Article 5
Principles relating to processing of personal data

Recitals of the Regulation related to Art. 5

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

(157) By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services. In order to facilitate scientific research, personal data can be processed for scientific research purposes, subject to appropriate conditions and safeguards set out in Union or Member State law.

Recitals of the Directive related to Art. 5

(22) Whereas Member States shall more precisely define in the laws they enact or when bringing into force the measures taken under this Directive the general circumstances in which processing is lawful; whereas in particular Article 5, in conjunction with Articles 7 and 8, allows Member States, independently of general rules, to provide for special processing conditions for specific sectors and for the various categories of data covered by Article 8;

(28) Whereas any processing of personal data must be lawful and fair to the individuals concerned; whereas, in particular, the data must be adequate, relevant and not excessive in relation to the purposes for which they are processed; whereas such purposes must be explicit and legitimate and must be determined at the time of collection of the data; whereas the purposes of processing further to collection shall not be incompatible with the purposes as they were originally specified;

(29) Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual;

GDPR

Article 5 of the Regulation contains and reinforces the principles relating to the processing of personal data that are set out in Article 6 of the Directive.

We see first that the principle of fairness and lawfulness of the data processing is supplemented by a principle of transparency.

Transparency requires that any information addressed to the public or the data subject must be easily accessible and easy to understand, and be formulated in simple and clear terms, particularly with regard to the information on the identity of the controller and the purposes of processing (see recital 39). The controller's information obligations resulting from the principle of transparency are detailed in Article 12 et seq. of the Regulation.

A new exception is recognized to the prohibition on pursuing purposes that are incompatible with the initial purpose (Art. 5, paragraph 1, b): archiving in the public interest, provided that this processing, as with historical, statistical and scientific purposes, meets the conditions set by Article 89 of the Regulation. The principle of prohibition is maintained despite an attempt to make it a bit more flexible, given the difficulties it poses when purposes change (see the commentary on Article 6).

Article 5, paragraph 1, c) of the Regulation states that data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, while the Directive required controllers to process only “not excessive data” in view of the processing purposes. The Regulation thus adopts the principle of data minimisation, whereby only the personal data which appear necessary for achieving the purpose can be processed (Art. 5, 1, c). This is a classic application of a proportionality rule.

Concerning the principle of limited period of data storage, item e) recalls that the data allowing for the identification of individuals must not be kept beyond the time required for achieving the processing goals. In other words, the data for the identification of the data subjects must be erased as soon as they are no longer needed for processing, except for archiving purposes in the public interest and for scientific research, statistical or historical services, provided that the rights of safeguards (see Article 89, paragraph 1).

Initially, the first proposed provision of the Regulation required the controller to periodically check the need for further storage. This element was not retained. 

The Regulation also establishes the principle of the obligation of security and confidentiality of processing (integrity and confidentiality), already contained in Articles 16 and 17 of the Directive (Art. 5, paragraph 1, f). It requires the controller to ensure appropriate security and confidentiality, including preventing unauthorised access to the data and the equipment used in their processing, as well as the unauthorised use of such data and such equipment (see recital 39).

Finally, the Regulation establishes a principle of responsibility, pursuant to which the controller is responsible for compliance with the processing principles defined in Article 5. It is therefore the controller’s responsibility to ensure and demonstrate that the processing is consistent with the principles referred to in Article 5, paragraph 1 for the duration of the processing. Compliance means that the controller shall implement mechanisms and control systems (audit measures, internal policies...) within their entity to ensure compliance of processing throughout its duration and to keep the relevant evidence. This obligation for accountability is further developed by Article 24 of the Regulation (see also, G29, Opinion 3/2010 of 13 July 2010 on the principle of responsibility).

The Directive

Article 6 of the Directive determined the terms and conditions under which the processing of data was lawful. Through this provision, the EU legislature had implemented several basic principles that underlie any processing of personal data. These were included into Article 4 of the act of 8 December 1992 and into Article 6 of the Computers and Freedoms Act.

The principle of fairness and lawfulness of the data collection assumes that the data subjects must be in a position to be aware of the existence of a processing operation and, when data is collected from them, must be given accurate and full information on the circumstances of the collection; in addition, the data cannot be obtained by use of unlawful or unfair means (Art. 6, paragraph 1, a).

Pursuant to the principle of purpose, the purpose must be determined, explicit and legitimate. Any purpose that is incompatible with the announced purpose is therefore prohibited, except for historical, statistical or scientific purposes (Article 6, paragraph 1, b).

Pursuant to the principle of proportionality, the processing of personal data to be performed must be adequate, relevant and not excessive for the purpose pursued, which assumes that the means used shall be appropriate and necessary to achieve the objective sought (Article 6, paragraph 1, c).

According to the principle of data quality, data must be accurate, complete and, if necessary, updated; appropriate measures must be taken to ensure that inaccurate or incomplete data in terms of the purposes for which they are collected or processed are erased or rectified.

Finally, the data cannot be stored indefinitely. Data must be erased when their storage exceeds the time necessary for the purposes for which they are collected and processed (see Article 6, paragraph 1, e) of the Directive; Article 6, 5° of the Computers and Freedoms Act; and Article 4, paragraph 1, 5° of the Act of 8 December 1992).

Challenges

The basic principles are not upended, merely refined.

Strengthening the principles of transparency and accountability will involve a review of current processing operations in the controller's organization, and the implementation of control measures and internal or external audits of the compliance of the processing with the Regulation.

Unfortunately, the principle of compatibility has not been made more flexible given the difficulties in terms of the evolution of purposes (see the comments on Article 6).

Regulation

Art. 5

1.   Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2.   The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

1st proposal

Art. 5

Personal data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

(d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;

(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.

 

2nd proposal

Art. 5

1. Personal data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest or scientific, statistical or historical purposes shall in accordance with Article 83 not be considered incompatible with the initial purposes;

(c) adequate, relevant and not excessive in relation to the purposes for which they are processed (...);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (...); personal data may be stored for longer periods insofar as the data will be processed for archiving purposes in the public interest or scientific, statistical, or historical purposes in accordance with Article 83 subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of data subject;

(ee) processed in a manner that ensures appropriate security of the personal data.

(f)  (...)

2. The controller shall be responsible for compliance with paragraph 1.

 

Directive

Art. 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

2. It shall be for the controller to ensure that paragraph 1 is complied with.

Art. 5

Principles for the processing of personal data

1. Personal data shall

a) be processed in a lawful, fair and transparent manner with regard to the data subject (“lawfulness, fairness and transparency”),

b) be collected for specific, explicitly stated and legitimate purposes and not be further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, for purposes related to scientific or historical research or for statistical purposes shall, in accordance with Article 89(1), not be regarded as incompatible with the original purposes (“purpose limitation”),

c) be adequate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”),

d) be accurate and, where necessary, up to date; every reasonable measure must be taken to ensure that personal data that are inaccurate with regard to the purposes for which they are processed are erased or rectified without delay (“accuracy”),

e) be stored in such a way that it is not possible to identify the data subjects for longer periods than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods if they will be processed solely for archiving purposes in the public interest, for purposes related to scientific or historical research or for statistical purposes in accordance with Article 89(1), provided that the appropriate technical and organisational measures required under this Regulation are implemented in order to safeguard the rights and freedoms of the data subjects (“storage limitation”),

f) be processed in a manner that ensures adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

2. The controller is responsible for, and shall be able to demonstrate, compliance with paragraph 1 (“accountability”).

The old Act

§ 11 Basic requirements for the processing of personal data

The controller shall ensure that the personal data being processed

a) are processed only when this is permitted under § 8 and § 9,

b) are used only for explicitly stated purposes that are objectively justified by the controller's activities,

c) are not used subsequently for purposes that are incompatible with the original purpose of the collection, without the consent of the data subject,

d) are adequate and relevant for the purpose of the processing, and

e) are accurate and up to date, and are not stored longer than is necessary for the purpose of the processing, cf. § 27 and § 28.

Subsequent processing of personal data for historical, statistical or scientific purposes is not deemed incompatible with the original purposes of the collection of the data, cf. first paragraph, letter c, if the public interest in the processing taking place clearly outweighs the disadvantages it may entail for the individual.

Personal data relating to children shall not be processed in a manner that is indefensible with regard to the best interests of the child.
