Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction, or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail.

Data Protection & Cyber Security

Russia

The key principles relating to processing of PII are set out by the Personal Data Law:

  • Processing of PII shall be lawful. In particular, this implies that the data controller must ensure legal grounds for the data processing.
  • Purpose limitation principle: processing of PII shall be limited to the achievement of a specific lawful purpose, and PII shall not be processed for another, incompatible purpose.
  • It is prohibited to combine databases containing PII processed for different, incompatible purposes.
  • Data minimization principle: the scope and content of PII shall be limited to what is necessary to achieve the specific data processing purpose. PII being collected and processed shall not be excessive in the context of the data processing purpose.
  • PII shall be kept accurate, complete and up-to-date. The data controller shall rectify or delete data that is inaccurate or incomplete.
  • Once the purposes of processing are achieved, PII shall not be stored in a way that allows identification of the data subject, unless otherwise provided by legislation or by an agreement to which the data subject is a party, beneficiary or guarantor. Once the purposes of processing are achieved, PII shall be destroyed or anonymized, unless otherwise provided by legislation.

Argentina

The Data Protection Law states that the gathering of personal data cannot be done through dishonest, fraudulent, or illegal means. The Data Protection Law also provides that personal data cannot be processed for different or incompatible purposes from those it was intended for when collected, and any personal data that is collected must be accurate and current.

Furthermore, the general principle under the Data Protection Law is that any processing of personal data must be specifically consented to by the data subject (see question 5 below).

Personal data may be held for as long as it is necessary or current for the purposes for which it was collected, after which it must be destroyed or deleted.

Brazil

The LGPD establishes that processing of personal data shall only be carried out in the following cases:

  • By means of the data subject's consent;
  • For compliance with legal or regulatory obligation by the controller;
  • By the public administration for the processing and shared use of data required for the implementation of public policies;
  • For the conduct of studies by research entities, ensuring, whenever possible, the anonymization of personal data;
  • When necessary for the performance of a contract or preliminary proceedings related to a contract to which the data subject is a party, at the request of the data subject;
  • For the regular exercise of rights in judicial, administrative or arbitral procedures;
  • For the protection of the life or physical safety of the data subject or a third party;
  • For the protection of health, in procedures carried out by health professionals or sanitary entities;
  • When necessary to serve the legitimate interests of the controller or of third parties, except where the fundamental rights and liberties of the data subject, which require protection of the personal data, prevail;
  • When the fundamental rights and liberties of the data subject require personal data protection;
  • For credit protection including provisions of relevant legislation.

The personal data shall be eliminated after termination of the processing thereof, within the scope and technical limits of the activities. The storage of personal data after the processing is authorized for the following purposes:

  • Compliance with a legal or regulatory obligation by the controller;
  • Study by a research entity, ensuring, whenever possible, the anonymization of the personal data;
  • Transfer to third parties, provided that all legal requirements set forth in the Law are complied with;
  • Exclusive use of the controller, with forbidden access to third parties, and provided the data has been anonymized.

In addition, sectoral legislation, such as the consumer code, national tax code, labor legislation, among others, provides different rules regarding data storage.

Specifically for internet applications, the Internet Law establishes that application service providers must keep records of access to internet applications (i.e., the set of information regarding the date and time of use of a particular internet application from a particular IP address) under secrecy, in a controlled and safe environment, for a minimum term of six months. In the provision of internet connections, the autonomous system administrator shall keep the connection logs under secrecy for at least one year.

Bulgaria

(i) In Bulgaria, controllers and processors must process personal data in accordance with the principles set out in the GDPR:

  • Lawfulness, fairness, and transparency – the personal data must be processed fairly, lawfully, and in a transparent manner. This means that for any processing of PII there should be a legal basis, otherwise the processing would be unlawful (see below);
  • Purpose limitation – the personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Data minimisation – the personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accuracy – the personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Storage limitation – the personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • Integrity and confidentiality – the personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
  • Accountability – the controller shall be responsible for, and be able to demonstrate compliance with, all the above-listed principles.

(ii) In particular, one of the legal bases for processing under Article 6 GDPR must be satisfied in order for the processing of personal data to be lawful:

  • The data subject (the natural person concerned) has given his/her consent; or
  • The processing of personal data is necessary:
    - for the performance of a contract to which the data subject is a party, or to take steps at the data subject’s request prior to entering into a contract; or
    - for compliance with a legal obligation to which the controller is subject; or
    - to protect the vital interests of the data subject or another natural person; or
    - for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
    - for the purposes of the controller’s or a third party’s legitimate interests, except where the data subject’s interests or fundamental rights and freedoms override the controller’s interests, especially if the data subject is a child.

Switzerland

Based on the legality principle, FADP requires a legal basis for the data processing by federal bodies. Federal bodies are solely permitted to process personal data if explicitly justified by law.

Contrary to the GDPR, FADP does not require a legal basis for any data processing by private persons. FADP solely requires that any data processing complies with the “General Data Protection Principles” as set out in art. 4 et seq. FADP. The general data protection principles are the following:

  • Legality Principle: Personal data may only be processed lawfully (art. 4 para. 1 FADP). Prohibited, for example, is illegal data collection, such as unlawful recording of communications. The prohibitions may be set out either in the FADP or in other Swiss statutes, such as the Swiss Criminal Code.
  • Good Faith and Proportionality Principle: The processing must be carried out in good faith and must be proportionate (see art. 4 para. 2 FADP). The principle of proportionality is one of the most relevant principles. It means, for example, that data retention must be proportional, i.e. personal data must only be retained as long as necessary. From the principle of good faith, the FDPIC has derived a duty to notify data breaches; such a notification duty is otherwise not explicitly mentioned in the FADP.
  • Purpose Limitation: Personal data may only be processed for the purpose indicated at the time of collection, that is evident from the circumstances, or that is provided for by law (see art. 4 para. 3 FADP).
  • Transparency Principle: The collection of personal data and, in particular, the purpose of its processing must be evident to the data subject (see art. 4 para. 4 FADP). The transparency principle is one of the most relevant principles in the FADP. The FADP contains no explicit active information duty similar to the one in art. 13 et seq. GDPR, except for sensitive personal data and personality profiles (see art. 14 FADP). As long as the data processing is transparent, no active and comprehensive information is required. However, in practice it is quite common to have data privacy notices in place.
  • Consent Requirements: If the consent of the data subject is required for the processing of personal data, such consent is valid only if given voluntarily on the basis of adequate information. Additionally, consent must be given expressly in the case of processing of sensitive personal data or personality profiles (art. 4 para. 5 FADP).
  • Accuracy Principle: Anyone who processes personal data must make certain that it is correct, and must take all reasonable measures to ensure that data that is incorrect or incomplete in view of the purpose of its collection is either corrected or destroyed (art. 5 FADP).

Spain

The GDPR establishes the regulatory framework of data protection for all EU member states, setting out different principles related to the processing of personal data. These principles are: a) lawfulness, fairness and transparency in relation to the data subject; b) purpose limitation, under which all data processed shall be collected for specified, explicit and legitimate purposes; c) data minimisation, according to which all data shall be adequate, relevant and limited to the purposes for which they are processed; d) accuracy and data updating; e) storage limitation, i.e. storage of the data for no longer than is necessary for the purposes for which they are processed; and f) integrity and confidentiality, ensuring appropriate security of the personal data.

Encompassing the previous principles, the GDPR includes two guidelines which shall be respected by all entities in the processing of data, which are ‘accountability’ and ‘privacy by design and by default’, according to which the Controllers shall observe the regulations on data protection from the beginning of any operation and shall be able to demonstrate compliance with them.

Spanish legislation on data protection applies the same principles of the GDPR.

Chile

Personal data shall be removed or cancelled when there are no legal grounds for its storage or when the data has expired.

Financial data shall not be processed in the following cases:

  • After 5 years since the corresponding obligation was enforceable;
  • In case of debts incurred during a period of unemployment;
  • Obligations that have been paid or extinguished by other legal means; and
  • Debts related to electricity, water, telephone, gas and highways.

In the case of government entities which process personal data on rulings for felonies, administrative infringements or disciplinary failures, such data should not be communicated after the statute of limitations applicable to the criminal or administrative action or to the sanction has elapsed, or once the penalty has been served. This is without prejudice to the fact that in Chile the right to be forgotten has not been regulated by law.

China

The PI Specification sets out the following seven basic principles for personal information controllers/processors to follow when carrying out personal information processing activities:7

  1. Accountability. A personal information controller shall be accountable for any damages to the legal rights and interests of personal information subjects caused by its personal information processing activities.
  2. Purpose Specification. A personal information controller shall have lawful, justified, necessary and clear purposes for processing personal information.
  3. Solicitation for Consent. A personal information controller shall explicitly specify the purpose, methods, scope and rules in processing personal information, and seek the authorization of the personal information subject.
  4. Proportionality (minimum necessary). A personal information controller shall only retain the minimum amount of personal information necessary to achieve the purpose(s) authorized by the personal information subject and shall delete the personal information once it fulfills the purpose(s).
  5. Transparency. A personal information controller shall, unambiguously and in plain language and reasonable manner, disclose the scope, purpose(s), rules of its personal information processing to the public.
  6. Security. A personal information controller shall be equipped with security capability in line with the security risk it faces and take adequate management and technological measures to safeguard the confidentiality, integrity and availability of the personal information.
  7. Subject Participation. A personal information controller shall provide the personal information subject with means to access, correct and delete his or her personal information, and with methods to withdraw his or her consent and to delete the account.

7 - PI Specification. 4.

Germany

The GDPR is based on 7 principles for the legally compliant storage and processing of personal data. These principles are laid down in Art. 5 GDPR:

  1. lawfulness, fairness and transparency
  2. purpose limitation
  3. data minimization
  4. accuracy
  5. storage limitation
  6. integrity and confidentiality
  7. accountability

In the light of these principles, any processing of data must be based on a legal basis. Therefore, processing of personal data shall be lawful only if one of the following conditions is met (Art. 6 GDPR):

a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Furthermore, the principle of data minimization (Art. 5(1)(c) GDPR) is applicable, according to which the processing must be limited to the necessary extent required for the purpose of the data processing. Generally, this means that personal data must be deleted if their processing has fulfilled the purposes for which they were originally gathered. As soon as the purpose of the storage expires, the legitimation ends as well. Moreover, Art. 17 GDPR grants the data subject a right to erasure and imposes requirements for the deletion of data on the controller. While the data subject can require the deletion of personal data concerning him at any time, the controller will have to delete personal data without undue delay on any of the following grounds, even without a respective claim by the data subject (Art. 17 (1) GDPR):

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

India

Privacy Rules

Processing of PII is subject to the following restrictions:

(a) Privacy policy - A body corporate which collects, receives, stores, deals or handles PII needs to have a privacy policy. The policy should be published on the website, and should include - purpose of collection, intended usage of information, circumstances in which information may be disclosed and security practices & procedures for securing against unauthorized access.

(b) Knowledge of the Data Subject - The body corporate is required to take reasonable steps to ensure that the Data Subjects are aware that their information is being collected, the purpose for collection, intended recipient of such information, and names and addresses of agencies collecting & retaining the information.

(c) Purpose limitation - PII collected can only be used for the purpose for which it is collected.

(d) Opportunity to review - Data Subjects are entitled to review the information provided by them and correct any inaccuracy or deficiency.

(e) Opportunity to not provide & withdraw consent - Prior to collecting PII, Data Subjects have an opportunity not to provide such information. They can also withdraw previously given consent.21

Certain other stipulations apply only to sensitive PII. Details in this regard are given in response to Query 6 below.

Privacy Bill

In relation to PII, the Privacy Bill contains the following provisions:

(a) Consent – Prior consent by the Data Subject for processing of PD.22

(b) Privacy policy - The data fiduciary is required to provide a privacy policy. More extensive requirements are prescribed.

(c) Fair and reasonable processing – There is a duty owed by data fiduciaries towards the Data Subjects, for processing of their data in a fair and reasonable manner that respects their privacy.

(d) Purpose limitation – Express recognition of purpose limitation principle, i.e. PD should be processed only for the purpose specified by the data fiduciary or for any other incidental purpose reasonably expected by the Data Subject to be connected to such specified purpose. The test for any incidental usage is from the lens of the Data Subject and what they can reasonably expect. We expect that a widely worded 'catch-all' consent may not be valid under the Privacy Bill.

(e) Storage limitation - The data fiduciary can retain PD only until necessary to satisfy the purpose for which it was processed. Data fiduciaries have to conduct periodic reviews to determine whether retention of PD continues to be necessary.

(f) Data quality – Data fiduciary to take reasonable steps to ensure that the PD processed is complete, accurate, not misleading and updated, in view of the intended purpose.23

21 - Body corporates are entitled to not provide goods or services for which any information is sought – in respect of which consent has not been provided or has been withdrawn.

22 - Note that the requirement to procure consent for processing of PII is not present under the existing regime i.e. the Privacy Rules.

23 - While this obligation has been imposed on the data fiduciaries under the Privacy Bill, the actions that may need to be undertaken by the data fiduciaries to comply with this obligation need to be ascertained. This may be important since correction of incorrect data, completion of incomplete data and updating of out of date data is within the domain of the Data Subject. The Data Subject also has the right of correction under the Privacy Bill.

Indonesia

MCI Regulation 20/2016 adopts several principles related to the general processing of Personal Data:

  • Lawful basis for processing
    The key principle in the general processing of Personal Data is to obtain consent from the relevant Data Subject. Unless provided otherwise by laws and regulations, any use of information through electronic media which involves the Personal Data of a person must be made with the approval of that person. Exceptions where consent may be waived include cases where the Personal Data has been disclosed or published through the Electronic System for public services, and where a lawful interception is exercised for law enforcement purposes.
  • Purpose limitation
    The purpose of processing Personal Data must be in accordance with, and have been expressly stated during, the collection of the Personal Data. Under MCI Regulation 20/2016, an ESO is not allowed to carry out any personal data processing which is not within the scope of the processing purposes spelled out in the Data Subject’s consent form.
  • Data minimisation
    MCI Regulation 20/2016 requires an ESO to only obtain and gather information that is relevant to and conforms with the purposes disclosed to the Data Subject during the collection of the Personal Data. What information counts as relevant may be decided by a Supervisory Agency or Sectoral Regulator.
  • Retention Period
    With regard to the Personal Data retention period, MCI Regulation 20/2016 refers to the laws and regulations set out by the relevant Supervisory Agency and Sectoral Regulator. However, should there be no statute that specifically governs it, MCI Regulation 20/2016 sets out that Personal Data shall be retained for at least 5 (five) years, starting from the last date on which the relevant Data Subject was considered a User.
  • Transparency
    Two provisions in MCI Regulation 20/2016 give effect to the transparency principle. Firstly, the Data Subject is entitled to access, or be given the opportunity to obtain, the history of the Personal Data transferred to the ESO, to the extent permitted by the prevailing laws and regulations. Secondly, the ESO is required to notify the Data Subject in the event of a data breach.

Portugal

Any processing of PII must comply with the following principles, laid down mainly in articles 5 and 6 of the GDPR:

a) Lawfulness (which requires that a legal basis is established to process PII, such as, consent, performance of a contract, compliance with a legal obligation, protection of vital interests, public interest, legitimate interests, without prejudice of the Portuguese Data Protection Act introducing more specific requirements for the processing and other measures to ensure lawful and fair processing), fairness and transparency;

b) Purpose limitation, under which PII shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

c) Data minimization that demands PII to be adequate, relevant and limited to what is necessary in relation to the purposes for which such PII is processed;

d) Accuracy in order to ensure that PII is accurate and kept up to date;

e) Storage limitation, pursuant to which PII shall be kept for no longer than is necessary for the purposes for which they are processed;

f) Integrity and confidentiality to ensure PII is protected against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures;

g) Accountability in the sense that the controller is not only responsible for but also must be able to demonstrate that the processing of PII is compliant with the above principles.

5. Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?

It is up to the controller to decide in advance what will be the legal basis upon which the processing relies on. However, when making this decision, controllers should bear in mind Article 29 Working Party Guidelines on Consent (WP259rev.01) according to which “if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent” as “the controller cannot swap from consent to other lawful bases”. Thus, consent should be the legal basis to rely on when no other lawful bases apply.

Consent is required for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. On many occasions, consent is also the lawful basis required for processing of special categories of personal data (e.g. interventional studies or clinical trials in humans, call recording, location data and biometric data outside an employment relationship).

The GDPR does not require any specific form or content, nor does it establish rules for the administration of consent, but the Portuguese Data Protection Law may introduce restrictions or special provisions in this regard, particularly for the processing of special categories of personal data.

Despite the above, consent must be free, specific, informed and unambiguous, given by means of a statement or a clear affirmative action, and it is incumbent upon the controller to prove that the data subject has validly consented to the processing of his/her PII.
The GDPR also foresees in its article 7.2 that if consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Furthermore, the controller must ensure that data subjects can easily withdraw consent at any time.

Finally, WP259rev.01, referred to above, provides guidance relating to the form, content and administration of consent that controllers, in the absence of specific laws, regulations and guidelines in their jurisdiction, should take into consideration, as these guidelines reflect the position of the European Data Protection Authorities and their interpretation of the GDPR provisions.

United Kingdom

A controller will be responsible for, and must be able to demonstrate compliance with, the fundamental data protection principles, namely to:

  • process personal data lawfully, fairly and transparently;
  • ensure the purposes of processing are specified, explicit and legitimate;
  • ensure the processing of personal data is adequate, relevant and not excessive;
  • keep personal data accurate and up to date;
  • not keep personal data longer than necessary; and
  • process personal data in a secure manner.

There is also an overriding principle of accountability. A controller is responsible for and must be able to demonstrate compliance with the principles by having appropriate, documented records, processes, policies and training.

A controller must provide a 'fair processing notice' setting out how the data will be used and disclosed, the lawful basis for the processing and the individual's rights amongst other things. This information should be easily accessible, easy to understand, and in clear and plain language.

A controller must also establish a legal basis for processing personal data, and show that one of the following applies:

  • individual has given their consent to the processing;
  • processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for the compliance with a legal obligation;
  • processing is necessary to protect the vital interest of the data subject or another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or
  • processing is necessary for the purpose of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (particularly where the data subject is a child).

There are more limited lawful bases for processing special category data, one of which must apply in addition to one of the lawful bases above where the data is special category data. These include (but are not limited to) processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defense of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, social security and social protection law. Full details are set out in Article 9 of the GDPR and Parts 1 and 2 of Schedule 1 of the DPA 2018.

Sweden

Yes, there are restrictions on, and principles related to, the general processing of personal data.

The controller must always have lawful basis in order to process personal data. Article 6 of the GDPR outlines the following six (6) available lawful bases for the general processing of personal data:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Which basis is most appropriate to use will depend on the controller’s purpose of the processing and relationship with the data subject.

Supplementary provisions are found in the Data Protection Act, which state in respect of the lawful bases in article 6(1)(c) and 6(1)(e) of the GDPR, that the legal obligation and public interest respectively, must follow from statute, collective bargaining agreement or decision based on statute.

The controller must also make sure that its processing of personal data complies with the following six (6) principles relating to processing of personal data (article 5(1) of the GDPR):

  • Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
  • Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accuracy: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject;
  • Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Greece

Principles relating to processing of personal data are provided in article 5 of the GDPR and concern:

  • lawfulness, fairness and transparency,
  • purpose limitation,
  • data minimization,
  • accuracy,
  • storage limitation, and
  • integrity and confidentiality

Another principle which should also be mentioned is accountability, which refers to the explicit responsibility of the controller to be able to demonstrate compliance with all of the aforementioned principles.

In order to comply with the principle of lawfulness, processing activities must rest on one of the legal bases under article 6 of the GDPR (personal data in general) or, for special categories of personal data, on one of the conditions under article 9 of the GDPR.

Moreover, before the entry into force of the GDPR, the HDPA adopted certain regulatory acts, directives, opinions and decisions in order to regulate specific personal data processing across various business sectors. The directives and opinions serve as interpretative guidance on the existing legal framework, further specifying certain provisions. The most important among these are the following:

  • Regulatory Act No 1/1999 on the obligation of the controllers to inform the data subjects,
  • Directive No 115/2001 on the processing of personal data of employees,
  • Directive No 1/2005 on the safe destruction of personal data,
  • Directive No 1/2011 on the use of CCTV systems for the protection of persons and goods,
  • Directive No 2/2011 on electronic consent,
  • Opinion No 6/2013 on the access of third parties to public documents containing personal data,
  • Opinion No 1/2016 on the terms and conditions of ‘opt-out’ of unwanted communication for direct marketing or for other advertising purposes.

Turkey

As a general principle under Law No. 6698, the processing of personal data without the explicit consent of the data subject is prohibited. However, the Law provides certain derogations from this general rule, set out as conditions under which personal data may be processed without the explicit consent of the data subject.

These conditions apply where the data processing:

a. is expressly envisaged under the laws;
b. is necessary in order to protect the life or physical integrity of the data subject or another person in cases where the data subject is physically or legally incapable of giving consent;
c. is necessary for the conclusion or performance of a contract, provided that the processing is directly related to the parties of the contract;
d. is necessary for compliance with a legal obligation to which the data controller is subject;
e. concerns information that has already been made public by the data subject;
f. is necessary for the establishment, exercise, or protection of a right;
g. is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject shall not be overridden.

Austria

Each processing operation must comply with the principles set out in art. 5 GDPR. The controller is responsible for compliance with these principles and must be able to demonstrate such compliance upon request.

Data protection law follows the principle of prohibition subject to authorization: the processing of personal data is, as a basic principle, prohibited and may only be carried out where authorized by law. The cases in which processing is permissible (the legal bases) are set out in art. 6 GDPR.

France

Any entity falling within the scope of application of the French DPA 1978 must comply with the fundamental data protection principles (French DPA 1978, Article 4). Personal data must be:

  • processed lawfully, fairly and transparently;
  • collected for specified, explicit and legitimate purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and where necessary kept up to date;
  • kept for no longer than necessary; and
  • processed in a secure manner.

There is also an overriding principle of accountability. A controller is responsible for and must be able to demonstrate compliance with data protection principles by having appropriate, documented records, processes, policies and training.

A controller must provide a 'fair processing notice' setting out how the data will be used and disclosed, the lawful basis for the processing and the individual's rights amongst other things. This information should be easily accessible, easy to understand, and in clear and plain language.

A controller must also establish a legal basis for processing personal data, and show that one of the following applies:

  • individual has given their consent to the processing;
  • processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for the compliance with a legal obligation;
  • processing is necessary to protect the vital interest of the data subject or another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (particularly where the data subject is a child).

There are more limited lawful bases for processing special category data, one of which must apply in addition to one of the lawful bases above where the data is special category data. These include but are not limited to processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defense of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, health, social security and social protection law. Full details are set out in Article 9 of the GDPR and Articles 6 and 44 of the French DPA 1978.

United States

In general, U.S. law does not impose comprehensive restrictions on or requirements related to the processing of PII by private industry outside of government contracting, and there is no requirement that entities that process PII establish a “legal basis” for such processing. Certain federal and state laws may require consent from an individual prior to collecting or otherwise processing certain types of PII or PI under certain circumstances. In some cases, specific disclosures regarding the processing activity must be provided prior to processing, but these obligations are not omnibus in nature. Numerous state and federal records retention laws may apply to PII and PI collected or retained in various circumstances, but there are no universally applicable data retention periods for PII and PI. The FTC has recognized and encouraged the use of the Fair Information Practice Principles (FIPPs), which serve as guidelines for handling and safeguarding electronic PII, and application of FIPPs is required by the federal government and its contractors in many instances. These principles include notice, choice, consent, access, integrity, security and accountability.

Malaysia

The PDPA 2010 embodies seven data protection principles, which are set out in Sections 6 to 12 of the PDPA 2010, namely:

(i) General Principle – Any processing of personal data requires the consent of the data subject;
(ii) Notice and Choice Principle – Data subject shall be notified by written notice of the purpose for which data is collected and processed;
(iii) Disclosure Principle – No personal data shall be disclosed to any third party without the consent of the data subject;
(iv) Security Principle – Practical steps are required to be taken to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
(v) Retention Principle – Personal data shall not be kept longer than is necessary for the fulfilment of the original purpose that it was obtained for;
(vi) Data Integrity Principle – Obligation to take reasonable steps to ensure that personal data is accurate and kept up to date;
(vii) Access Principle – A data subject shall be given access to his personal data and be able to make corrections where it is inaccurate or incomplete.

The PDPA does not stipulate a specific duration for which Personal Data shall be kept. The PDPA however states that Personal Data shall not be kept longer than is necessary for the fulfilment of its purpose of processing. The Data User shall take all reasonable steps to ensure that all Personal Data is destroyed or permanently deleted when it is no longer required for the purpose for which it is to be processed.

Gibraltar

The processing of PII is prohibited unless there is a lawful basis for it. Article 6(1) of GDPR sets out the lawful bases for processing PII as follows:

  • the data subject has given consent to the processing for one or more specific purposes;
  • the processing is necessary for a contract with the individual, or because they have asked for specific steps to be taken before entering into a contract;
  • the processing is necessary to comply with the law (not including contractual obligations);
  • the processing is necessary to protect the vital interests of the data subject or another person;
  • the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law; or
  • the processing is necessary for the data controller’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests, especially where the data subject is a child.

The fair practice principles for the processing of PII (Article 5(1) of GDPR) are as follows:

  • data shall be processed fairly and lawfully;
  • data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes;
  • data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed;
  • data shall be accurate and, where necessary, kept up to date;
  • data processed for any purpose shall not be kept for longer than is necessary for that purpose or those purposes. This is commonly accepted as 6 years but there is no firm rule on this point;
  • data shall be processed in accordance with the rights of the data subject.

Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of data and against accidental loss or destruction of, or damage to, data.

Data must not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of data.

Ireland

A controller will be responsible for, and must be able to demonstrate compliance with, the fundamental data protection principles, namely to:

  • process personal data lawfully, fairly and transparently;
  • ensure the purposes of processing are specified, explicit and legitimate;
  • ensure the processing of personal data is adequate, relevant and not excessive;
  • keep personal data accurate and up to date;
  • keep personal data for no longer than necessary; and
  • process personal data in a secure manner.

There is also an overriding principle of accountability. A controller is responsible for and must be able to demonstrate compliance with the principles by having appropriate, documented records, processes, policies and training.

A controller must provide data subjects with a 'fair processing notice', setting out how relevant data will be used and disclosed, the lawful basis for the processing and the individual's rights, amongst other things. This information should be easily accessible, easy to understand, and in clear and plain language.

A controller must also establish a legal basis for processing personal data, and show that one of the following applies:

  • the individual has given their consent to the processing;
  • the processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract;
  • the processing is necessary for the compliance with a legal obligation;
  • the processing is necessary to protect the vital interest of the data subject or another natural person;
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • the processing is necessary for the purpose of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the rights and freedoms of the data subject (particularly where the data subject is a child).

There are more limited lawful bases for processing special category data, one of which must apply in addition to one of the lawful bases above. These include (but are not limited to) processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defense of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, social security and social protection law.

Japan

Although the APPI does not require a legal basis for processing personal data in the sense of Article 6 of the GDPR, to process personal information in Japan it is necessary to comply with the rules on Specifying a Utilization Purpose (Article 15, APPI), Restriction due to a Utilization Purpose (Article 16, APPI), Proper Acquisition (Article 17, APPI), and Notification, etc. of a Utilization Purpose when Acquiring (Article 18, APPI).

In addition, a business operator handling personal data shall strive to keep personal data accurate and up to date within the scope necessary to achieve a relevant utilization purpose, and to delete the personal data without delay when its utilization has become unnecessary (Article 19, APPI).

Updated: September 16, 2019