Data minimization
The minimization principle is one of the six core principles of the GDPR, which are:
- Purpose limitation;
- Data minimization;
- Accuracy;
- Storage limitation;
- Integrity and confidentiality;
- Accountability.
Under this principle, the controller may only collect personal data that are adequate, relevant and limited to what is necessary for the purposes for which they are processed.
In any case, the data must not be excessive in relation to the purpose of their processing.
Data minimization therefore depends on the processing concerned, and in particular on its purpose.
The data controller must critically examine whether the processing of the data is, on the one hand, appropriate to achieve the intended purpose and, on the other hand, adequate and necessary for this purpose.
The data processed must not be excessive and must be strictly necessary for the fulfilment of the specified purpose, so as to avoid any possible further processing.
Data minimization thus also contributes to the principle of data protection by default and by design.
The anonymization of personal data that are no longer strictly necessary for the original purpose of their processing may be a way for the controller to comply with the minimization principle.
Similarly, if the purposes for which the data are processed do not require the controller to identify the data subject, the controller should not seek to obtain further information in order to identify the data subject if this is not necessary for the purpose of the processing.
GDPR point
“Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization).”
Article 5 of the GDPR
Point of jurisprudence
The CNIL noted that “The telephone number is not used by the company, which only sends out email canvassing, which the company does not dispute. The panel therefore considers that the telephone number should not have been collected and processed by the company in connection with the purchase of the databases in 2014 and 2015 and that it should, in any event, have been immediately deleted upon receipt of said databases.”
CNIL, December 7, 2020, No. SAN-2020-016
The Bouchara law firm assists you in particular with:
- Making your organization GDPR compliant;
- The drafting of data protection policies (privacy policy, computer charter…);
- Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
- Obtaining certifications and adhering to codes of conduct;
- The study of the legal feasibility of the implementation of a new personal data processing;
- The drafting and transmission of your codes of conduct to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
- Training and awareness of your employees.
We are also the external Data Protection Officer of many data processors and subcontractors.