GDPR: Understand everything about the principle of minimization
"Minimize" is a phrase used in common parlance to reduce the importance of something.
In data protection, Article 5.1 of the GDPR gives this principle a completely different meaning, one that concerns data collection.
In 5 minutes and a coffee, let's discover this principle and what it means together! ☕️
The response to the survey "According to the GDPR, collected data must be...?"
To introduce the subject, we ran a survey on February 22 on our LinkedIn page, asking you what collected data should be according to the principle of minimization.
You did well! Out of 204 voters, 89% of you answered "Adequate, relevant and limited". We will find out why together in the rest of this article.

The principles relating to the processing of personal data
Minimization is one of the 5 principles that the data controller must respect to implement processing in compliance with the GDPR.
According to Article 5.1 of the GDPR, the processing of personal data must comply with several principles:
- Lawfulness, fairness and transparency,
- Storage limitation,
- Purpose limitation, which we explained last week,
- The principle of this article: minimization,
- Security,
- Accuracy
Through our blog articles and our 1-minute "understand everything" episodes, we are presenting and explaining each of these principles in detail. Follow us so you don't miss any. Next week we will discuss the principle of security!
Understand the principle of minimization
Under the GDPR, to respect the principle of minimization, the personal data collected must be adequate, relevant and limited with regard to the purposes pursued by the data controller.
In simpler terms, the less data I collect, the better off I am. Only the data necessary to meet the purpose of the processing may be collected.
For example, if a user wants to subscribe to a newsletter, you only need to ask what is necessary for sending it. In our case, the user's email address is more than sufficient.

Data category
The categories of data to be collected are specific to each data processing operation. The relevance of data is therefore assessed on a case-by-case basis. This is why it is necessary to first determine the purpose of your processing. Once the purpose has been determined, you are able to identify the data you will need to meet the purpose of the processing. Then remember to collect as little data as possible and be precise about its relevance.
For example, if knowing your customer's age is not useful to you, record only the month and day of birth in order to send them a promotional offer on their birthday. Ask yourself the following question each time: can I still achieve the objective pursued by my processing without collecting this or that data? If the answer is yes, some data is superfluous, and you are collecting more data than necessary.
Justification and documentation
However, if other data needs to be collected, remember to justify the choice and inform people of the reasons why you are collecting this data.
In all cases, document your reasoning and the justifications for the data collection scope you have chosen.
This minimization has 2 advantages for your organization:
- The information collected will be easier to verify and quicker to update
- In the event of a data breach, unauthorized persons will have access to little information, so the risk for the data subjects will be limited to the scope of data concerned.
Sanction by the CNIL
In 2020, a trade union organization contacted the CNIL concerning evaluation files of RATP agents, used during arbitration meetings. RATP had implemented data processing relating to the evaluation of agents in order to create a file identifying people likely to obtain a promotion. As part of this processing, RATP recorded the number of strike days of each agent, distinguishing it from the number of days of absence. To follow up on the complaint it had received, the CNIL carried out checks and noted a number of breaches of the applicable regulations.
It also found compliance gaps regarding the data retention period and security.
The decision of the CNIL
Following these checks, the supervisory authority considered that the indication of the total number of days of absence was sufficient data to achieve the intended purpose. Conversely, knowing the reason for the absences, and in particular those relating to the agents' strike days, was considered excessive and not necessary in view of the initial purpose of the file in question. Beyond the fact that this collection is not relevant, it could also be highly detrimental to the agent in question. The right to strike being a fundamental freedom guaranteed by the constitution, its exercise must not be able to be used against the agent in the context of making a decision regarding his advancement.
For the aforementioned reasons, the CNIL imposed a fine of 400,000 euros and made its decision public.
Data Comply One (formerly Mission RGPD) facing the principle of minimization

Having trouble with your processing register? You don't have time to think it through and actually set it up? Or do you lack the means to be compliant?
✅ With Data Comply One (formerly Mission RGPD), you simply identify the purposes of your processing and the data collected. Thanks to our pre-filled templates, you will find proposals for writing purposes and sub-purposes ready to use. You can obviously modify them if necessary and even create your own templates.
Don't waste any more time, it's so simple!