7 GDPR Principles: Real-World Examples and Practical Insights from an Attorney

In this article, I'll explain the 7 key GDPR principles, providing detailed examples for each one based on real-world cases and decisions. These practical examples will help you understand how each principle applies in real-life scenarios, guiding you as you take the first steps toward GDPR compliance.

Remember, the GDPR applies to any business that processes data identifying or potentially identifying an EU/EEA resident. So, if you handle data from customers living in one of the GDPR countries, you must comply with GDPR requirements, even if your business is based outside the EU, for example in the US.

Therefore, it's important to get familiar with these core GDPR principles to ensure your business stays compliant.

Key Takeaways

What are the 7 main principles of GDPR?

The 7 core GDPR principles are clearly outlined in Article 5 of the regulation:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

These 7 principles form the foundation of the GDPR, providing clear guidance on how personal data of GDPR countries' residents should be processed.

They embody the core values of the regulation and set the framework for more detailed, implicit GDPR principles that businesses must also follow (e.g., data protection by design and by default, customer communication, protection of data during international transfers).

Principle 1 - Lawfulness, fairness and transparency

What is GDPR principle 1 about?

GDPR Principle 1 is about lawfulness, fairness, and transparency. It means you must collect and use personal data legally, treat it fairly, and be open with people about how their data is being used.

This includes informing them about what data you collect, how long you'll keep it, and why you collect it (e.g., you need the data to execute your contract with your customer: you need their name and address to deliver their goods).

The purpose of GDPR Principle 1 (lawfulness, fairness, and transparency) is to ensure that businesses handle personal data responsibly and ethically. It builds trust between businesses and consumers and protects consumers from unfair data treatment by allowing them to exercise their rights under the GDPR.

GDPR Principle 1 – Real-World Examples

Shadow banning or shadow blocking

Shadow banning or shadow blocking violates GDPR Principle 1.

Shadow banning is when you hide a user's content without telling them first. For example, a platform might hide a user's content to reduce spam or harmful content, quietly limiting their visibility without alerting them.

Vinted was fined €2,385,276 by the Lithuanian Supervisory Authority for applying shadow banning to users.

This case teaches us that if you want to comply with GDPR Principle 1, you must alert the user before limiting their visibility on your platform. That is because:

  • Users gave you consent for their data to be used in exchange for using your platform. Therefore, when you exclude them from the platform without their knowledge, you don't have any legal basis for collecting their data anymore;
  • You aren't transparent regarding how you will use their data and therefore aren't processing their data with fairness;
  • You also prevent them from exercising their rights under the GDPR (e.g., withdraw consent, delete data) as they don't even know they were banned from the platform.

Absence of clear privacy policies

Another, more straightforward real-world example of a violation of GDPR Principle 1 is not having clear policies about how you are going to use users' personal data.

Not having clear policies violates GDPR Principle 1 because it prevents transparency, making it unclear to users how their data is being used, processed, or protected. This lack of clarity undermines fairness and trust, as users are not informed about their rights or the data practices affecting them.

The municipality of Voorschoten was fined €30,000 by the Dutch Data Protection Authority (DPA), in part due to its lack of clarity regarding the intended use of its customers' personal data and for holding their data for much longer than necessary.

Principle 2 - Purpose limitation

What is GDPR principle 2 about?

GDPR Principle 2 is about purpose limitation. It means that you should only collect personal data for specified, legitimate purposes and not process the data you collected in a way that is incompatible with those purposes.

In practice, that means that you must clearly define and communicate the reasons why you collect certain data. If, later on, you want to use the data for something else, you must request new consent.

GDPR Principle 2 – A Real-World Example

Using data for purposes other than consent

As an e-commerce website owner, you cannot use the personal data (e.g., name, email) you collect from customers for order fulfillment for other purposes, such as marketing.

If you want to do so, you must request additional consent from your customers.

Amazon was fined by the Luxembourg National Commission for Data Protection (CNPD) for these practices. However, Amazon has appealed the fine, so the final decision is still pending.

Principle 3 - Data minimization

What is GDPR principle 3 about?

GDPR Principle 3 is about data minimization. You should collect only the minimum amount of personal data required to achieve the purposes for which the data is processed.

Therefore, you should avoid collecting excessive or unnecessary data that isn't directly needed for the specified objective.

GDPR Principle 3 – Real-World Examples

Intrusive employee surveillance measures

Tracking and recording every single one of your employees' activities down to the minute is a violation of GDPR Principle 3.

Amazon was fined €32 million by the French Data Protection Authority, in part because it used this type of surveillance system to measure employees' performance.

According to the French Authority, Amazon could have achieved the same performance measurements with less data and did not need to record each of its employees' movements down to the minute. This is intrusive to the employees' privacy.

Collecting data unrelated to purpose

Collecting data unrelated to the purpose of the consent has been considered a violation of GDPR Principles 2 and 3.

A company was fined by the French Data Protection Authority (CNIL) for collecting the date and place of birth and social security numbers of candidates for extra or host positions for television events.

The French Authority determined that this was not relevant to the purpose of the data collection, which was to evaluate the candidates' ability to perform.

Principle 4 - Accuracy

What is GDPR principle 4 about?

GDPR Principle 4 is about data accuracy. This means that personal data should be accurate and kept up to date, and you should take every reasonable step to ensure that inaccurate data is either corrected or deleted without delay.

In other words, your records should be updated when needed and reflect the most accurate data available.

GDPR Principle 4 – Real-World Examples

Keeping inaccurate and non-updated personal data

Keeping inaccurate and non-updated personal data violates GDPR Principle 4.

The Dutch Tax and Customs Administration was fined €3,700,000 by the Dutch Data Protection Authority (DPA), in part because it kept inaccurate personal data and did not take reasonable steps to rectify or delete such data.

Ignoring a user's request to rectify inaccurate personal data

An example of non-compliance with GDPR Principle 4 would be to ignore a user's request to rectify inaccurate personal information you have stored about them.

Principle 5 - Storage Limitation

What is GDPR principle 5 about?

GDPR Principle 5 is about storage limitation. That means that personal data should not be kept for longer than is necessary for the purposes for which it was collected.

Once the data is no longer needed to fulfill your purpose, it must be securely deleted or anonymized.

GDPR Principle 5 – A Real-World Example

Personal data from inactive users' accounts

Retaining personal data from inactive accounts for extended periods violates GDPR Principle 5.

Discord was fined €800,000 for keeping inactive users' data for an undetermined duration.

Since the accounts were inactive and the users no longer required the service, there was no valid purpose for retaining their data. As a result, the data should have been securely deleted.

Principle 6 - Integrity and Confidentiality

What is GDPR principle 6 about?

GDPR Principle 6 is about integrity and confidentiality, sometimes referred to as the security principle.

That means that you should process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

In practice, that means implementing robust cybersecurity measures such as encryption, data anonymization or strong access controls to protect data from unauthorized access and data breaches.

GDPR Principle 6 – Real-World Examples

Storing users' passwords in unencrypted plaintext

Meta was fined €91 million by the Irish Data Protection Commission in part for storing certain passwords of social media users in plaintext in their databases instead of using encryption.
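As an added example (not from the article or from any of the companies it mentions), here is the plaintext storage pattern the Meta decision sanctioned beside the usual hardened alternative: in practice passwords are not encrypted at all but stored as salted, deliberately slow hashes (PBKDF2-HMAC-SHA256 from Python's standard library here), together with a small audit that flags rows still holding a recoverable password. The function names and the in-memory dict standing in for a user table are assumptions.

```python
# Added example, not the article's code: plaintext password storage versus a
# salted, slow hash, plus an audit check. Names and the dict "database" are assumed.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def store_password_plaintext(db: dict, user: str, password: str) -> None:
    """The sanctioned practice: the secret sits in the row exactly as typed,
    so anyone who can read the table (or a backup, or a log dump) has it."""
    db[user] = {"password": password}


def store_password_hashed(db: dict, user: str, password: str) -> None:
    """Hardened form: a random per-user salt and a deliberately slow derivation,
    so the table never holds anything from which the password can be recovered."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db[user] = {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(db: dict, user: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time. Rows without a hash (e.g. legacy plaintext rows) never verify."""
    row = db.get(user)
    if row is None or "hash" not in row:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), row["salt"], row["iterations"])
    return hmac.compare_digest(digest, row["hash"])


def audit_plaintext_passwords(db: dict) -> list:
    """Detection control: list users whose row still carries a recoverable
    password field, i.e. rows that must be migrated before the next audit."""
    return sorted(user for user, row in db.items() if "password" in row)


if __name__ == "__main__":
    users = {}  # constructed sample data
    store_password_hashed(users, "alice", "correct horse battery")
    store_password_plaintext(users, "bob", "hunter2")
    print("alice logs in:", verify_password(users, "alice", "correct horse battery"))
    print("rows still in plaintext:", audit_plaintext_passwords(users))
```

Migrating the flagged rows means re-hashing each password at the user's next successful login, since the hardened path cannot be applied retroactively to a value you should not be able to read.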

Bulk emails and negligence

An example of non-compliance would be to send bulk emails containing special category data, such as the medical records of a high-risk group of patients.

The Tavistock & Portman NHS Foundation Trust was fined £78,400 by the UK Authority for having sent emails of this type.

The foundation did utilize BCC emails and provided regular cybersecurity training for its employees, but sending bulk emails is considered an insecure method for transferring data. This is especially true for sensitive data (e.g., health records). A more secure solution would have been to use software that sends individual emails.

Principle 7 – Accountability

What is GDPR principle 7 about?

GDPR Principle 7 refers to the accountability principle. It is about having people (data controllers) within the company who are responsible for ensuring compliance with the GDPR, and having systems in place to ensure GDPR compliance.

The idea is to ensure that the actions taken by the business align with the GDPR's requirements: that documentation and records are readily available for the authorities, that there are regular staff training and risk assessments, and that someone is dedicated to responding to GDPR requests.

GDPR Principle 7 – A Real-World Example

Absence of clear policies regarding deletion and storage of personal data

You need clear governance policies to comply with GDPR Principle 7.

Danske Bank was fined €1.3 million by the Danish Data Protection Authority for being unable to demonstrate that it had clear policies laying out rules for the deletion and storage of personal data.

Conclusion

Ultimately, the GDPR principles under Article 5 are here to set the tone and the spirit of the GDPR regulation.

As you can see, it is not black and white, and each situation is treated on a case-by-case basis by the national authority. The idea is always to ensure respect and ethical use of users' personal data.

Be sure to check your personal situation with an attorney to ensure that you comply with the GDPR requirements!

Disclaimer: This article is written by Valine Mayer-Trinh, a New York attorney with an LLM degree from Cornell and master’s degrees in business and financial law from top French law schools.

While I strive to provide accurate and up-to-date legal information, this article is for general informational purposes only and does not constitute legal advice. This is a platform for me to express my thoughts and reading this article does not create an attorney-client relationship.

Although I have extensive education in French law, please note that I am only licensed to practice in New York, not Europe. The legal landscape is complex, new regulations may emerge, and the application of existing laws can vary depending on specific circumstances. Therefore, I strongly encourage you to consult with an expert and qualified attorney to address your specific legal concerns.
