
What is data minimization?

The Principle of Data Minimization according to the GDPR

The “data minimization” concept states that a data controller should only gather personal information that is directly relevant and essential to achieving a particular objective. They should also only keep the data for as long as is required to fulfill that objective.


Article 5 of the GDPR outlines the fundamental data protection principles to be followed while processing personal data. Among them is data minimization, commonly known as “data avoidance.”

According to the GDPR’s data minimization standards, personal data must be:

adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

This implies you must meet the following standards.

1. The data gathering must be appropriate to the processing’s intended aims.

For example, when someone subscribes to a newsletter, collecting the data subject’s address is not appropriate to the objective (sending the digital newsletter via e-mail). You are therefore not allowed to collect it in the newsletter subscription form.

2. The gathering should be essential to complete the processing.

For example, the goal of collecting biometric data as part of a fingerprint check at a building’s door is to prevent unauthorized individuals from entering.

3. The context in which the data is processed is equally essential. 

The fact that specific data is appropriate and required to achieve a goal is insufficient.

For example, a geolocation system may be put on a truck for optimal route planning, but it may only be operational during the driver’s working hours.

If these standards are not met, the data subjects are entitled to all of the rights outlined in Chapter III and Article 77 of the GDPR. They have the right, in particular, to have the data destroyed if it is no longer required for the processing’s purpose.


How do you guarantee data minimization?

When processing data, you must ask yourself which data is required to fulfill the goal. Our Consent Database helps you record and manage GDPR & LGPD consent and privacy preferences for each of your users. It smoothly integrates with your consent collection forms, syncs with your legal documents, and includes a user-friendly dashboard for reviewing consent records of your activities.

Transparency is also critical. Do not bury references to data processing in lengthy contract texts or make contract completion contingent on granting consent for additional processing. Our Privacy and Cookie Policy Generator helps you quickly generate and manage your legal documents that are professional, self-updating, and customizable from 1700+ clauses, available in 11 languages, drafted by an international legal team, and up to date with the leading international legislation.
