comes to processing of sensitive data, consent must be explicit (i.e. no implied consent possible).
For more information about consent, consult these Guidelines.
Alternatively, processing can also be based on one of alternative grounds for lawfulness listed in art. 6 of the GDPR. From the point of view of research, the most important of these alternative grounds is art. 6 (1) (f) according to which processing is lawful if it is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject". It is therefore a "balance of interests" test: processing is lawful if the legitimate interests (personal, scientific or societal) pursued by the controller (or by a third party) outweigh those of the data subject in protecting his/her privacy. This must be evaluated on a case-by-case basis, taking into account such elements as the category of data that are being processed, the reasonable expectations of the data subject and the implemented safeguards (such as pseudonymisation). This ground for processing should only be subject to careful assessment.
For more information about legitimate interest, see these Guidelines.
There is no definition of "fairness" in the GDPR; it should therefore be interpreted as referring to the general concept of justice and equity. Processing is not fair if it is carried out in a way that might be misleading for the data subject, or — even despite his/her consent — be a threat to his/her privacy. This principle is meant to introduce some "common sense" in the strict framework of the GDPR.
According to the principle of transparency, the data subject should be provided with information about the processing, regardless of the legal ground upon which the processing is based and regardless whether the data were collected directly from him/her or obtained otherwise (e.g. via web crawling). The information should be provided in a form that is easily accessible and easy to understand, using clear and plain language (cf. recital 39 of the GDPR).
The information should include at least (see art. 13 and 14 of the GDPR for more details):
- who will control the processing of the data;
- for what purposes the data will be processed;
- if applicable, whom the data will be shared with (it is enough to specify a category of recipients, not necessarily the specific persons);
- whether the data will be transferred outside of the European Economic Area;
- for how long will the data be stored;
- the rights of data subjects.
Exceptions to the obligation to provide information are very few and should be interpreted strictly, but it is useful to know that one of these exceptions is when the data are not collected directly from the data subject, and the provision of the information is likely to render impossible or seriously impair the objectives of the processing.
For more information about transparency, see these Guidelines.
Personal data should be processed for "specified, explicit and legitimate purposes". In other words, the purpose of processing shall be specified before the processing starts and respected throughout the whole personal data lifecycle. Interestingly, the GDPR (recital 33) expressly states that "it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research". This does not mean, however, that when it comes to scientific research, a very broad definition of purposes suffices (e.g. "for language research"); already at the moment of collection, research should have a well-described purpose, which can later evolve.
Once the purpose of the processing is defined, it is prohibited to process data for a purpose that is incompatible with the initial one. A contrario, this means that the data may be processed for a new, different purpose, if this new purpose is compatible with the initial one. By way of exception, the GDPR specifically states that scientific research is always to be regarded as a compatible purpose — this means that data lawfully collected for any purpose (e.g. statistics or bookkeeping) can be re-used for scientific research purposes, provided that all the remaining data protection principles are respected.
For more information about this mechanism, known as "purpose extension", see these Guidelines.
According to the principle of data minimisation, personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". This means that data that are not necessary to achieve the intended purpose cannot be lawfully collected, stored or otherwise processed. This principle is therefore largely incompatible with data-intensive operations performed on personal data, where every piece of data is valuable, but none (or very few) are really necessary to achieve the intended purpose.
Unfortunately, there are no exceptions to this principle, which obliges researchers to be able to explain the relevance of the collected data for their research project.
Personal data shall also be "accurate and, where necessary, kept up to date". This principle is closely related to data subjects’ rights of access and rectification. It is also compatible with ethical norms and best practices recognized by the research community.
According to the principle of storage limitation personal data shall be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed". There is a plethora of country- and sector-specific rules on "data retention", i.e. how long a particular type of personal data can be stored for a particular purpose (for example, contracts may often be stored (in non-anonymised form) for five years after their termination).
When the data are used exclusively for scientific research purposes and appropriate measures are implemented (e.g. an authentication procedure), personal data can (at least according to the GDPR, as national laws may be more strict) be archived for longer periods of time.
Integrity and confidentiality
Personal data should also be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". Such security measures are always necessary whenever personal data are being processed; moreover, in certain specific cases, a higher standard may apply. It shall also be noted that ensuring integrity of research data is also a requirement of research ethics and deontology.
The accountability principle is a new and important addition in the GDPR. According to art. 5(2) of the GDPR, the controller shall be responsible and able to demonstrate compliance with all the principles of the GDPR. In other words, the burden of proof is always on the controller: it is not for the data subject to prove that the principles of the GDPR are infringed, but for the controller to prove that they are respected.