The GDPR defines seven key principles that must be strictly complied with in data processing:
Data must be processed lawfully, fairly and in a transparent manner.
Data may only be processed for specified, explicit and legitimate purposes.
The processing of data must be limited to what is strictly necessary.
Data must be accurate and up to date.
Personal data must be kept in a form which permits identification of the data subjects only for as long as is necessary for the purposes for which they are processed.
Personal data must be protected against unauthorised processing and against accidental loss or damage by suitable technical measures (e.g. backups) and organisational measures (e.g. access authorisations).
The controller must be able to prove compliance with the data protection principles.
Important
Violations of these principles are likely to result in maximum penalties.
Did you know that the processing of personal data is prohibited in general, unless specific conditions are met? For non-sensitive personal data the GDPR provides a total of six lawful bases for processing:
Processing is necessary to fulfil a contract – e.g. processing of customer address data for online purchases
Processing is necessary to satisfy a legal obligation – e.g. an employer’s duty to record working time
Processing is needed to protect someone’s life – e.g. in the event of epidemics or natural disasters
Personal data are processed to carry out specific tasks in the public interest or in the exercise of official authority which are laid down by law – e.g. in the context of police queries
Processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests – e.g. video surveillance of the company premises to protect against burglary
Consent of the individual concerned – e.g. by signing or ticking a box on a website.
If consent is to be used as the lawful basis, certain requirements must be met and the age of the data subject must also be taken into account.
Important
Declarations of consent can be revoked by the persons concerned at any time!
In the case of persons who have not yet reached the age of 16, the consent of their parent or legal guardian is required. A lower age threshold for obtaining parental consent may be established by EU member states, but this will not be below the age of 13.
Special requirements apply to the processing of sensitive data. Data processing is only permitted in very specific exceptional cases, e.g. in the event of an accident due to vital interests or if the personal data have obviously been published by the data subject.