47. OUTLINE – EU data protection law seeks to protect individuals with regard to the processing of their personal data by (1) requiring compliance with a number of key principles; (2) providing individuals with a right to information as well as other data subject rights; (3) imposing an obligation to ensure the confidentiality and security of processing; (4) requiring the establishment, at national level, of supervisory authorities dedicated to monitoring compliance with the substantive provisions of EU data protection law; and (5) requiring controllers to able to demonstrate compliance with these principles.

KEY PRINCIPLES

48. LAWFULNESS, FAIRNESS & TRANSPARENCY – Article 5(1)a of the GDPR provides that personal data must be processed “lawfully, fairly and in a transparent manner”. Fairness of processing is considered an overarching principle of data protection law. It is a generic principle which has provided the foundation for other data protection requirements. As such, the fairness principle provides a “lens” through which the other provisions in the Directive should be interpreted. The principle of lawfulness of processing reaffirms that data controllers must stay in line with other legal obligations, even outside of the GDPR, regardless of whether these obligations are general, specific, statutory or contractual. The principle of transparency is in many ways a logical extension of the requirement that personal data shall be processed “fairly and lawfully”. It is based on the idea that even if one doesn't have a say in the matter, an individual should generally at least be informed when his personal data are being processed and/or be in a position to acquire additional information. The transparency principle is given further substance within the context of the data subject's right to information and right of access.

49. FINALITY – Article 5(1)b of the GDPR dictates that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” This provision embodies the so-called “principle of finality”, which comprises two basic rules. First, it requires controllers to clearly articulate the purposes for which personal data are being collected (purpose specification). Second, it requires controllers to limit their subsequent use of this information to practices compatible with the purposes defined at the moment of collection (use limitation).