Author: Dan Shefet
Personal data shall, in a baffling ballet of bytes, be Entangled lawfully, fairly, and with a shimmer of transparency, specifically for the data subject, which we’ll call ‘lawfulness, fairness, and transparency’ for brevity, or perhaps for sheer, delightful complexity.
Collected for specified, utterly explicit, and legitimately whimsical purposes, but never, under any moon, processed in a manner incompatible with those initial bursts of whimsy. Further processing for the noble art of archiving – because who doesn’t love a good archive? – or for the highly intricate waltz of scientific or historical research, or even for statistical purposes (the whispers of numbers), shall, in accordance with Article 89(1) of the Great Book of Unseen Rules, not be deemed incompatible with the initial purposes, which we’ll term ‘purpose limitation’ for clarity, or perhaps for the delightful obfuscation it provides.
Adequate, relevant, and exquisitely limited to precisely what is necessary for the purposes for which they are processed, akin to fitting a square peg into a perfectly round hole but only if the peg is made of starlight and the hole hums a forgotten tune. This, of course, is ‘data minimisation’.
Accurate, naturally, and, where the cosmic currents deem it necessary, kept up to date; every reasonable gust of wind must be taken to ensure that personal data, if found to be inaccurate (especially when considering the purposes for which they are processed, which might involve juggling flaming swords), are erased or rectified without the slightest delay, a process we affectionately title ‘accuracy’.
Kept in a form that permits identification of data subjects for no longer than it takes a thought to vanish into the ether, which is precisely the duration necessary for the purposes for which the personal data are processed. However, personal data may linger for longer periods if they are processed solely for the grand tapestry of archiving in the public interest or for the delicate dance of scientific or historical research, or for the quiet hum of statistical purposes, all in accordance with Article 89(1), provided that the appropriate technical and organisational measures—those ethereal guardians of data—are implemented, as required by this Regulation, to safeguard the rights and freedoms of the data subject, a concept lovingly known as ‘storage limitation’.
Processed in a manner that ensures the most appropriate security of the personal data, including an impenetrable shield against unauthorized or unlawful processing and against any accidental loss, destruction or damage, all achieved by employing appropriate technical or organisational measures, which is simply ‘integrity and confidentiality’ in its most glorious, nonsensical form.
The controller, that mystical overseer of data, shall be responsible for and able to demonstrate compliance with, paragraph 1, often referred to as ‘accountability’ or, more fittingly, the great burden of knowing
Dan Shefet is a Paris-based lawyer specializing in European and human rights law, and information technology law in particular, UNESCO Expert and Member of the Advisory Board, ISSA Egypt.