The “data minimization” concept states that a data controller should only gather personal information that is directly relevant and essential to achieving a particular objective. They should also only keep the data for as long as is required to fulfill that objective.
Article 5 of the GDPR outlines the fundamental data protection principles to be followed while processing personal data. Among them is data minimization, commonly known as “data avoidance.”
According to the GDPR’s data minimization standards, personal data must be:
This implies you must meet the following standards.
For example, when someone subscribes to a newsletter, collecting the data subject’s address is not appropriate to the objective (sending the digital newsletter via e-mail), so you are not allowed to collect it in the newsletter subscription form.
For example, the goal of collecting biometric data as part of a fingerprint check at a building’s door is to prevent unauthorized individuals from entering.
The fact that specific data is appropriate and required to achieve a goal is insufficient.
For example, a geolocation system may be installed on a truck for optimal route planning, but it may only be operational during the driver’s working hours.
If these standards are not met, the data subjects are entitled to all of the rights outlined in Chapter III and Article 77 of the GDPR. They have the right, in particular, to have the data destroyed if it is no longer required for the processing’s purpose.
This article is a part of our series on GDPR and GDPR compliance.
When processing data, you must ask yourself which data is required to fulfill the goal. Our Consent Database helps you record and manage GDPR & LGPD consent and privacy preferences for each of your users. It smoothly integrates with your consent collection forms, syncs with your legal documents, and includes a user-friendly dashboard for reviewing consent records of your activities.