Chapter 2 of the General Data Protection Regulation (GDPR or Regulation 2016/679) zooms in on the key aspects, rules and aspects of personal data processing with attention for the special categories of data which we tackled in our article on personal data protection and the data subject.
The different articles of GDPR Chapter 2 (Articles 5-11) of the GDPR text, among others, stipulate the principles regarding personal data processing, the lawfulness of personal data processing, the conditions for consent regarding personal data processing (including consent of children), the processing of special categories of personal data (sensitive data, genetic data, biometric data…) and processing of personal data in relationship with criminal convictions and offences. In other words: an essential chapter with important principles to cover in your GDPR awareness trainings and key to understand and act upon in order to avoid GDPR fines and penalties.
Table of Contents
- The principles which are laid out in Chapter 2 in a nutshell (with links to the Articles and relevant Recitals)
- Article 5: principles relating to processing of personal data
- Article 6: lawfulness of processing
- Article 7: conditions for consent
- Article 8: conditions applicable to child’s consent in relation to information society services
- Article 9: Processing of special categories of personal data
- Article 10: Processing of personal data relating to criminal convictions and offences
- Article 11: Processing which does not require identification
- GDPR Chapter 2 explained in video
Article 5: principles relating to processing of personal data
The first paragraph of Article 5 summarizes six principles regarding (the processing of) personal data.
They are 1) lawfulness, fairness and transparency, 2) purpose limitation, 3) data minimisation, 4) accuracy, 5) storage limitation and 6) integrity and confidentiality. The second paragraph looks at accountability.
Article 5 of Chapter 2 is related with Recital 39 which covers some principles of data processing and lawfulness.
Article 6: lawfulness of processing
In the first paragraph of Article 6 you find six ‘conditions’ whereby, if at least one applies, data processing is considered lawful.
The second paragraph of Article 6 stipulates what Member States can and can’t decide, paragrapgh 3 mentions the legal basis and paragraph 4 contains important rules in case the processing for a purpose other than that for which the personal data have been collected or isn’t based upon consent of the data subject.
Article 7: conditions for consent
Article 7 of GDPR Chapter 2 is really your key data subject consent principle with 4 paragraphs that further detail the conditions for consent, including the right of the data subject to withdraw his/her consent.
Although there is more on consent in the GDPR. Check out following consent-related Recitals:
- Recital 32 (on consent indication, consent affirmation and consent purpose/scope)
- Recital 33 (consent and personal data processing for scientific research)
Article 8: conditions applicable to child’s consent in relation to information society services
Consent of children and parental responsibility are further established and the age of children is introduced. In general it’s under 16 years old but Article 8 gives a right to Member States to lower that age within the limits of that same Article 8.
Article 9: Processing of special categories of personal data
Article 9 explicitly forbids, in principle as there are some exceptions following further, the processing of personal data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and also the processing of genetic data and biometric data to identify a natural person. Also data concerning health, a natural person’s sex life or sexual orientation are forbidden.
Yet, in the second paragraph of Article 9 the exceptions to that general rule are outlined in 10 circumstances/conditions.
In Article 10 of GDPR Chapter 2, as the description already says, another group of special data is mentioned with specific rules: personal data in the scope of criminal offences and convictions.
And with Article 11 the principles of GDPR Chapter 2 are closed with a few additional stipulations.
In Chapter 3, the GDPR text next starts laying out the rights of the data subject.
GDPR Chapter 2 explained in video
So, that’s quite a lot. Fortunately there are ample of trainings, videos, blogs and much more on the GDPR.
Our preferred format is still video so here is a video from a seminar on GDPR Chapter 2, “General Principles, Processing Conditions, Privacy Notices” by Fox Williams (we are not related with them and do keep into account that, depending on the country you’re from there might be some details that are harder to understand).
GDPR Chapter 2 in little over 12 minutes (do watch the part on consent and legitimate interest, it’s important).
GDPR Chapter 2 image: Shutterstock – Copyright: Carlos Amarillo. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.