Principles to Take Into Consideration in Data Protection Compliance
Data Protection Compliance: GDPR
The General Data Protection Regulation (GDPR) is a regulation that covers all (or almost all) aspects related to the personal data of European citizens, both within Europe and outside it. It is self-sufficient, and its rules are applied on the basis of the principle of extraterritoriality.
Just as this principle exists to ensure that the data of European citizens are treated in accordance with the standards established by the GDPR, there are also principles of an axiological nature that are scattered throughout the Regulation (although stated in art. 5) and that must be complied with, mandatorily and effectively, by all those who process personal data.
Here is a brief explanation of these axioms that must be taken into account when implementing a personal data treatment policy:
Lawfulness, transparency, and fairness
Lawfulness in the treatment means that the collection and treatment of personal data must have a legal and justified basis, requiring the consent of the interested party or, failing that, a legal provision. The objectives of the regulation must also be borne in mind.
Transparency and fairness refer to two behaviors that the person responsible for the treatment and/or the person in charge of it must display toward the owner of the data. The owner has to be sufficiently informed of what the data processor and/or controller will do with the data and how they will treat it, and has to be told of their rights of information, modification, rectification and deletion as a guarantee, always keeping in mind the purpose for which the data was collected.
The collection and processing of personal data must have a lawful, legitimate, transparent, and explicit purpose, which must be communicated to the owner of the data so that they can fully understand what will be done with the personal information that belongs to them. This principle is related to the previous one.
However, this principle also has another face, which is related to the application of the limitation in terms of purpose. The person responsible for and/or in charge of the processing of personal data cannot use the data for a purpose different from the one that was communicated to the owner and for which their consent was obtained, much less for purposes incompatible with the law, the Regulation and its provisions.
Minimization of data
Based on this principle, the data that is collected and processed should be only what, based on the evaluation of the purpose, constitutes the minimum essential to carry out a project that involves its collection and treatment.
Accuracy in data recording
The importance of the principle of accuracy in personal data lies in the fact that, since these are rights that belong to natural persons, assigning data erroneously, and moreover relating it to people who are not its true owners, can cause them harm.
In addition, this principle also allows the owner strict control of the so-called ARCO rights (access, rectification, cancellation, and opposition).
Temporal limitation in the conservation of personal data
This principle is related to the principle of data minimization, but from its temporal aspect. The data should not be kept for longer than is necessary to fulfill the purpose for which they were collected. Once the reason for their collection and treatment has disappeared, they must be destroyed or, at the very least, a process of dissociating the data from the owner must be applied.
However, the different laws may establish exceptions to the principle of time limitation: for a public interest, for scientific or academic purposes, or because the law establishes an obligation of the person responsible to maintain them for a long time, despite the purpose having been fulfilled (e.g., tax issues).
One manifestation of this principle is the so-called “Right to Be Forgotten”.
Integrity and Confidentiality
Both principles have to do with the fact that both the person responsible, mainly, and the person in charge of the processing of personal data must maintain a proactive attitude when collecting and treating it.
Furthermore, data processors and controllers have a proactive responsibility and both must take all necessary measures to avoid data breaches. In Argentina, the responsibility of the data controller is objective, through the application of the theory of risk.
At Moeller IP Advisors we can assist you in complying with all these principles in case you or your company decide to launch your own product or service in the European Union.