Principles relating to processing of personal data
In order for a processing of personal data to be legal, it must first and foremost have a lawful basis. All processing activities also have to comply with the principles that are stated in GDPR, these principles can be seen as the core of the regulation.
The principles apply to all processing activities and it is important that all KI employees understand and apply them when processing personal data. In addition, other principles and requirements of GDPR and other supplementary legislation must also be complied.
You can read more about lawful basis here.
Lawfulness, fairness, transparency
Personal data shall be processed in a lawfully, fairly and transparent manner in relation to the data subject.
Purpose limitation
Personal data shall be only collected for specific, explicit and legitimate purposes and not further processed in a way that is not in line with those purposes. This implies that you must state why the processing is necessary for the purposes of the processing. The purpose must be described in detail so that the data subject can assess the effects of the processing, describing the purpose with "administration", "research" or "financial system" is therefore not detailed enough.
The key to comply with this principle is that the data subject should be able to predict what will happen to his or her personal data when KI is processing it.
Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes. Because of this data from population registers and records from the health care can be used in research.
Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means that you only shall collect personal data that are required to fulfill the purpose and that you know you will use. When the purpose is fulfilled the personal data shall be deleted.
Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without undue delay.
Storage limitation
Personal data may not be stored in a form that allows identification of the data subject for a longer period than necessary to fulfill the purposes. There is an exception from this principle that states that personal data may be stored for longer periods if it is necessary for archiving purposes, statistics or scientific research purposes.
Integrity and confidentiality
Personal data shall be processed in a manner that ensures an appropriate level of security for the personal data. This includes protection from unauthorized or unlawful processing, loss, destruction or damage. This can be achieved through both technical measures (such as firewall, encryption, pseudonymization, backup, anti-virus protection, secure authorization, etc.) and organizational actions (e.g. internal routines, instructions, guidelines, separate processing, etc.).
Accountability
The controller (KI) shall be responsible for, and be able demonstrate compliance with these principles.
Checklist for complying with principles relating to processing of personal data
- Determine the purpose: Why do you need to process personal data? What is the purpose of the processing?
- Find a lawful basis: Which lawful basis in GDPR is applicable for the processing?
- Inform the data subject: Is the information about the processing easy to find and understand for the data subject?
- Have the right information: Do you only process the personal data that you need for the purpose? Do you have too much personal data?
- Protecting the personal data: Have you taken sufficient technical and organizational security measures? Have you conducted a risk and vulnerability analysis?
- Delete the data: Do you have routines to delete the personal data once the purpose has been fulfilled?
- Demonstrate compliance: Have the decisions and considerations regarding the processing been documented? Are there any internal guidelines for data protection and processing of personal data?