Visit fondia.com
The content concerns Finnish legislation.
 

Basic Principles of Data Processing

When processing personal data, the following principles must be respected:

  • lawfulness, fairness and transparency

  • purpose limitation

  • data minimisation

  • accuracy

  • storage limitation

  • integrity and confidentiality

  • integrity and confidentiality

  • accountability

Lawfulness, fairness and transparency

The controller shall process personal data lawfully, observe diligence and good data processing practices, as well as otherwise act to ensure that the data subject’s private life and fundamental right to privacy are not restricted without a legal basis. The same obligation applies to a person acting as an independent business operator on behalf of the controller.

How the personal data is collected and processed must be clear and transparent to the data subjects. Information and communication regarding the processing must be easily accessible and understandable. The information must be worded in a clear and simple language, especially if the data subjects are children or other groups of vulnerable individuals.

The personal data must be adequate, relevant and restricted to what is necessary for the purposes for which it is processed. This especially requires that the storage time for the data is as limited as possible.

Purpose limitation

Personal data may be collected for specified, explicit and legitimate purposes. The purpose must be unambiguously and lawfully defined and communicated in connection with collecting the data.

Further processing, which is incompatible with the original purposes, may not be performed by the controller. The data may at a later stage be used in other contexts than the ones initially defined only if it is necessary due to changed circumstances, and if the modified purpose does not differ significantly from the original purpose. In general, the use of earlier collected personal data for altered purposes requires a new consent of the data subject.

Data minimisation

Personal data that is collected and processed is to be adequate and relevant, as well as limited to what is necessary to fulfil the purpose of use. Furthermore, the collector shall always strive to limit the amount and use of data collected, for example, by limiting access.

Accuracy

The personal data must be accurate and updated. The controller shall take all reasonable measures to ensure that incorrect personal data is erased or rectified without delay.  

Storage limitation

Personal data that is no longer necessary for the activities of the controller must be erased, unless the storage of data is justified by legal obligations, e.g. due to the Accounting Act. The process of erasure of personal data must also be planned and described.   

Integrity and confidentiality

When personal data is being processed, appropriate measures must be taken to ensure that the data is well protected. The data must be protected from unauthorized and unlawful processing, and against accidental loss, destruction or damage, using appropriate technical or organizational actions.

Accountability

The controller is responsible for ensuring that the principles of the GDPR are complied with at all stages of their processing activities. The controller must be able to demonstrate compliance with the principles. It is up to the controller to interpret the principles in practice and to evaluate how to put them into effect within its own operations. To demonstrate compliance with the principles, the controller must conduct more detailed planning and documentation in relation to its processing of personal data. The GDPR entails requirements regarding accountability, which vary depending on the size of an organization and to what extent personal data is processed. Such requirements are for instance the obligation to maintain a record of processing activities, as well as other information practices concerning the processing of personal data.