GDPR Chapter 2: processing personal data – principles, lawfulness, consent and categories

Chapter 2 of the General Data Protection Regulation (GDPR or Regulation 2016/679) zooms in on the key aspects, rules and aspects of personal data processing with attention for the special categories of data which we tackled in our article on personal data protection and the data subject.

The different articles of GDPR Chapter 2 (Articles 5-11) of the GDPR text, among others, stipulate the principles regarding personal data processing, the lawfulness of personal data processing, the conditions for consent regarding personal data processing (including consent of children), the processing of special categories of personal data (sensitive data, genetic data, biometric data…) and processing of personal data in relationship with criminal convictions and offences. In other words: an essential chapter with important principles to cover in your GDPR awareness trainings and key to understand and act upon in order to avoid GDPR fines and penalties.

GDPR text chapter 2 - personal data processing principles and consent

The principles which are laid out in Chapter 2 in a nutshell (with links to the Articles and relevant Recitals)

Article 5: principles relating to processing of personal data

The first paragraph of Article 5 summarizes six principles regarding (the processing of) personal data.

They are 1) lawfulness, fairness and transparency, 2) purpose limitation, 3) data minimisation, 4) accuracy, 5) storage limitation and 6) integrity and confidentiality. The second paragraph looks at accountability.

Article 5 of Chapter 2 is related with Recital 39 which covers some principles of data processing and lawfulness.

Article 6: lawfulness of processing

In the first paragraph of Article 6 you find six ‘conditions’ whereby, if at least one applies, data processing is considered lawful.

The second paragraph of Article 6 stipulates what Member States can and can’t decide, paragrapgh 3 mentions the legal basis and paragraph 4 contains important rules in case the processing for a purpose other than that for which the personal data have been collected or isn’t based upon consent of the data subject.

Here, on top of Recital 39, also check out Recital 40 (data subject consent as the basis of lawful personal data processing).

Article 7: conditions for consent

Article 7 of GDPR Chapter 2 is really your key data subject consent principle with 4 paragraphs that further detail the conditions for consent, including the right of the data subject to withdraw his/her consent.

Although there is more on consent in the GDPR. Check out following consent-related Recitals:

  • Recital 32 (on consent indication, consent affirmation and consent purpose/scope)
  • Recital 33 (consent and personal data processing for scientific research)

Article 8: conditions applicable to child’s consent in relation to information society services

Article 8 builds further upon the fact that special protection is needed for children as stipulated in Recital 38.

Consent of children and parental responsibility are further established and the age of children is introduced. In general it’s under 16 years old but Article 8 gives a right to Member States to lower that age within the limits of that same Article 8.

Article 9: Processing of special categories of personal data

Article 9 explicitly forbids, in principle as there are some exceptions following further, the processing of personal data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and also the processing of genetic data and biometric data to identify a natural person. Also data concerning health, a natural person’s sex life or sexual orientation are forbidden.

Yet, in the second paragraph of Article 9 the exceptions to that general rule are outlined in 10 circumstances/conditions.

For genetic data do take a look at Recital 34 and for personal health data Recital 35 is important.

Article 10: Processing of personal data relating to criminal convictions and offences

In Article 10 of GDPR Chapter 2, as the description already says, another group of special data is mentioned with specific rules: personal data in the scope of criminal offences and convictions.

Article 11: Processing which does not require identification

And with Article 11 the principles of GDPR Chapter 2 are closed with a few additional stipulations.

In Chapter 3, the GDPR text next starts laying out the rights of the data subject.

GDPR Chapter 2 explained in video

So, that’s quite a lot. Fortunately there are ample of trainings, videos, blogs and much more on the GDPR.

Our preferred format is still video so here is a video from a seminar on GDPR Chapter 2, “General Principles, Processing Conditions, Privacy Notices” by Fox Williams (we are not related with them and do keep into account that, depending on the country you’re from there might be some details that are harder to understand).

GDPR Chapter 2 in little over 12 minutes (do watch the part on consent and legitimate interest, it’s important).



GDPR Chapter 2 image: Shutterstock – Copyright: Carlos Amarillo. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.