Every processing of personal data must comply with certain conditions: these are the 8 golden rules of privacy and personal data protection. In this article, these 8 golden rules are described and explained, and correspond to 8 practical sheets that Dastra has made available to you.
You should have 4 good reflexes to meet the requirements of the GDPR in this area:
- ✔ Only collect data that is really necessary
- ✔ Be transparent with all your stakeholders
- ✔ Think about people's rights, such as rights of access, erasure, or rectification
- ✔ Secure your data
Enjoy your reading!
1. Lawfulness of processing (Article 6 of the GDPR)
Processing is lawful only if, and insofar as, at least one of the following 6 conditions is met:
▶ The data subject has given consent to the processing of their personal data for one or more specific purposes;
▶ The processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request;
▶ The processing is necessary for compliance with a legal obligation to which the controller is subject;
▶ Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
▶ Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
▶ The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child. See our guide to assessing legitimate interests.
Find out how to manage the legal basis in the Dastra App.
2. Purpose of processing
Personal data collected may only be processed for a specific purpose that meets the following conditions:
▶ Precisely determined
▶ Explicit
▶ Legitimate
The purpose of processing is the reason for using personal data. Data is collected for a well-defined and legitimate purpose and is not further processed in a way incompatible with that initial purpose. This purpose principle limits the way in which the data controller may use or re-use the data in the future.
3. Minimisation of data
Only data strictly necessary to achieve the purpose may be collected and processed.
4. Special protection for sensitive data
Sensitive data may only be collected and processed under certain conditions.
5. Limited retention of data
As soon as the purpose for which they were collected has been achieved, data may be :
▶ Archived
▶ Deleted
▶ Anonymised
In all cases, a retention period must be defined and applied.
6. Security obligation
Security measures must be implemented to:
▶ Prevent the risk of a breach of security
▶ Ensure the security of the data processed.
7. Transparency
Data subjects must be informed about the use of their data and how they can exercise their rights.
8. Individuals' rights
Data subjects have numerous rights that allow them to retain control over their data:
▶ Right of access
▶Right of rectification
▶Right of erasure
▶Right to object
▶Right to data portability
▶Right to limit processing
▶Right to define the fate of data after death
▶The right not to be the subject of an automated decision.
These 8 golden rules are a guarantee of legal certainty for data controllers and a factor of transparency and trust for data subjects.