What do you need to comply with when using an algorithm to process personal data?

Personal Data Authority September 25, 2025

Question & Answer

ANSWER

Processing personal data using an algorithm is no different from "ordinary" processing. You must therefore comply with the general principles for processing personal data. Those principles are found in Article 5 of the General Data Protection Regulation (AVG, the Dutch name for the GDPR). Important principles include:

Lawfulness
You must have a legal basis for processing personal data (Art. 6 AVG).

Transparency

  • When processing personal data, you must be transparent towards the data subject (Art. 12, 13 and 14 AVG). The data subject is the person whose data you are processing.

  • You also need a register of processing activities (Art. 30 AVG).

  • If you use an algorithmic system, for example for decision-making, you should also provide meaningful information about the underlying logic and the expected consequences of that processing for the data subject.

Purpose limitation
You may only process personal data for a predetermined purpose. You are bound by this purpose. This means that you may not simply process personal data for another purpose.

Data minimization
If you process personal data for a particular purpose, you must do so with as little personal data as possible. Any data that is not demonstrably needed for that purpose is being processed unlawfully. You may also store the data only for a limited time; to this end, you must establish retention periods in advance.

Accuracy
The personal data you process must be accurate (correct). This prevents unforeseeable outcomes and unwanted effects for the data subject.

Security
All personal data you process must be properly secured. You must take technical and organizational measures to do so (Art. 32 AVG). In doing so, you must take into account:

  • the state of the art;

  • the nature, scope, context and purposes of the processing;

  • the varying risks to the rights and freedoms of data subjects.

Privacy by design & default
When developing (algorithmic) systems, you must apply the principles of privacy by design and privacy by default.

This means that you must develop, configure and deploy systems in a privacy-friendly way, and that user settings must be privacy-protective by default.