EU data protection guidelines

I was pointed to Paolo Guardia’s excellent Data Protection, Information Privacy, and Security Measures: an Essay on the European and the Italian Legal Frameworks. Here’s an excerpt:

Data Protection Principles

Data protection regulations in the EU set the main principles that establish how data processing shall be performed. We can summarize privacy principles as follows:

Fair and Lawful Processing: the collection and processing of personal data shall neither unreasonably intrude upon the data subjects’ privacy nor unreasonably interfere with their autonomy and integrity, and shall be compliant with the overall legal framework.

Consent: personal data shall be collected and processed only if the data subject has given his explicit consent to their processing.

Purpose Specification: personal data shall be collected for specified, lawful and legitimate purposes and not processed in ways that are incompatible with the purposes for which data have been collected.

Minimality: the collection and processing of personal data shall be limited to the minimum necessary for achieving the specific purpose. This includes that personal data shall be retained only for the time necessary to achieve the specific purpose.

Minimal Disclosure: the disclosure of personal data to third parties shall be restricted and only occur upon certain conditions.

Information Quality: personal data shall be accurate, relevant, and complete with respect to the purposes for which they are collected and processed.

Data Subject Control: the data subject shall be able to check and influence the processing of his personal data.

Sensitivity: the processing of personal data, which are particularly sensitive for the data subject, shall be subject to more stringent protection measures than other personal data.

Information Security: personal data shall be processed in a way that guarantees a level of security appropriate to the risks presented by the processing and the nature of the data.

Will the pervasive data mining on the web ever become compliant?


  1. Would a wiki that collects the name, homepage, affiliation of researchers and their line of work be possible? I can find Steven Strogatz's birthday on Wikipedia. Is this "personal data"? (and I can even find the religious membership of a president-elect on Wikipedia – this is sensitive personal data) Researchers would typically not give consent, the collection may not be for a specific purpose and the data may not be accurate, relevant or complete. I guess the data is already public…

  2. Keith O'Rourke says:

    > already public…

    There are now requirements for disclosure of apparent or possible conflicts of interest by researchers made by many journals.

    There were/are arguments that it would be unethical to survey authors of published articles without getting their informed consent. This would allow them to refuse to disclose information and the surveyor would not be allowed to identify those who refused.

    I do think publishing an article "automatically" waives certain privacy rights…