
Exploring the GDPR Principles


by Ito Onojeghuo | LLM, FIP, CIPM, CIPP/E


Article 5 of the General Data Protection Regulation (GDPR) sets out the principles that lie at the heart of the regulation and govern the lawful processing of personal data. ‘Processing’ means anything done to, or with, personal data, including simply collecting, storing, sharing, viewing or deleting it, so the GDPR is likely to apply wherever an organisation does anything that involves or affects personal data.

 

The principles should inform every step an organisation takes towards compliance with the regulation.

 

During this 2023 Privacy Week, we will explore each of the GDPR principles daily, and provide examples of how they should fit within an organisation’s GDPR compliance practices.

 

The principles are set out below; re-familiarise yourself with them before reviewing the enforcement examples that follow each one.

#1 – PRINCIPLE OF LAWFULNESS, FAIRNESS & TRANSPARENCY

 

LAWFULNESS

Processing of personal data is lawful only if, and to the extent that, at least one of the six lawful bases in Article 6(1) of the GDPR applies:

  1. Consent: the data subject has given consent to the processing of their personal data for one or more specific purposes.
  2. Contract: the processing is necessary to perform a contract with the data subject, or to take steps at the data subject’s request before entering into a contract.
  3. Legal obligation: the processing is necessary to comply with a legal obligation to which you are subject.
  4. Vital interests: the processing is necessary to protect the vital interests of the data subject or of another natural person.
  5. Public task: the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in you.
  6. Legitimate interests: the processing is necessary for your legitimate interests (or those of a third party), except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Note that the legitimate interests basis is not available to public authorities for processing carried out in the performance of their tasks (Article 6(1), final sentence). Identify and document the basis before processing begins: the basis relied on determines which data subject rights apply, and changing basis after the fact is difficult to justify.

 

No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and your relationship with the individual.

 

FAIRNESS

In general, fairness means that personal data should be handled in ways that data subjects would reasonably expect and data should not be used in ways that have unjustified adverse effects on the data subjects.

 

This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. In other words, users wouldn’t be surprised if they knew how you were using their data.

 

Processing of personal data must always be fair as well as lawful. If any aspect of your processing is unfair you will be in breach of this principle – even if you can show that you have a lawful basis for the processing.

 

TRANSPARENCY

The requirement to process personal data fairly and lawfully goes beyond having a lawful basis. It includes the transparency obligation to tell data subjects what their personal data will be used for. Transparency means informing data subjects about how their data is collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed.

 

Transparency is inherently linked to the data subject’s ‘right to be informed’ (Articles 12 to 14). Article 12 requires that any information and communication relating to the processing of personal data be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language; Articles 13 and 14 specify what must be provided when data are collected from the data subject and when they are obtained from another source.

 

PENALTIES


 

Google was fined 50 million euros by the French supervisory authority (CNIL) in 2019 for a breach of the GDPR. CNIL levied the fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.

 

That lack of clarity meant that users were effectively unable to exercise their right to opt out of data-processing for personalisation of ads. Additionally, CNIL found that even when user consent was collected, it did not meet the standards under GDPR that such consent be “specific” and “unambiguous”, since users were not asked specifically to opt in to ad targeting, but were asked simply to agree to Google’s terms and privacy policy collectively.


#2 – PRINCIPLE OF PURPOSE LIMITATION

 

Personal data should only be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes (Article 5(1)(b)). The specific purposes for which personal data are processed should be explicit and legitimate and determined at the time the personal data are collected. Purpose limitation is distinct from, but works together with, data minimisation: the purpose fixes what you may do with the data, and data minimisation then limits what you collect to what that purpose requires.

 

However, Article 5(1)(b) also provides that further processing for the following purposes shall, in accordance with Article 89(1) and subject to the safeguards it requires, not be considered incompatible with the initial purposes:

  • archiving purposes in the public interest,
  • scientific or historical research purposes, or
  • statistical purposes.

 

The GDPR does not totally ban the use of data for other purposes, not specified, but there are restrictions.

 

For example, if your purposes change over time, or you want to use data for a new purpose which you did not originally anticipate, you may go ahead if:

  • the new purpose is compatible with the original purpose;
  • you obtain the individual’s specific consent for the new purpose; or
  • there is a clear legal provision requiring or allowing the new processing in the public interest – for example, a new function for a public authority.

 

All processing must also be ‘lawful’, so you still need a lawful basis appropriate to the new processing. The basis you originally relied on to collect the data will not always be appropriate for your new use of that data.

 

You need to make sure that you update your privacy notices to ensure that your processing is ‘transparent’.

 

It is important to regularly review your processing, documentation and privacy information to avoid non-compliance as a result of ‘function creep’ – ensure your purposes have not evolved over time beyond those you originally specified.

 

PENALTIES


 

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a fine of 525,000 euros on the Royal Dutch Lawn Tennis Association (KNLTB) for violating the GDPR principle of purpose limitation. The DPA found that the association had unlawfully shared the personal data of its members with two sponsors, who used it for tennis-related and unrelated promotions.


#3 – PRINCIPLE OF DATA MINIMISATION

 

‘Data minimisation’ means that you should collect and process only the personal data you actually need for the purposes you have specified, and should not hold or further use data beyond that. Under Article 5(1)(c) of the GDPR, personal data must be:

  • adequate;
  • relevant; and
  • limited to what is necessary for the purposes for which they are processed.

In practice, data minimisation requires limiting the collection and processing of personal data to what is directly relevant and necessary to accomplish a specified purpose. Recital 39 adds that this requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum (see also the principle of ‘storage limitation’ below). A practical check is to ask, for each data field collected, which stated purpose would fail without it; if none would, the field should not be collected.

 

In essence, choose Quality over Quantity!

 

 

PENALTIES


 

Airbnb was issued with a reprimand by the Irish Data Protection Commission (DPC) and was ordered to revise its internal policies and procedures for handling erasure requests, so that individuals are no longer required to provide a copy of photographic ID when making erasure requests unless Airbnb can demonstrate a valid legal basis for doing so. Airbnb’s requirement that a data subject verify their identity by submitting a copy of their photographic ID constituted an infringement of the principle of data minimisation. The infringement occurred in circumstances where less data-driven and less intrusive means of verifying identity were available to Airbnb. In essence, the legitimate interest pursued by Airbnb did not constitute a valid lawful basis under Article 6 of the GDPR for seeking a copy of the complainant’s photographic ID in order to process their erasure request. The practical lesson is that identity verification for a rights request should be proportionate to the risk: where the request comes through an authenticated account, re-using that authentication will usually suffice.

 

The DPC’s draft decision was submitted to the GDPR Article 60 cooperation mechanism and no objections were raised by the other concerned supervisory authorities.


#4 – PRINCIPLE OF ACCURACY

Under Article 5(1)(d), personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

#5 – PRINCIPLE OF STORAGE LIMITATION

Under Article 5(1)(e), personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed. Data may be stored for longer periods only insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the appropriate technical and organisational safeguards that the regulation requires.

#6 – PRINCIPLE OF INTEGRITY AND CONFIDENTIALITY (SECURITY)

Under Article 5(1)(f), personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Article 32 sets out what ‘appropriate’ means in practice (see the Interserve penalty below).

#7 – PRINCIPLE OF ACCOUNTABILITY

Under Article 5(2), the controller is responsible for, and must be able to demonstrate, compliance with the principles in Article 5(1). Demonstrating compliance means keeping evidence: records of processing, documented lawful bases, data protection impact assessments where required, and the policies and procedures that put the principles into practice.

Penalties for non-compliance with the GDPR Principles

 

The EU General Data Protection Regulation (GDPR) is among the world’s most stringent data protection laws and is designed to apply to all types of businesses, from small businesses to multinationals.

 

Article 83 of the GDPR sets out a two-tier penalty structure that scales with the organisation. Any organisation that is not GDPR compliant, regardless of its size, faces a significant liability. Data protection authorities can impose administrative fines of:

  • up to €20 million (£17.5 million under the UK GDPR), or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)); or
  • up to €10 million (£8.7 million under the UK GDPR), or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4)).

Infringement of the basic principles for processing in Article 5 falls under the higher tier (Article 83(5)(a)).

 

The enforcement examples given under each principle above, and the Interserve penalty below, are drawn from the last four years. Consider how you can avoid being fined for similar violations of the GDPR principles.

 

 


Principle of Integrity and Confidentiality (Security)


 

Interserve Group Limited (“Interserve”) was penalised by the UK supervisory authority, the Information Commissioner’s Office (ICO), in 2022. The penalty of £4,400,000 was issued for contraventions of the GDPR principle of integrity and confidentiality in Article 5(1)(f).

Between 18 March 2019 and 1 December 2020 Interserve failed to process personal data in a manner that ensured appropriate security of the personal data, using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR. This left Interserve vulnerable to a cyber-attack which took place between 30 March 2020 and 2 May 2020 and affected the personal data of up to 113,000 employees of Interserve.

Article 32 is the operative test for this principle. Measures must be appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, and the regulation expressly names: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore availability and access to personal data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures. A penalty under this principle therefore turns on whether such measures existed and were maintained over the period in question, which is why the ICO’s finding covers a period of more than 18 months rather than the weeks of the attack itself.