Basic Principles of the GDPR


Introduction to the GDPR

The GDPR is a rather encompassing piece of legislation that covers a wide variety of aspects of processing personal data. Parts of the GDPR clearly fall outside the scope of this report; whenever relevant, reference will be made to these parts. The first five chapters of the GDPR are the most relevant for understanding the core principles of data protection regulation. We will, however, present only a brief overview of these core principles, sufficient to gain an initial understanding of the legal framework on the processing of personal data. The focus will be on the general principles regarding the processing of personal data as used within the GDPR, followed by the grounds that can be invoked in order to establish lawful processing, the additional constraints when sensitive personal data are processed, the rights of data subjects and the obligations of data controllers. Issues related to the transfer of personal data to third countries are covered where relevant in treating the topics mentioned. The GDPR starts by outlining some general provisions, including definitions of crucial concepts. Here the following definitions are relevant:

Personal data means “any information relating to an identified or identifiable natural person (‘data subject’).”

Processing means “any operation or set of operations which is performed on personal data or on sets of personal data … such as collection, recording, organisation, structuring, …dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Data concerning health means “personal data related to the physical or mental health of a natural person, including the provision of health care services which reveal information about his or her health status.”

An identifiable natural person is a person who can be identified directly or indirectly. The manner of identification – either directly or indirectly – is not precisely circumscribed in the GDPR. A name could suffice to identify a person as well as an online identifier (such as an email address) or an identifier relating to the “physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Processing is not described in a limitative sense either. The breadth of terms used indicates that basically all operations that can be performed on personal data (including collection and erasure/destruction) should be seen as processing operations.

Principles for fair and legitimate processing of personal data

The GDPR is a principle-based law. It defines a set of principles that should be taken into account when processing personal data (GDPR, art. 5):

  1. Personal data should be processed lawfully, fairly and transparently.

  2. Personal data should be collected for specified, explicit and legitimate purposes.

  3. Personal data should be adequate, relevant and limited to what is necessary in relation to the purposes of the processing, and not further processed in a manner that is incompatible with those purposes.

  4. Personal data should be accurate and, where necessary, kept up to date.

  5. Personal data should be kept in a form which permits identification of data subjects no longer than is necessary for the purposes of the processing.

  6. Personal data should be processed in a manner that ensures appropriate protection of the data.

Article 5, GDPR, has a few explicit extensions concerning research activities. The second principle includes that, in case of further processing of data for scientific research, one may consider the new purpose to be compatible with the original one. The fifth principle also includes that data may be stored for longer periods when they are processed for research activities.

Grounds for the lawful processing of personal data

The GDPR continues by offering six grounds for the lawful processing of personal data. Any processing of personal data should be based on at least one of these grounds. Of these six, five represent a necessity for processing the data. The sixth ground (which is the first mentioned in the GDPR) offers the option to process personal data on the basis of the consent provided by the data subject. We will follow the order as presented in the GDPR:

  1. Processing occurs on the basis of specific, freely given, unambiguous and informed consent.

  2. Processing is necessary for the performance of or the entering into a contract.

  3. Processing is necessary for compliance with a legal obligation.

  4. Processing is necessary for the protection of the vital interests of a data subject or another natural person.

  5. Processing is necessary for a task of public interest.

  6. Processing is necessary for the legitimate interest of the controller or of a third party.

The GDPR subsequently indicates that the data subject has the right to withdraw his or her consent at any time, and that withdrawing consent should be as easy as providing it. To evaluate whether consent is freely given, one should pay particular attention to potential imbalances between the data subject and the controller. The European Data Protection Authorities present the relation of the employee vis-à-vis the employer as an example of a relation between data subject and controller in which such an imbalance exists. Consent may not be used in these circumstances as a ground for lawful processing. In an earlier Working Document, the Article 29 Working Party (now replaced by the European Data Protection Board, henceforth EDPB) questions whether consent can be considered to be freely given in the case of medical treatment. To evaluate whether consent was informed, at least information on the controller and the purposes of processing should be given. The contract mentioned in the second ground relates to labour contracts as well. An employer is thus allowed to process data concerning an applicant in advance of offering a job.

A controller is allowed to process personal data in order to fulfil a legal obligation. An example of such a legal obligation is the obligation of physicians and other care providers to register specifics about a treatment in a patient record.

A public interest should be demonstrated through Union law or Member State law. These specific laws may contain provisions that adapt the application of specific rules of the GDPR.


Demonstrating a legitimate interest of a controller or third party requires a balancing test, in which the interests of the controller or third party are balanced against the interests of the data subject concerning his or her rights and freedoms. Recital 47 of the GDPR emphasizes the relevance of keeping in mind the reasonable expectations of the data subject concerning the processing or further processing of their data by the controller.

Exceptions to the prohibition on processing special categories of personal data

The grounds for lawful processing of personal data presuppose that it is allowed to process personal data once a lawful ground is present. The GDPR – just as its predecessor, the DPD – determines, however, that it is prohibited to process personal data belonging to a limitative set of so-called special categories of personal data unless a specific derogation can be invoked. Health data are one of these special categories. In the case of health data, one of the following exemptions might be relevant:

  1. The explicit consent of the data subject.

  2. Health data have been manifestly made public.

  3. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law.

  4. Processing is necessary for reasons of public interest in the area of public health, for instance to ensure high standards of quality and safety of health care and of medicinal products or medical devices.

  5. Processing is necessary for scientific research purposes.


The addition ‘explicit’ in ‘explicit consent’ refers to a written statement or a similar statement made in electronic form. In its Opinion on consent, the EDPB also refers to two-factor consent provision as an example of how to provide for explicit consent.

The term ‘manifestly’ in the second bullet may require further interpretation. A message posted on a publicly available social network may be considered to be manifestly made public. When such a message is posted in a group that requires subscription, the information can no longer be considered to be manifestly made public. The third bullet refers to activities requiring the processing of personal health data for different kinds of medical purposes, ranging from preventive and occupational medicine to medical diagnosis and health management. Likewise, for quality assurance of the health care process and of medical devices and apparatus, it is allowed to use personal data when this is considered to be necessary.

Finally, using health data for scientific research is allowed when specific measures and safeguards are in place to protect the rights and freedoms of the natural persons whose data are used. Reference is made to the principles of data minimization and pseudonymization, which should be applied on the condition that these measures do not prevent the planned research objectives from being achieved.

The rights of data subjects

Data subjects, being the persons whose data are processed, may exercise specific rights. Since transparency of data processing is the starting point for ensuring that data subjects are able to exercise their rights, data subjects need to be notified about any processing of their personal data. Data subjects should be notified about specific features of the processing when data are collected either directly (in which case they should be aware that data are being processed) or indirectly (further processing of data that were earlier processed for a specific purpose). This notification contains information on the identity of the controller, details on the processing (how long data will be stored, for which purpose they are used, to whom the data will be provided), the specific rights data subjects may exercise, the occurrence of automated decision making including the logic involved, and specific information depending on the lawful ground used. Only when it would be practically impossible to provide the information, or when doing so would seriously impair the results of the processing, may the controller abstain from providing this information. The controller should then still make the information available through other means, such as a website.

Data subjects may exercise rights, depending on the ground used for the lawful processing of their data. To start with, data subjects have the right to obtain access to their data. This implies that they are informed whether data are processed and, if so, they should receive additional information concerning the purposes of processing, the categories of personal data concerned, the (categories of) recipients, the envisaged period of storage (if possible), the existence of the other rights they may exercise, the right to lodge a complaint with a supervisory authority, and the existence of automated decision making, including profiling, and if so, meaningful information about the logic involved, the significance and the envisaged consequences of the processing for the data subject. In order to be able to provide this information, data controllers are obliged to register their data processing activities and to include information that helps in answering requests for access.

Data subjects have the right to rectify information that is incorrect and to complete incomplete information, if necessary by providing a supplementary statement. When data are no longer necessary, when the data subject withdraws consent, when the data subject objects to the processing, when personal data are unlawfully processed, when erasure is necessary to comply with a legal obligation, or when personal data have been collected in relation to the offer of information society services, the data subject may request the data to be erased.

Data subjects may require a restriction of processing when the accuracy of the data is contested by the data subject, when processing is unlawful, when the controller no longer needs the data, or when the data subject has objected to the processing. Procedures to determine and control reasonable terms are indicated as well. A data subject may exercise a right to data portability, implying that a controller should hand over the data provided by the data subject, preferably in an electronic form and preferably directly to another controller when technically feasible. This right can only be invoked if processing is based on the consent of the data subject (art. 6(1)(a) or art. 9(2)(a), GDPR) or on a contract (art. 6(1)(b), GDPR).

The obligations of the data controller

The GDPR defines two specific roles for parties engaged in processing personal data: the controller and the processor. The controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. The processor is the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. The processor has obligations to assist the controller, for instance in offering appropriate security measures, in reporting a data breach and in contributing to the development of a Data Protection Impact Assessment (DPIA). The processor only works on the instructions of the controller, laid down in a contract. The controller is, however, the party ultimately responsible for the data processing and should be able to demonstrate compliance. One of the elements in this respect is ensuring the rights of data subjects outlined above. In addition, the controller is obliged to implement appropriate technical and organisational measures (data protection by design and by default), and the controller needs to check whether the processing poses risks that require additional measures to be taken (data protection impact assessments).

The GDPR itself does not offer an interpretation of the minimal requirements for data protection by design and by default. It mentions data minimization as a principle and pseudonymization as a measure. No agreed standards are in place yet that offer satisfactory guidelines for meeting minimal requirements. Controllers could rely on certification mechanisms or codes of conduct, but these are not in place yet either. Several organisations are elaborating the various measures indicated in the GDPR, but it will take time for these measures to become officially accepted. The same goes for data protection impact assessments. Guidelines offered by the EDPB shed light on when processing activities should be considered high risk. High-risk processing activities require additional security measures to contain the risks. If no appropriate measures are available to reduce the risks such that they are no longer high, the lead Data Protection Authority needs to be consulted on whether the processing may take place and, if so, under what additional security measures.

The ‘ordinary’ security measures a controller needs to take into account include implementing pseudonymization and encryption of personal data, ensuring the confidentiality, integrity, availability and resilience of processing systems and services, and ensuring the availability of and access to personal data.