5. Principles relating to personal data processing

19/12/2016 by Andreas Schindler


CHAPTER II Principles

5. Principles relating to personal data processing

Personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Recitals

Recital 39

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

FAQs regarding this GDPR Article:

  • What is the GDPR anyway and which companies does it affect?
  • May I continue to maintain my acquisition database?

GDPR Fines based on this article

Title | GDPR Country | Number of involved data records | GDPR Fine
Unauthorized recording on toilet facilityGermanyunknown25,000 €
Recording dashcam in road trafficGermanyunknown0 €
Improper disposal of customer data and unlawful video surveillanceGermanyunknown6,500 €
Health data of a kindergarten teacherAustria1600 €
Processing of sensitive data of prospective tenants without legal basisGermany95001,900,000 €
972,191 files encrypted after ransomware attackUnited Kingdom972191117,295 €
Inappropriate use of contact tracing listsGermanyunknown170 €
Audio and video surveillance of employees, storage for too long, inadequate security measuresGermanyunknown16,000 €
POLAS query on an online seller for private purposesGermany1400 €
Queries from police information systems on colleaguesGermany1500 €
Use of the EWO system to determine the address of the ex-partnerGermany1600 €
Queries from police systems on persons in the family environmentGermanyunknown1,800 €
unencrypted dataItalyunknown40,000 €
Storage period exceededFranceseveral million1,750,000 €
unlawful submissions to general practitionersItaly48120,000 €
Too detailed video surveillanceLuxembourgunknown12,500 €
E-mail data freely accessibleGreat Britain55029,183 €
Transfer of customer data despite objectionGermanyunknown12,500 €
dentist refuses examinationItaly120,000 €
Making video recordings of young women and girls without legal basisGermanyunknown5,000 €
Data protection penalty against Vfb StuttgartGermany70000300,000 €
Transfer of an employee’s health data to over 3,000 customers without a legal basisGermany110,110 €
Penalty on computer mail orderGermanyunknown10,400,000 €
Fine against Italian municipalityItaly14,000 €
Ticketmaster UK Limited – hacker attackGreat Britain94000001,392,525 €
GDPR fine after Facebook postingAustriaunknown600 €
Allseas MARINE S.A. – 15,000 euro fineGreeceunknown15,000 €
Eni gas e luce SpA – 11.5 million fineItaly720011,500,000 €
SC Enel Energie SA – 6000 euros fineRomaniaunknown6,000 €
Entirly Shipping & Trading SRL – 10,000 euro fineRomaniaunknown10,000 €
Hora Credit IFN SA – 14,000 euros fineRomaniaunknown14,000 €
Austrian Post: 18 million DSGVO fineAustria3 million18,000,000 €
DSGVO fine for new owner of Delivery HeroGermanyunknown195,407 €
GDPR Fine for merchantBelgiumunknown10,000 €
Penalty for processing personal dataGreeceunknown150,000 €
Penalty against Financial Institution in BulgariaBulgariaunknown5,100 €
Italy: Penalty for FacebookItaly571,000,000 €
Penalty against Romanian bankRomania337 042130,000 €
Germany: DSGVO fine for police officerGermany11,400 €
Spain: Soccer App spies on FansSpainunknown250,000 €
Penalty for missing deletion deadlinesDenmark385000201,000 €
Belgium: Mayor violates GDPR for voting campaignsBelgiumunknown2,000 €
Penalty against real estate law firmFrance29440400,000 €
Lithuania: Data Breach at a payment service providerLithuania9.00061,500 €
Poland: GDPR penalty for sports associationPoland58512,950 €
Fine against newspaperCyprus53,000 €
Fine against Bounty LimitedGreat Britain34 267 889465,000 €
Penalty against True Vision ProductionsGreat Britain1990140,000 €
Penalty against medical practiceBulgaria1500 €
Italy: Energy provider violates GDPRItaly2,018,000 €
Fine against Bisnode PolskaPoland5 700 000220,000 €
Penalty against Bulgarian consulting firmBulgaria15,000 €
Penalty against Jusos Baden-WürttembergGermany1682,500 €
First GDPR fine in DenmarkDenmark8873333161,000 €
Penalty for refusal to provide dataHungary13,200 €
Data graveyard: 14.5 million euro fineGermanyunknown14,500,000 €
Penalty against telephone providerBulgaria127,000 €
Penalty against private personGermany1602,628 €
Penalty for failure to shred filesCzech Republic3001,200 €
Penalty against car rentalCzech Republicunknown1,200 €
CNIL imposes 50 million fine on GoogleFranceunknown50,000,000 €
Penalty for Carphone Warehouse for lack of data protectionGreat Britain3 348 869460,000 €
Penalty for erroneous publication of health dataGermanyunknown80,000 €
Penalty for unauthorized video surveillanceAustriaunknown2,200 €
Penalty against Bulgarian bankBulgaria1500 €
Penalty against UberGreat Britain2 700 000440,000 €
France: GDPR breach in consulting officeFranceunknown20,000 €
Penalty against private person because of dashcamAustriaunknown330 €
Unauthorized video surveillance on company premisesCyprusunknown5,000 €
Penalty against British Bible SocietyGreat Britain417 000115,000 €
Cyprus: GDPR fine for InfocreditCyprus025,000 €
