Principles that are to permeate personal data processing
The General Data Protection Regulation states a number of fundamental principles that can be said to be the core of the regulation. The principles apply in the case of all processing of personal data and it is important that you understand and apply them.
Always have the principles at the back of your mind when you are working with personal data processing.
The principles in brief
The principles mean among other things that as data controllers you
- must have a lawful basis under the General Data Protection Regulation to be able to process personal data
- may only collect personal data for specific, explicitly stated and legitimate purposes
- are not to process more personal data than is necessary for those purposes
- are to ensure that the personal data is accurate
- are to erase the personal data when it is no longer needed
- are to protect the personal data, for example so that unauthorised persons are not given access to it and so that it is not lost or destroyed
- are to be able to demonstrate that and how you live up to the General Data Protection Regulation.
Anyone familiar with the Personal Data Act will recognise these fundamental principles. A new aspect, however, is that it is no longer sufficient to comply with the law but the data controller must also be able to demonstrate that and how the provisions of the General Data Protection Regulation are complied with.
All processing of personal data is to be lawful, fair and characterised by transparency.
It is to be lawful
That personal data processing is to be lawful means first and foremost that you must have lawful grounds for all your processing of personal data. The General Data Protection Regulation states six lawful grounds of which one must be met for every instance of processing of personal data.
You must also comply with the other principles and provisions stated in the General Data Protection Regulation and in other complementary legislation.
It is to be fair
The processing of personal data is to be fair, appropriate, reasonable and proportional in relation to the data subjects.
The personal data processing is to be commensurate with the benefit that the processing of the personal data gives. This means that you must weigh your own interests against those of the data subjects before the personal data is processed. You must also take into account what kind of processing of personal data the data subjects can reasonably expect. The processing of personal data must be clear and understandable to the data subjects and must not be carried out in hidden or manipulated ways.
Inform the data subjects
How you process their personal data must be clear to and easily understood by the data subjects. They are thus to know that you collect personal data, why you collect it and how you then use it. The data subjects must also know what rights they have, for example how they can request register extracts, how they can have errors rectified, and how they can have personal data erased.
The data subjects must thus be given information about all this. This information is to be easily accessible and be worded using clear, simple language. It is particularly important to use clear and plain language where the data subjects are children.
You may only collect personal data for specific, explicitly stated and legitimate purposes. You therefore need to have a clear picture of why you are to process the personal data when you begin to collect it. The purposes set the limits for what you may and may not do, for example what data you may process and for how long you may retain it.
Specific, legitimate purposes
The purposes must be specific and concrete, not vague or imprecise. It is for example not sufficient to state "checks" as the purpose of logging and surveillance without also stating the purpose of the checks. The purpose of the checks might be surveillance for security or technical reasons or to follow up internal rules.
Nor is it normally sufficient for your purpose to be only "to improve users' experience", "IT security", or "future research". These are far too broad and the data subjects cannot judge what such processing of personal data might involve.
The purpose must also be legitimate. This means that the processing of personal data must both have a lawful basis under the General Data Protection Regulation and be carried out in accordance with other applicable legislation and general principles of law.
Inform the data subjects
The data subjects have the right to know why you process their personal data, that is to say what the purposes are. Inform the data subjects when you collect the personal data and also if a data subject requests it.
Document the purposes
Document what the purposes of your personal data processing are. You need this to be able to demonstrate that you are complying with the principle of accountability.
Are you processing already collected personal data in new ways?
If you wish to begin processing personal data that you have already collected in some new way, this must be compatible with the original purposes. You can in such cases cite the same lawful grounds as when you collected the data. Remember to inform the data subjects about the new processing of personal data before it begins.
If you on the other hand wish to use the personal data in a way that is not compatible with the original purposes, this is am entirely new instance of personal data processing. You then need to begin all over again and find a lawful basis for the processing of the personal data, ensure that it is carried out in accordance with the fundamental principles and so on.
Is the new instance of processing of personal data compatible with the original purposes?
When you assess whether a new instance of personal data processing are compatible with earlier purposes, you must among other things take into account and ask yourself the following questions:
- What connections are there between the purpose of the original processing of personal data and the new processing?
- In what context did you collect the personal data? What relationship do the data subjects have to you as data controller? What kind of processing of personal data can the data subjects reasonably expect?
- What kind of personal data are you going to process? Is the data sensitive?
- What consequences can the personal data processing have for the data subjects?
- What security measures do you have, for example authorisation control, encryption and pseudonymisation?
It is as a rule compatible with the original purposes to also process personal data for
- archiving purposes in the public interest
- scientific or historical research purposes
- statistical purposes.
You must however have taken appropriate security measures to protect the data subjects' rights.
Personal data that is processed is to be adequate, relevant and not too extensive in relation to the purpose.
Personal data that is relevant
You are never to process more personal data than is necessary and the personal data that is processed must be clearly connected to the purpose. In other words, it is not permitted to collect personal data for undefined future needs because it might be "good to have".
Personal data that is processed must be accurate and, if necessary, updated.
Rectify or erase inaccurate personal data
If the personal data is inaccurate, you must rectify or erase it. It is therefore important that you have procedures in place to be able to rectify and remove inaccurate personal data, for example if a data subject requests you to do so.
You may only retain personal data for as long as it is needed for the purpose of your processing of the personal data.
Dispose of personal data that is not needed
When the personal data is no longer needed for the purpose, you must erase or anonymise it. You should therefore establish procedures for erasure of personal data, for example that you make regular checks or erase after a certain period of time.
Separate personal data from your daily activities
You must in certain cases retain documents containing personal data even after you have finished using then. This applies for example in the case of bookkeeping, where the Swedish Accounting Act stipulates for how long certain documents are to be kept. Save the documents in such a way that they are no longer accessible in your daily activities (separation). You can do this by separating the documents from, for example, a case management system or by setting technical limitations for access to and authorisation to use the system.
Personal data may be archived
It may also be permitted to store personal data after the original purpose is no longer relevant if it is done only for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. You must however always ensure that you take appropriate security measures to protect the personal data.
When you process personal data you must ensure that the data is well protected by taking appropriate security measures.
Protect personal data with security measures
You must protect all personal data that you process so that no unauthorised person can access it and so that it is not used in a prohibited manner. You must also ensure that the personal data is not lost or destroyed, for example through accidents.
You must therefore establish appropriate technical and organisational security measures. Technical measures include for example firewalls, encryption, pseudonymisation, making security back-ups and installing anti-virus protection. Organisational measures include for example internal procedures, instructions and guidelines.
You are responsible for complying with the fundamental principles relating to processing of personal data. You must also be able to demonstrate that you comply with them and how you do so.
How to demonstrate that you comply with the General Data Protection Regulation
You can demonstrate your compliance with the fundamental principles in several ways, for example by
- providing clear information to the data subjects
- maintaining a record of and documenting the processing of personal data that is carried out within your organisation, including what considerations you have made
- drawing up internal guidelines for data protection (a data protection policy) and training your personnel
- building integrity-friendly solutions into your systems (integrity by design)
- making an impact assessment before you begin processing of personal data that involves particular integrity risks
- designating a data protection officer
- subscribing to an approved code of conduct or certification mechanism.
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.