Basic Principles of Data Processing
When processing personal data, the following principles must be respected:
lawfulness, fairness and transparency
purpose limitation
data minimisation
accuracy
storage limitation
integrity and confidentiality
accountability
Lawfulness, fairness and transparency
The controller shall process personal data lawfully, observe diligence and good data processing practices, as well as otherwise act to ensure that the data subject’s private life and fundamental right to privacy are not restricted without a legal basis. The same obligation applies to a person acting as an independent business operator on behalf of the controller.
How the personal data is collected and processed must be clear and transparent to the data subjects. Information and communication regarding the processing must be easily accessible and understandable and must be worded in a clear and simple language.
The personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed. In particular, the period for which the data is kept in a form that identifies the data subject must be as short as possible.
Personal data may be collected for specified, explicit and legitimate purposes. The purpose must be unambiguously and lawfully defined and communicated in connection with collecting the data.
Further processing that is incompatible with the original purposes may not be performed by the controller. Data may later be used in contexts other than those initially defined only if this is necessary due to changed circumstances and the modified purpose does not differ significantly from the original one. In general, using previously collected personal data for an altered purpose requires a new consent from the data subject.
Personal data that is collected and processed must be adequate and relevant, and limited to what is necessary to fulfil the purpose. Furthermore, the controller must always aim to keep the amount of data collected to a minimum.
The personal data must be accurate and updated. The controller shall take all reasonable measures to ensure that incorrect personal data is erased or rectified without delay.
Personal data that is no longer necessary for the activities of the controller must be erased, unless a legal obligation, e.g. under the Accounting Act, requires it to be retained. How erasure will be carried out in practice must also be planned and documented in advance.
Integrity and confidentiality
When personal data is processed, appropriate technical and organizational measures must be taken to ensure that the data is adequately protected: against unauthorized access and unlawful processing, and also against accidental loss, destruction or damage.
The controller is responsible for, and must be able to demonstrate, compliance with the principles laid down in the GDPR at all stages of its processing activities. It is up to the controller to interpret the principles in practice and to decide how to put them into effect within its own operations. To demonstrate compliance, the controller must plan and document its handling of personal data in detail. The GDPR's accountability requirements vary with the size of the organization and the extent to which it processes personal data; they include, for instance, the obligation to maintain a record of processing activities, as well as other information practices.