Study Guide: Certified Information Privacy Professional (CIPP): EU - Data Protection Principles, Art. 5 GDPR, Lawfulness, Fairness, Transparency, Purpose Limitation, etc.
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-data-protection-principles-art-5-gdpr-lawfulness-fairness-transparency-purpose-limitation-etc

Certified Information Privacy Professional (CIPP): EU - Data Protection Principles, Art. 5 GDPR, Lawfulness, Fairness, Transparency, Purpose Limitation, etc.

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

The Data Protection Principles (GDPR Art. 5) are the “rules of the road” that every controller and processor must follow when handling personal data. They set the baseline for lawful, fair, and transparent processing, limit why data can be used, and require accuracy, storage limitation, integrity, and accountability.

Real-world snapshot: A German-based e-commerce platform ships orders to customers worldwide. When a U.S.-based marketing firm asks for the EU customers’ email addresses to run a newsletter, the platform must first check that the original purpose (order fulfilment) is compatible with the new marketing use, that a lawful basis exists, and that the data subjects are told exactly how their data will be used. Failure to respect the Art. 5 principles would expose the company to €20 million-plus fines and reputational damage.


Key Terms & Provisions

  • Lawfulness, Fairness & Transparency (Art. 5(1)(a) GDPR – EU): Processing must have a legal basis, be done in a way individuals would expect, and be clearly communicated (privacy notice, e-privacy cookie banner).
  • Purpose Limitation (Art. 5(1)(b) GDPR – EU): Personal data may only be collected for specified, explicit, and legitimate purposes and not further processed incompatibly. Example: using employee health data collected for occupational safety to target them with health-insurance ads would breach this principle.
  • Data Minimisation (Art. 5(1)(c) GDPR – EU): Only the minimum amount of data necessary for the purpose may be collected. A travel-booking site should store only the passport number, not the full credit-card PIN.
  • Accuracy (Art. 5(1)(d) GDPR – EU): Controllers must keep data up to date and correct inaccuracies without delay. Hospitals must have procedures to update patient contact details when a change is reported.
  • Storage Limitation (Art. 5(1)(e) GDPR – EU): Personal data must not be kept longer than needed for the purpose. A marketing list should be purged after the campaign ends unless a longer retention is justified.
  • Integrity & Confidentiality (Art. 5(1)(f) GDPR – EU): Appropriate security measures (encryption, access controls) must protect data against accidental loss or unlawful access.
  • Accountability (Art. 5(2) GDPR – EU): The controller must be able to demonstrate compliance (records of processing, DPIAs, policies).
  • Legitimate Interest (Art. 6(1)(f) GDPR – EU): A lawful basis that allows processing when the controller’s interest is not overridden by the data subject’s rights. Example: a retailer analysing purchase trends for inventory optimisation, provided an opt-out is offered.
  • Consent (Art. 6(1)(a) GDPR – EU): Freely given, specific, informed, and unambiguous indication of wishes. Must be granular (e-privacy cookie consent) and withdrawable at any time.
  • Special Category Data (Art. 9 GDPR – EU): Sensitive data (health, biometric, political opinions) that requires higher protection and a stricter lawful basis (e.g., explicit consent or vital interests).
  • Data Subject Rights (Arts. 12–22 GDPR – EU): Right of access, rectification, erasure, restriction, portability, and objection – all must be honoured within one month.

Step-by-Step Process Flow (Applying Art. 5)

  1. Map the Processing Activity – Document what data is collected, why, where it is stored, and who has access (Data Flow Diagram).
  2. Identify the Legal Basis – Match each purpose to a GDPR lawful basis (e.g., contract, consent, legitimate interest). Record the justification.
  3. Perform a DPIA (if required) – For high-risk processing (large-scale profiling, special-category data), complete a DPIA and obtain DPO sign-off.
  4. Implement Technical & Organisational Measures – Apply encryption, pseudonymisation, access-role controls, and staff training to meet integrity, confidentiality, and accountability.
  5. Create/Update Transparency Documents – Draft a privacy notice that explains purpose, legal basis, data retention, and rights in clear language. Publish it where data subjects interact (website, app, onboarding forms).
  6. Monitor & Review – Set a periodic review (e.g., annually) to verify that data minimisation, accuracy, and storage limits are still being respected; purge or anonymise data that is no longer needed.

Common Mistakes

  • Mistake: Assuming “purpose limitation” ends after the first use and re-using data for any internal analysis. Correction: Conduct a “compatibility test.” If the new analysis is not compatible, obtain a new lawful basis (e.g., consent) before re-processing.
  • Mistake: Treating consent as a “checkbox” that can be pre-ticked. Correction: Use an explicit opt-in mechanism; the user must actively tick a box after being informed of the specific purpose.
  • Mistake: Believing that once data is anonymised it is automatically GDPR-free. Correction: Verify that anonymisation is irreversible; if re-identification is reasonably possible, the data remains personal and Art. 5 still applies.
  • Mistake: Ignoring the accountability principle because the organisation “just follows the law.” Correction: Keep detailed records (processing register, DPIA outcomes, breach logs) to demonstrate compliance to regulators.
  • Mistake: Setting a blanket retention period (e.g., “keep data for 7 years”) for all data types. Correction: Align retention with each purpose; for marketing lists, a shorter period may be justified, while financial records may require longer storage.

CIPP Exam Insights

  1. Art. 5 vs. Art. 6/9 – Exams often ask you to differentiate the principles (Art. 5) from the lawful bases (Art. 6) and special-category rules (Art. 9). Remember: principles are “how you must treat data”; bases are “why you may process it.”
  2. Legitimate Interest Balancing Test – A common scenario: a retailer wants to send promotional emails based on purchase history. You’ll need to identify the three-step test (purpose, necessity, balancing) and the requirement to provide an easy opt-out.
  3. Accountability Evidence – Expect a question on what documentation satisfies Art. 5(2). The answer: processing register, DPIA, policies, training records, and breach response plan.
  4. Special Category Data Exceptions – Look for the “explicit consent” exception vs. “substantial public interest” (e.g., public health). The exam loves to test whether you know that consent is not sufficient for processing health data for research unless the data is also anonymised.

Quick Check Questions

  1. Scenario: A UK-based SaaS provider collects employee email addresses to run a payroll service. It later wants to use the same addresses for a new “employee wellness” newsletter.
    Answer: The provider must obtain a new lawful basis (e.g., explicit consent) because the newsletter purpose is not compatible with the original payroll purpose (Purpose Limitation).

  2. Scenario: An EU citizen files a request to delete all their data from a US-based online retailer that has never offered a service to EU residents.
    Answer: The retailer must comply with the erasure request if the processing is covered by GDPR (Art. 3 territorial scope – “targeting” EU data subjects). If the retailer truly does not target EU residents (no EU language, no EU-focused marketing), it may argue the GDPR does not apply, but the burden of proof lies with the controller.

  3. Scenario: A hospital stores patient lab results for 10 years, citing legal retention for medical records. A data subject asks for correction of a result that is actually a typo.
    Answer: Under the Accuracy principle (Art. 5(1)(d)), the hospital must correct the inaccuracy promptly, even if the data is retained for statutory periods.


Last-Minute Cram Sheet (10 One-Liners)

  1. Art. 5(1) – 6 core principles: (a) lawfulness, fairness and transparency; (b) purpose limitation; (c) data minimisation; (d) accuracy; (e) storage limitation; (f) integrity & confidentiality (accountability sits separately in Art. 5(2)).
  2. Art. 5(2) – Accountability: Controllers must show compliance (records, DPIA, policies).
  3. Art. 6(1)(a) – Consent: Must be freely given, specific, informed, unambiguous; pre-ticked boxes are illegal.
  4. Art. 6(1)(f) – Legitimate Interest: Requires a three-step balancing test; always give a clear opt-out.
  5. Art. 9 – Special Category Data: Requires higher protection; consent must be explicit unless another exception applies.
  6. Art. 3 – Territorial Scope: GDPR applies to any controller offering goods/services to, or monitoring, EU data subjects, regardless of physical presence.
  7. Retention Rule: Keep data no longer than necessary for the purpose; periodic review is mandatory.
  8. Data Minimisation: Collect only what you need; “nice-to-have” fields are a compliance risk.
  9. Breach Notification: 72 hours after becoming aware (Art. 33); must inform the supervisory authority and, if high risk, affected data subjects.
  10. Landmark Case – Google Spain SL v. AEPD (C-131/12): Established the “right to be forgotten” and reinforced the purpose-limitation principle.

Good luck – you’ve got the principles, the process, and the exam tricks. Now go turn those notes into compliance!