Basic Principles of the GDPR
The GDPR is a rather encompassing piece of legislation that covers a wide variety of aspects of processing personal data. Parts of the GDPR are clearly outside the scope of this report. Whenever relevant, reference will be made to these parts of the GDPR. The first five chapters of the GDPR are more relevant for understanding the core principles of data protection regulation. We will, however, present only a rather brief overview of these core principles, sufficient to get an initial understanding of the legal framework on the processing of personal data. The focus will be on the general principles regarding the processing of personal data as used within the GDPR, followed by the grounds that can be invoked in order to establish lawful processing, the additional constraints when sensitive personal data are processed, the rights of data subjects and the obligations of data controllers. Issues related to the transfer of personal data to third countries are covered when relevant in treating the topics mentioned.
The GDPR starts by outlining some general provisions, including definitions of crucial concepts. Here the following definitions are relevant:
Personal data means “any information relating to an identified or identifiable natural person (‘data subject’).”
Processing means “any operation or set of operations which is performed on personal data or on sets of personal data … such as collection, recording, organisation, structuring, … dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Data concerning health means “personal data related to the physical or mental health of a natural person, including the provision of health care services which reveal information about his or her health status.”
An identifiable natural person is a person who can be identified directly or indirectly. The manner of identification – either directly or indirectly – is not precisely circumscribed in the GDPR. A name could suffice to identify a person, as could an online identifier (such as an email address) or an identifier relating to the “physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Processing is not described in a limitative sense either. The breadth of the terms used indicates that basically all operations that can be performed on personal data (including collection and erasure/destruction) should be seen as processing operations.