Data protection principles

CONTENTS OF THE MODULE

This training module explains the principles of data protection. It is of utmost importance because these principles must be applied for each processing operation, from the design stage and by default. The GDPR defines six data protection principles: transparency, purpose limitation, minimization, accuracy, retention period, and security. This module consists of a 3-minute motion design followed by a quiz to validate the learners' knowledge.

PEDAGOGICAL OBJECTIVES

  • Know the principles of data protection: transparency, purpose, minimisation, accuracy, retention period, security
  • Be familiar with the legal terms defining each processing operation
  • Understanding the application of the principles through concrete examples
  • Knowing the stricter protection of sensitive data

All processing of personal data is governed by rules to be known and applied: the key principles of data protection.

Transparency: data must be collected in a "lawful, fair and transparent manner". Individuals must be informed of the processing of their data in a clear, concise and easily understandable manner.

Purpose limitation: data must be "collected for specified, explicit and legitimate purposes". For example, a bank may not use customer account information for other purposes, such as prospecting, without the prior consent of the data subjects.

Minimization: data must be processed in a way that is "adequate, relevant and limited" in relation to the purpose of processing. In other words, only data essential for the purpose should be collected. In order to send a quotation to an individual, a craftsman needs his name and contact details, but he does not need a bank statement at this stage of the exchange.

Accuracy: data must be accurate and up-to-date" with regard to the purpose of processing. If the data are erroneous or have become excessive, the company or organisation must correct or erase them and "without delay" as specified in the European Regulation".

Retention period: personal data must be kept only as long as necessary for processing. A retention period must be defined for each category of data and each purpose. The data must then be deleted, except in the case of a legal obligation such as archiving for historical, scientific or statistical purposes, or to assert a legal claim.

Security and confidentiality: the controller must ensure appropriate data security". This requires security measures to protect data against unauthorised or unlawful processing, leaks and breaches...

These key principles may be supplemented by a specific jurisdiction depending on the country where the organization is located.

So-called "sensitive" personal data, on the other hand, are very strictly regulated. Their processing is only possible with the explicit consent of the individual or in order to defend his or her vital interests. They then follow the principles of data protection with reinforced security measures: specific circuit, dedicated and isolated server, secure cabinets for paper files...