What principles must the processing of personal data comply with?

Sander van de Molen
3 December 2019

ANSWER

The AVG is a regulation that assumes a "risk-based approach."(1) This means that a risk analysis must always be carried out in order to assess how the controller fulfills its obligations. What is the nature of the processing of personal data, what is its scope and purpose? And more: what are the risks? These are the kinds of issues a data controller needs to have a sharp eye on in order to take the right measures so that the processing of personal data complies with the AVG.

So what are all these obligations? This article does not go over all 99 articles, but focuses on the six principles that a data controller must observe when processing personal data. One could argue that if these principles are met, a data controller basically meets the requirements set out in the AVG.

What are the six principles from the AVG?

The principles are contained in Article 5 of the AVG.(2)

1.
The first principle is that personal data must be processed in a way that is lawful, proper and transparent with respect to the data subject. This means that if personal data are processed, there must always be a legal basis (see Article 6 and Article 9 of the AVG). In addition, the processing must be proper. This means that organizations must ensure that they do not violate the rules of the AVG and that they do not hide anything. The latter is the principle of transparency. A data subject (always a natural person) must be informed of any processing of their personal data. Prior to the processing, the data subject must be informed about this processing, using clear and simple language. It must also be made transparently clear to the data subject what the processing involves, what rights he has and how he can exercise these rights.

2.
A second principle says that personal data may only be processed for specified, explicitly described and legitimate purposes ("purpose limitation"). These purposes must have been identified and defined before the processing of personal data begins. Personal data may only be processed for these previously specified purposes. Additionally, these personal data may not be processed (further) for purposes that are not compatible with the original purposes. Processing done for archiving in the public interest or for scientific, historical or statistical purposes is given more freedom and does not have to be indicated as an (additional) purpose.

3.
Next, the personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed ('minimal data processing'). Here the 'necessity criterion' applies. Only personal data that are strictly necessary in relation to the purpose of the processing may be processed. This further means that personal data must be deleted as soon as possible once they are no longer needed. It also follows from this principle that personal data may only be processed if the purpose cannot reasonably be achieved in any other way.

4.
Personal data must also be accurate and updated when necessary ('accuracy'). All reasonable steps must be taken to promptly delete or rectify personal data that are inaccurate in relation to the purposes for which they are processed. Thus, this principle requires that personal data be accurate and up to date. Should personal data prove to be inaccurate or no longer up to date, the data subject may request that these data be rectified or even erased. Of course, the controller has an independent duty to ensure that the personal data are correct and up to date.

5.
The principle of "storage limitation" applies to retention periods. Personal data must not be kept in a form that allows the identification of data subjects for longer than is necessary for the purposes for which the personal data are processed. In simple terms, this means that retention periods must be met. After the expiration of the retention period, personal data must be deleted. The AVG itself does not specify retention periods, but it does require the organization processing personal data to establish time limits for deleting these personal data. Before the AVG came into force, there was an "Exemption Decree". This decree listed many retention periods. If an organization sets retention periods, knowing this decree can still serve as an example. However, it no longer applies, and the data controller itself must set reasonable retention periods and demonstrate compliance. Incidentally, there is a lot of pressure to reinstate the Exemption Decree.

6.
The sixth and final principle concerns taking appropriate technical or organizational measures in such a way as to ensure appropriate security of personal data ("integrity and confidentiality"). Under this principle, the organization must take appropriate measures to secure personal data and prevent unauthorized access to or use of such data.

Article 5 AVG concludes with an important paragraph 2: Under the AVG, the data controller is responsible for compliance with the principles stated in paragraph 1 and must be able to demonstrate ("accountability") that these principles have been met.

Footnotes

(1) This is also explained in recitals 39, 50 and 58 of the AVG.
(2) See, for example, Article 24(1) of the AVG: 'Taking into account the nature, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons which vary in their likelihood and seriousness, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is carried out in accordance with this Regulation. Those measures shall be reviewed and updated as necessary.'
