Privacy Company advisors talk GDPR: Principles governing the processing of personal data

July 25, 2018

The GDPR is at the heart of our team's work. This means that we work with it on a daily basis, analyse the texts, understand the obligations and, in particular, translate them into practical tools for our customers. Which article do our colleagues prefer to work with? How do we help our customers to implement the articles? In this blog series our team is talking, each about one specific article.

Today, the blog series is set within the framework of the principles of the processing of personal data. The GDPR is based on a number of general principles that you as an organisation must guarantee when personal data is processed. Think, for example, of the principle of "minimum of personal data", meaning that you always have to ensure that you do not process more data than is necessary for the purpose.


Laurens writes about one of these principles, namely the principle that processing must always be "lawful, proper and transparent" in relation to the data subject:

I find it interesting that Article 5, paragraph 1, letter a) indicates in a relatively simple text exactly what it is (or should be) about in the end: the right to respect for privacy. The principles not only have an independent meaning as a standard, but also play a role in the interpretation of other provisions in the GDPR on rights and obligations. So the effect goes a long way. At the same time, a term such as "transparent" is not easy to apply in practice. You must make clear to what extent and in what way you process personal data. And your communication must be easily accessible and understandable. This is not easy to combine - it requires real attention and commitment within an organisation, as well as concern for privacy and data protection as a whole.


These principles are not new, because other (old) legislation in the area of privacy is already based on these principles. What is new in the GDPR is the principle of "accountability". Sjoera writes about this principle:

Article 5, paragraph 2 of the GDPR reverses the burden of proof. Every organisation responsible for processing personal data must be able to prove that it complies with the principles of the law. These include principles such as purpose limitation, data minimisation and transparency. This reversal is important for the Netherlands Authority for Personal Data and for well-intentioned organisations. Without this reversal of the burden of proof, malicious organisations (which knowingly break the law) could frustrate any enforcement by refusing to cooperate. In order to prevent unfair competition, it is in everyone's interest for the regulator to take enforcement action against the biggest offenders.

Curious which other parts of the GDPR our colleagues are going to tell you about? In the next blog post, Jill and Simone will talk about the lawfulness and transparency of processing activities!