If an entity or individual uses your personal data, it may interfere with your human right to private life, namely, the right to control the use of your private information which is one of its aspects, but also a separate fundamental right in many jurisdictions. In order to optimally protect you in such situations, data users must process your data lawfully and follow certain obligations regarding appropriate data processing.

Lawful data processing

Every data processing activity interferes with your privacy. However, if the data processing is lawful, it will not result in a violation of your right to private life. For data processing to be lawful, it has to meet certain criteria and be based on one of the legal basis (such as consent, contract, legal duty, public interest or legitimate interests). 

Fair and transparent data processing

Fair and transparent data processing requires that your personal data is processed in a fair and transparent way. Transparency can be ensured by informing you about the purpose of your data processing:

  • what kind data will be (is) processed
  • in what manner it will be (is) done

You also have to be informed about who is processing your data and how to reach this institution or person in case you want to access your data or submit a question or request.

You are entitled to access your data at any moment. Covert data processing is prohibited. However, there may be exceptions provided by law, for example, where operational activities are carried out without a person’s knowledge.

Purpose of data processing

Your data can only be processed for a specific and lawful purpose, defined before the processing has started. Your data can be used for other purposes or given to other persons and entities only if it is permitted by law or if you have consented to it.

example Use of a person’s data for another purpose is allowed if it does not violate the rights of this person and is carried out for the needs of scientific or statistical research. In addition, the data user is obliged to disclose a person’s data to public authorities in specific situations provided by law, for example, if you are suspected of having committed a crime.

Duration of data storage

Your data shall not be kept longer than is necessary for the purposes for which the information was collected and processed. When the initial purpose has been fulfilled, the data should be deleted or anonymised.

If you believe that there is no further need for the data user to keep your personal data, you may request that it be deleted. However, in accordance with the law, your data may be kept for future scientific or statistical use, as well as for archiving purposes in public interest.

Relevancy and accuracy of data

Data users are obliged to collect and process only relevant and accurate personal data which is closely related to the purpose for which the processing was needed. Data should not be incomplete, outdated or false. If your personal data has been changed, you can request that it be rectified and updated by the data user.

Data minimization

Data minimization means that data users may process only those of your personal data which are actually necessary to achieve the purposes for which they are processed. Therefore the controller needs to consider before processing whether the same goal can be achieved without the use of personal data or with the use of less personal data.


The principle of accountability means that the data users must not only follow data protection rules, but also be able to demonstrate that they have adopted appropriate organizational and technical measures to guarantee that data protection rules are followed in any processing.

Human Rights Guide

A European platform for human rights education