GDPR Lisianne Marzani November 10, 2017

Waterline’s Handy Dandy Summary of GDPR: Chapter 2

Today, we continue a series of blog posts that summarize how each of the GDPR articles may affect your business. These summaries can serve as an additional resource for those who need a quick and easy explanation. We kicked this series off last week with Chapter 1. Let us resume with Chapter 2.


CHAPTER 2: Principles

Article 5: Principles relating to processing of personal data

This lays out how personal data should be treated. It should be processed lawfully, fairly and transparently; collected for explicit and legitimate purposes, limited to what is necessary for said purposes, accurate and kept up to date, personally identifiable only as long as necessary, and secure.

It also states that the controller (the person or company that determines the means of processing personal data) must demonstrate compliance in all the above areas.

Article 6: Lawfulness of Processing

This explains what’s considered lawful processing of data. The person or data subject must have given consent; the processing fulfills the contract between business and consumer; or it’s necessary for compliance, to protect the consumer, or to act in the public interest. It also specifies that processing deemed necessary “for the purposes of the legitimate interests pursued by the controller or by a third party” is overridden by the interests or rights of the consumer—particularly if he or she is a minor—but that all of these requirements in turn are overridden when the data is being processed by public authorities. If the processing is for a purpose beyond what is expressly allowed by consent or Union/Member State law, the article lays out the conditions a controller must meet in order to demonstrate it is acting within the bounds of consent or law.

Article 7: Conditions for Consent

Article 7 says consent must have been given in very clear and plain language and that it will not be binding if it infringes on any aspect of GDPR. The article also says consent can only extend to the service specified and that it must be easy for the data subject to withdraw consent at any time.

Article 8: Conditions Applicable to Child’s Consent in Relation to Information Society Services

This specifies that a child is anyone under 16 and that a child’s consent must be authorized by someone with “parental responsibility” except when Union or Member State law says otherwise. Even then, GDPR will consider anyone under 13 a child. Article 8 also requires the controller to make every reasonable effort via available technology to verify consent has been given by someone with parental responsibility.

Article 9: Processing of Special Categories of Personal Data

Article 9 creates a special category for personal data—including genetic or biometric data—that reveals race, politics, religion, philosophy, health, sexual orientation or trade union membership. Collection of such data is prohibited unless explicit consent has been given, the person has already made such data public, it’s member data processed by a not-for-profit body and kept within the confines of said body, or processing is necessary for a number of reasons—many of which pertain to public interest.

Article 10: Processing of Personal Data Relating to Criminal Convictions and Offences

This says processing of any data related to criminal convictions or offenses must be carried out by official authorities or be authorized by Union or Member State law, and that any register of criminal convictions must be kept under the control of said official authority.

Article 11: Processing Which Does Not Require Identification

This is a small but important article that informs controllers of their obligation to jettison personally identifiable data once it’s no longer needed to fulfill their part of the contract with the consumer.

For the full text of GDPR: Chapter 2, go to:

After that, check out how Waterline Data can resolve a key challenge in complying with GDPR by helping you identify and understand everything you need to know about your data, including origin:

Next week: Chapter 3.