Today, everything is data or can be expressed as data. Data are not just an extension of people's digital selves but an integral part of them, and at the same time their misuse can seriously harm the rights and freedoms of individuals. Informational self-determination and sovereignty are aspects of basic freedom.
Therefore, personal data need to be protected against misuse in the same way every other right has to be protected.
In the EU, the legal basis for the protection of personal data is the General Data Protection Regulation (GDPR). Some key principles of the GDPR are:
- Every use of personal data needs either the informed consent of the data subject or a permission in law.
- Personal data may only be used for the purposes they have been initially collected for (purpose limitation).
- Every use of personal data must be limited to what is necessary for the purpose of processing (data minimization).
- Data must only be kept as long as necessary and then be deleted (storage limitation).
- Personal data must be processed in a way that ensures appropriate security, including protection against unlawful processing, accidental loss, destruction, or damage by appropriate technical or organizational measures (integrity and confidentiality).
- Personal data must be correct and up-to-date (accuracy).
- Data must be processed transparently. Data subjects must know which data are processed in which way and for what purpose (transparency).
To ensure compliance with these principles, the GDPR gives data subjects extensive rights vis-à-vis the controller of any data processing. Furthermore, data protection supervisory authorities may also hold processors accountable.