Read the book International Data Protection Laws - Amit Luhach - Page 10

3 Data Processing Principles

The principles relating to the processing of personal data require lawfulness, fairness and transparency; purpose limitation; data minimization; data accuracy; storage limitation; and integrity and confidentiality.1 These principles set the standards for controllers and processors. To comply with them, enterprises have to review the way they carry out personal data processing under the GDPR. In this context, enterprises have to analyse the lawfulness of their data processing, which requires knowing which IT systems process personal data, on what legal basis and in which way. Accordingly, enterprises need to examine their data processing in detail and create data processing documentation. Based on this, enterprises have to undertake a Data Processing Impact Assessment (DPIA) and determine Technical and Organizational Measures (TOMs) to safeguard the processing of personal data. We will look at the practical steps in Chapter 4, but first we need to understand the essence of the data processing principles which the GDPR imposes.

Lawfulness, Fairness and Transparency

The lawfulness of personal data processing requires either consent or some other legitimate basis.2 There are six legal grounds on which processing is lawful: consent of the data subject, the performance of a contract between data subject and controller, a legal obligation, vital interests, a task carried out in the public interest, and legitimate interests.3 Personal data processing should be carried out within the limits of applicable laws such as the GDPR and employment, tax, competition and health law. The most important legal justifications for data processing in commercial life are consent and/or performance of a contract. Neither anonymization nor pseudonymization leads to an exemption from the lawfulness principle.

The fairness principle regulates the controller–processor relationship. The controller has to notify the data subject about the processing of his personal data. Such processing should follow the principle of lawfulness and fairness, and the controller must demonstrate compliance.4

The transparency principle requires a controller to take appropriate measures to inform the data subject about personal data processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language.5 It covers the information provided to the data subject before personal data processing6 starts, the information available to him during such processing7 and the information received by the data subject using his right of access.8 The data subject, at the time of collection of personal data, must be given information about the specific purpose of the processing of his personal data in a clear and plain language, taking into account risks, rules, safeguards and rights concerning such processing.9

Purpose Limitation

This principle restricts the controller to collecting and processing only the personal data required to accomplish specified, explicit and legitimate purposes, unless further processing is for archiving purposes in the public interest, scientific or historical research or statistical purposes.10 In any case, however, the purposes of processing must be defined beforehand.

Data Minimization

This principle limits the controller to only collect and process such personal data which is adequate, relevant, limited and necessary to accomplish the purposes for which it is being processed.11 The concepts of necessity and proportionality are required for its practical application.12

Anonymization and Pseudonymization

Technical means like anonymization and pseudonymization are both important data minimization techniques that can be used to avoid or limit the applicability of the GDPR. The difference between them rests on whether the personal data can technically be re-identified. The prerequisites are, however, strict. The WP29 opinion on anonymization techniques notes that true anonymization requires a technically demanding process and that data controllers often fall short of it.13 Hence, anonymization should be assessed on a case-by-case basis, and the regular risk assessment should include the residual risk of re-identification:

Anonymization requires that the information provided cannot be related to an identified or identifiable natural person or to personal data, because it has been rendered anonymous in a manner that makes the data subject unidentifiable.14 The main anonymization techniques are randomization and generalization. The randomization technique alters the veracity of the data to remove the strong link between the data and the individual: if the data are sufficiently uncertain, they can no longer be referred to a specific individual. Examples of this technique are noise addition, permutation, differential privacy, etc. The generalization technique consists of generalizing or diluting the attributes of the data subjects by modifying the respective scale or order of magnitude (e.g. a month rather than a week, a region rather than a city). Examples include aggregation, k-anonymity and L-diversity/T-closeness. Anonymization puts the processing and storage of personal data beyond the scope of the GDPR, as anonymized data carries no risk to the rights and freedoms of natural persons.

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.15 Pseudonymization is not a method of anonymization. It only reduces the linkability of a data set with the original identity of a data subject and is accordingly a useful security measure. The most used pseudonymization techniques include encryption with a secret key, hash functions16, keyed-hash functions with the key stored, deterministic encryption or keyed-hash functions with deletion of the key, and tokenization.
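As an added illustration that is not part of the book, the following Python sketch applies the two ideas above to constructed sample records: generalization of the quasi-identifiers (exact birth date to year, city to region), checked by computing the smallest equivalence class k, and pseudonymization of the direct identifier with a keyed hash (HMAC-SHA256) whose key is held apart from the data set. The record values, the city-to-region table and all function names are assumptions made for this example.

```python
"""Added example (not from the book): generalization with a k-anonymity check,
and keyed-hash pseudonymization with the key held separately.
All records and lookup tables below are constructed sample data."""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample records: one direct identifier (email) plus quasi-identifiers.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "birth_date": "1984-03-12", "city": "Munich", "diagnosis": "A"},
    {"email": "bob@example.com", "birth_date": "1984-11-02", "city": "Augsburg", "diagnosis": "B"},
    {"email": "carol@example.com", "birth_date": "1990-07-23", "city": "Hamburg", "diagnosis": "A"},
    {"email": "dave@example.com", "birth_date": "1990-01-30", "city": "Kiel", "diagnosis": "C"},
]

# Constructed generalization hierarchy: city -> coarser region.
REGION: Dict[str, str] = {"Munich": "Bavaria", "Augsburg": "Bavaria", "Hamburg": "North", "Kiel": "North"}

QUASI_IDENTIFIERS: Tuple[str, ...] = ("birth_year", "region")


def generalize(record: Dict[str, str]) -> Dict[str, str]:
    """Dilute the quasi-identifiers: exact date -> year, city -> region."""
    return {
        "birth_year": record["birth_date"][:4],
        "region": REGION[record["city"]],
        "diagnosis": record["diagnosis"],
    }


def k_anonymity(records: List[Dict[str, str]], quasi: Tuple[str, ...] = QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class over the quasi-identifier columns.
    k == 1 means at least one individual is uniquely described by those columns."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier. Without `key` the pseudonym
    cannot be recomputed, which is why the key must be stored apart from the data."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with its keyed-hash pseudonym."""
    out = []
    for r in records:
        p = dict(r)
        p["pseudonym"] = pseudonymize(p.pop("email"), key)
        out.append(p)
    return out


def relink(pseudonym: str, known_identifiers: List[str], key: bytes) -> Optional[str]:
    """Re-identification by the key holder only: recompute the pseudonym for each
    known identifier and compare in constant time. Without the key this fails."""
    for identifier in known_identifiers:
        if hmac.compare_digest(pseudonymize(identifier, key), pseudonym):
            return identifier
    return None


if __name__ == "__main__":
    # Raw quasi-identifiers single out every person (k = 1).
    print("k before generalization:", k_anonymity(RECORDS, ("birth_date", "city")))
    generalized = [generalize(r) for r in RECORDS]
    # After generalization every (year, region) class holds two people (k = 2).
    print("k after generalization:", k_anonymity(generalized))

    key = secrets.token_bytes(32)  # kept in a separate store, never with the data set
    pseudo = pseudonymize_records(RECORDS, key)
    print("pseudonym of first record:", pseudo[0]["pseudonym"])
    print("re-linked by key holder:", relink(pseudo[0]["pseudonym"], [r["email"] for r in RECORDS], key))
```

The k value is the check a risk assessment would record: the raw columns give k = 1, the generalized ones k = 2, and a real data set would be generalized further until k meets the chosen threshold. The HMAC step shows why the book calls pseudonymization a security measure rather than anonymization: whoever holds the key can still relink the pseudonym to the identifier, so the data set remains personal data and the key's storage and access control are part of the technical and organizational measures.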

One important point to note here is that the above acts in themselves are considered processing of personal data, so there must be some legal basis for undertaking such anonymization or pseudonymization.

Data Accuracy

This principle mandates the controller to keep personal data accurate, up to date and erased or rectified without delay having regard to the purposes of the processing.17

Storage Limitation

Personal data must not be stored for a longer duration than is necessary for the purposes it is being processed for i.e., it must be deleted or anonymized as soon as it no longer serves such purposes unless processed solely for archiving purposes in the public interest, scientific or historical research or statistical purposes, subject to the implementation of appropriate technical and organizational measures.18

Integrity and Confidentiality

The principle of integrity and confidentiality mandates that personal data must be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organizational measures.19 Pseudonymisation20 may be used to protect personal data.

Accountability

The accountability for demonstrating compliance with the above principles lies with the controller.21
