In addition to the justification of the processing on one of the legal bases mentioned in Article 6 GDPR, the processing must be carried out transparently "in good faith". The principle of transparency includes the obligation of the controller to provide data subjects with comprehensive and comprehensible information about the processing in clear and plain language. Individuals should be informed about the risks, rules, safeguards and rights relating to the processing of personal data and how they can assert their rights in this regard (see also Recital 39 GDPR).
Personal data must be processed for a specific purpose. The purposes of the processing must already be determined at the time of collection and communicated to the data subjects. The data collected may then only be processed for these specified purposes. If you have collected data from participants for the implementation of a training programme, you may not simply use this data for other purposes, for example to send advertising to participants.
Only the amount of personal data required for the respective purpose should be collected. Always scrutinise which data you really need for the application. For example, only an e-mail address is required to send a newsletter. In this case, the mandatory provision of name, address or date of birth would be inadmissible.
The controller must ensure that the data it collects is correct. This implies that data subjects must have the opportunity to correct their data. Incorrect data must be deleted.
Personal data may only be stored for as long as it is needed for the purpose of processing. If the purpose expires, the data must be deleted unless there are other legal regulations that justify or require longer storage (e.g. national legislation).
According to this regulation, personal data of participants should actually be deleted after the end of a training programme. However, there may be reasons that allow the institute to keep the data in the system:
The institution is obliged to define appropriate deletion periods for the respective data. The government may have different retention periods, meaning that certain parts of the data records must be deleted earlier than others. In this case, the institution is responsible for finding out about the relevant regulations and implementing them.
Data protection also means data security. Anyone who processes personal data is also responsible for the security of this data. This primarily means security against unauthorised access or transmission to third parties. The controller must ensure the security of the processing.
In case of doubt, the controller must be able to prove the implementation of the GDPR. They must be able to prove that suitable and effective measures have been implemented to ensure the protection of personal data.