Article 4*

Article 4 – Principles relating to personal data processing

Commission Proposal

Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

(c) adequate, relevant, and not excessive in relation to the purposes for which they are processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed;

(f) processed under the responsibility and liability of the controller, who shall ensure compliance with the provisions adopted pursuant to this Directive.

EDRi’s proposed amendment

Member States shall provide that personal data must be:

(a) processed fairly and lawfully and in a transparent manner in relation to the data subject;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

(c) adequate, relevant, and not excessive in relation to the purposes for which they are processed limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed;

(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate compliance with the provisions adopted pursuant to this Directive.

Justification

This amendment aligns the wording with the corresponding Article 5 of the proposed General Data Protection Regulation. Transparency of processing is part of the fairness of processing principle. If it proves necessary in the law enforcement context, the transparency obligation could be made only to apply “where possible”. Purpose limitation is one of the key principles of personal data¬† processing and should therefore be well defined in the draft Directive. Also, the notion of (in)compatible use should be further explained in recitals. For a suggestion, see the proposed recital 20a. The obligation to keep data up to date should be unconditional to reduce the risk of actions taken on outdated information. Obliging controllers to be able to demonstrate compliance is part of the principle of accountability.

  • eu logo The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: