ABSTRACT
This chapter briefly discusses the general principles at the heart of the GDPR. The duties (Chapter 4) and rights (Chapter 5) often follow from and elaborate on these general principles. This chapter will discuss these principles in five steps:
The core principle of the GDPR is legitimacy. The right to data protection is a fundamental right, contained in the Charter of Fundamental Rights of the EU. Fundamental rights may only be curtailed if this is necessary for a legitimate purpose and proportionate in relation to that aim (section 3.1).
The principle of legitimacy is further set out in the GDPR in 10 Fair Information Principles. These principles form the backbone of the Regulation and underline, among other things, that no more data may be collected than are necessary for the purpose at hand, that data must at all times be stored safely and securely, and that they must be deleted once the purpose for which they were collected has been achieved (section 3.2).
Personal data may be processed on the basis of one of the six legitimate processing grounds listed in the GDPR, such as informed consent or a legal obligation to which the data controller is subject (section 3.3).
When sensitive data are concerned, such as information about a person’s sexual preferences, race or medical condition, the GDPR specifies that in principle, processing these data is prohibited, except when one of 10 relatively broad exceptions provided by the GDPR applies (section 3.4).
Finally, personal data may in principle only be shared with persons or organisations within the EU. Sharing data with persons or organisations outside the EU is not allowed, except when the recipient is in a country or is bound by safeguards that ensure a level of data protection essentially equivalent to that offered by the GDPR (section 3.5).
