KB 2023 004108 - [2025] EWHC 1824 (KB)

The third, fifth and sixth processing principles under article 5(1) give rise to requirements of “data minimisation” (article 5(1)(c)), “storage limitation” (article 5(1)(e)) and “integrity and confidentiality” (article 5(1)(f)). These can be seen (both individually and collectively) as giving expression to the requirement of proportionality: the processing of personal data should be limited to that which is “necessary” in relation to the purpose of that processing, kept in a form which permits identification of that data subject/s for no longer than is “necessary”, and processed in a manner that ensures appropriate security. I address the question of necessity below, but there is a potential relevance to these principles of concepts of anonymisation and pseudonymisation. The former will mean that the data subject is no longer identifiable and, as such, the data is no longer “personal data” (per article 4(1)), which would thus limit the processing. Where that is not possible, pseudonymisation might provide appropriate security of the personal data (the reduction of risks referenced by recital (28)).