Data Minimisation
Article 5 (1) (c) GDPR — only what is necessary
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Data minimisation is one of the six GDPR principles (Article 5 (1) (c)). Personal data may only be processed where it is adequate, relevant and limited to what is necessary for the purpose.
What is data minimisation?
Practical examples of data-minimisation breaches:
- Requesting date of birth on newsletter sign-up — not necessary
- Full postal address for purely online delivery of digital products
- Copy of ID card for a standard job posting
Practical example
Online shop: an address is required for shipping. For newsletter sign-up the email address is sufficient; a telephone number is not required. If the shop makes the telephone number a mandatory field on newsletter sign-up, that is a breach of data minimisation.
Frequently asked questions
How does data minimisation differ from storage limitation?
Data minimisation governs which data may be processed; storage limitation governs how long it may be kept. Both are anchored in Article 5.
Fine for a breach?
Article 83 (5) (a) — up to EUR 20 million or 4% of worldwide group turnover.
Can I expand the scope later?
Only on a new legal basis, and only after the data subjects have been informed.