多语言
  • Index
  • News
  • Information Details
  • JAVY Insight | GDPR for cross-border data compliance (II) - basic principles of data protection

    Release Time:2022-08-02

    嘉律师.gif


    Article 5 of gdpr stipulates the basic principles that data controllers should follow in the process of data processing. These principles are: legitimacy, fairness and transparency, purpose restriction, data minimization, data accuracy, storage restriction, honesty and confidentiality.


    01. Principles of legality, fairness and transparency

    According to gdpr, personal data of relevant data subjects will be processed legally and fairly in a transparent manner. In other words, personal data must be processed in the presence of legal basis, and the degree of processing is to process individuals who collect and use personal data in a fair and transparent manner.


    1659512536965.jpg

    (the picture is quoted from the network)


    ❐ (1) legitimacy

    Legitimacy means that personal data can be processed only when the data controller has the legal basis for processing data. In order for data processing to be legal, it must comply with all possible applicable laws in specific circumstances. According to gdpr, the processing of personal data is considered legal only if one of the following legal reasons is met:


    1. Consent: the data subject has agreed to process his personal data for one or more specific purposes;


    2. Contract performance: data processing is a necessary condition for the execution of the contract (the data subject is one of the parties to the contract), or a step taken at the request of the data subject before signing the contract;


    3. Legal obligations: data processing is necessary for the data controller to perform legal obligations;


    4. Personal vital interests: data processing is necessary to protect the vital interests of data subjects or other natural persons;


    5. Public interest: data processing is necessary in order to maintain tasks performed for the public interest or exercise the power granted to the controller;


    6. Legitimate interests: data processing is necessary for the legitimate interests pursued by the controller or a third party, unless these interests conflict with the interests and basic rights and freedoms of the data subject, and personal data needs to be protected first, especially when the data subject is a minor. And this legitimate interest reason cannot be used for public power to exercise public affairs.

    In order to seek coordination within the European Union (EU), gdpr stipulates a high level of protection of individual rights and freedoms, and achieves certain minimum data protection requirements in Member States by stipulating the above legal standards. However, Member States still maintain certain rights to introduce or preserve domestic legislation to further specify the implementation of laws in certain cases, as long as their legislative spirit is consistent with gdpr. The detailed discussion on legitimacy will be introduced in the following article.


    ❐ (2) fairness

    In addition to legality, the processing of personal data must be fair. The fairness of processing essentially includes: data subjects must understand the fact that their personal data will be processed, including how the data will be collected, preserved and used, so that they can make an informed decision on whether to agree to processing, and enable them to exercise their data protection rights. However, in some cases, processing is automatically permitted by law, so data processing in this case is considered fair, regardless of the cognition or preference of the data subject.

    In addition, fairness also needs to evaluate how data processing will affect data subjects. If data processing has a negative impact on individuals, and the damage is unfair, then such data processing will be unfair. For example, when users browse the travel agency website, the travel agency may collect and process behavior data. Travel companies use cookies or other tracking techniques to analyze users' preferences when searching for tickets and hotels. If the system is programmed to automatically make a price decision for a specific holiday, and detects that the same person visits the website many times to search for information about a specific destination, it will be considered unfair to increase the price according to this information.

    In conclusion, ensuring fair treatment requires the data controller to consider all the circumstances of the case and maintain transparency by providing reliable information and implementing appropriate mechanisms. This mechanism allows individuals to make informed decisions and exercise their choices and rights, unless there is other legitimate basis for data processing.


    ❐ (3) transparency

    The principle of transparency directly related to fairness means that the data controller must be open and transparent to the data subject when processing personal data. Gdpr encourages data subjects to be informed of how their personal data is processed, and how much information is considered sufficient will depend on the specific situation. In this regard, gdpr stipulates the minimum information requirements that data controllers should provide to data subjects. (gdpr Articles 13 and 14)

    When the data is obtained directly from the data subject and the data subject already knows the information, the regulation exempts the data controller from the notification responsibility. In addition, gdpr exempts the data controller from the obligation to provide information when personal data is collected from other sources in the following cases (gdpr 14 (5) (a)):

    1. The cost of providing information to data subjects is too high or almost impossible

    2. When the law clearly stipulates that information disclosure needs to be restricted due to the protection of the legitimate interests of data subjects

    3. When there is a legal requirement that the data controller must keep the information confidential

    Transparency also requires the timely provision of information to data subjects. When personal data is obtained directly from the data subject, relevant information must be provided at the time of collection. However, when personal data is obtained from other sources, the regulation specifies different time periods for providing such information (gdpr 14 (3))

    In addition, gdpr also requires that the information be clear, concise and easy to understand, and be provided to the data subject in an accessible manner. (gdpr 12) the detailed discussion on transparency will be introduced in the following chapters.


    02. Purpose limitation principle


    Purpose restriction means that the data controller must only collect and process personal data to achieve the specified, clear and legitimate purposes, and cannot process personal data beyond these purposes, unless further processing is considered to be compatible with the purpose for which the personal data was originally collected. Therefore, the data controller must first determine the specific purpose for which personal data will be processed. Such purposes will become boundaries within which personal data will be collected and used. For secondary processing, only when such processing is considered compatible with the original purpose of collecting personal data can it be carried out legally. The use of personal data for statistical purposes, public interest, scientific or historical research purposes will be considered compatible as long as these processes occur within the limits prescribed by the laws of the European Union or the member states that regulate specific processes.

    In order to help the controller evaluate whether the secondary use of data is compatible with the original purpose, the regulation stipulates: "... The controller has met all the requirements of the legitimacy of the original processing, and the following factors should be considered (gdpr recital 50):

    1. The relevance between these purposes and the intended purpose of further processing

    2. The collection of personal data, especially the relationship between the reasonable expectations of the data subject for its further use based on its relationship with the controller

    3. Properties of personal data

    4. Possible consequences of further data processing

    5. Are there appropriate safeguards in the initial and planned further data processing

    When all the above conditions are met and the processing is considered compatible with the original purpose, there is no need for a legal basis other than the legal basis that allows the original collection and use of personal data. However, when processing is considered incompatible, a separate legal basis will be required (for example, the consent of the data subject must be obtained before processing personal data for new purposes).


    03. Data minimization principle

    The principle of data minimization means that the data controller must only collect and process relevant, necessary and sufficient personal data to complete the purpose of its processing (gdpr 6 (c)). Data minimization means that the data controller should limit the collection of personal information to the scope directly related to and necessary to achieve a specific purpose.


    ❐ (1) necessity

    The data controller must assess whether the collected personal data is necessary to achieve a specific purpose. In data minimization evaluation, the first step is to evaluate whether anonymous data can be used to accomplish specific purposes. The data controller must evaluate whether the purpose can be achieved by processing anonymous data with all unique identifiers removed. In addition, if the purpose of data processing can be achieved by excluding some data from processing, then these exhaustable data will be redundant compared with the purpose, so it is unnecessary.


    ❐ (2) equilibrium

    The data controller should also consider the amount of data collected. For example, if a large amount of data is collected, but these data are excessive compared with the data processing objectives of the data controller, and there are no restrictions, then these personal data will be considered disproportionate. Therefore, the data collection method of "save everything" may be considered as a violation of the principle of data minimization. (GDPR Recital 64)


    In order to assess the balance, the data controller must consider the potential adverse effects of the processing means and verify whether there are other processing means that may lead to less intrusive processing, or whether there are alternative means with less adverse consequences related to the privacy of the data subject. (gdpr recital 39) an example of excessive or disproportionate means may include the use of biometric data (E. G., fingerprints) to identify individuals, in which case alternative and less intrusive means can be used to achieve the same purpose (E. G., identity cards).


    04. Data accuracy principle

    The data controller must take reasonable measures to ensure the accuracy of the data and keep the data updated when necessary. The data controller needs to take measures to ensure the accuracy of data in the process of data collection, and ensure that personal data is not distorted in the subsequent processing of data. During the collection process, if the data controller does not correctly verify the authenticity of the information, personal data may be inaccurate. Data controllers must assess the reliability of the sources of information collected and pay special attention when potential inaccuracies may adversely affect individuals. The accuracy principle also requires that records of error correction be kept.


    05. Storage restrictive principle

    Storage limit means that the storage time of personal data shall not exceed the time required for the purpose of processing personal data. In other words, once the information no longer needs to be processed, personal data must be safely deleted. (gdpr 5 (1) (E)) therefore, the data controller must evaluate whether personal data is used for one purpose or several purposes, and limit the processing to the period during which personal data is required to complete a specific purpose. For example, personal data may need to be processed during the recruitment process and during the employment relationship. Once the recruitment process is completed, the employer can no longer retain the personal data of job seekers who have not passed the recruitment.


    The data controller must verify whether there is a statutory data retention period related to the type of processing in the applicable law (for example, personal data may need to be saved in order to comply with tax, health and safety or employment regulations). When the law does not specify, the retention period of internal data must be set to meet the storage restriction principle. Personal data may be stored for a long time only when the processing of personal data is only for the purpose of archiving for public interest, scientific, historical research or statistical purposes. Otherwise, only when the data becomes irreversible anonymous data, the data controller can retain personal data without time limit.


    06. Principle of security and confidentiality

    The principle of security and confidentiality means that the security of personal data must be ensured in the processing of personal data, including the use of appropriate technical or organizational measures to prevent unauthorized access or illegal processing, as well as accidental loss, destruction or damage. Gdpr recommends that the data controller use methods such as Pseudonymization or encryption to ensure data security (gdpr 5 (1) (f), 89 (1), recap 28). And when dealing with sensitive personal data, we need to strengthen the protection.


    (to be continued)


    JAVY Law Firm’s Official Website Suggestion Box
    Dear Netizens,Nice to see you!:
    Welcome to the official website of JAVY Law Firm. In order to continuously improve the quality of the website and the service quality of all colleagues in JAVY Law Firm,your suggestions and comments on any aspect of our firm can be put forward here, and we will listen to you carefully. Looking forward to your valuable suggestions in your busy schedule. Your information or idea is only for research and will never be made public. Please feel free to answer.
    *Name:
    *Cellphone:
    1. Where did you get the information about JAVY Law Firm?
    2. Does the content of this website meet your needs? Are there any other suggestions?
    3. What do you think of the environment of JAVY Law Firm? Are there any other suggestions?
    4. Do you think JAVY Law Firm has convenient transportation? Are there any other suggestions?
    5. Does the current business scope of JAVY Law Firm meet your needs? Do you have any other better suggestions?
    6. How about the lawyer's services that contact you? Are there any areas for improvement?
    7. Do you think if there are any shortcomings of JAVY Law Firm? What are the specific suggestions and expectations?