Lesson 13 of 25

The Processing Principles in Practice

5 min read · CIPP/E

Apply fairness, purpose limitation, proportionality, accuracy, retention, and security to real processing, including the Article 6(4) compatibility test. Build the least-intrusive instinct that unlocks best-answer questions.

Domain III: principles in action

  • Domain III applies the principles to real processing
  • Same ideas as Article 5, now operational
  • Fairness, purpose limitation, proportionality, accuracy, retention, security
  • 13-21 scored questions live here

Domain three, European data processing, carries between thirteen and twenty-one scored questions, the second-heaviest weighting. It revisits the principles from Article 5, but now from the operational angle: how do you actually do processing the right way? The Body of Knowledge restates fairness and lawfulness, purpose limitation, proportionality, accuracy, storage limitation or retention, and integrity and confidentiality.

We covered the bare principles in Domain two; here we apply them, which is where the exam's scenario questions live. The difference in mindset is this: Domain two asks what the principle says, Domain three asks whether a described practice complies with it.

Fairness and lawfulness in practice

  • Lawfulness — always have an Article 6 basis
  • Fairness — no surprises, no hidden adverse effects
  • Match what you do to what people reasonably expect
  • Fairness can fail even when a basis exists

Start with fairness and lawfulness. Lawfulness in practice means you can point to a specific Article 6 basis for every processing activity, which we cover in detail in the next lecture. Fairness is subtler, and the exam tests it precisely because people forget it: even if you have a lawful basis, the processing can still be unfair if it operates in ways the person would not reasonably expect, or if it produces unjustified adverse effects.

Using data collected for fraud prevention to quietly score someone for marketing might have a basis on paper yet still be unfair. So fairness is an independent hurdle. When a scenario feels like a bait-and-switch, the fairness principle is usually in play.

Purpose limitation and the compatibility test

  • Specify purposes up front; don't drift
  • Further processing must be compatible (Art. 6(4))
  • Compatibility factors: link, context, nature, consequences, safeguards
  • Incompatible new use needs a fresh basis or consent

Purpose limitation deserves its own beat because Domain three operationalises it. You specify your purposes up front, and if you later want to use the data for something new, you must check whether the new purpose is compatible with the original one. Article 6(4) gives the compatibility test: consider the link between the original and new purposes, the context in which the data was collected, the nature of the data, especially if it is special-category, the possible consequences for the person, and the safeguards you apply, like encryption or pseudonymisation.

If the new use is compatible, you can proceed on the original basis; if it is incompatible, you generally need a fresh lawful basis or the person's consent. Watch for archiving, research, and statistics, which the GDPR treats as presumptively compatible further purposes, provided appropriate safeguards are in place. A clean way to remember the rule: the original purpose is a box, and you may only reuse the data inside that box, or in a box close enough to be compatible; jumping to an unrelated box needs fresh permission.

Proportionality and data minimisation

  • Proportionality — don't use a sledgehammer for a nut
  • Minimisation — collect only what's necessary
  • Ask: is there a less intrusive way to meet the purpose?
  • Drives many 'best answer' choices

Proportionality is the principle that quietly decides a lot of best-answer questions. It asks whether the processing is a proportionate means of achieving the purpose, or whether a less intrusive option would do. Closely related is data minimisation: collect and process only what is adequate, relevant, and limited to what is necessary.

So if a scenario offers an option that achieves the goal while touching less data, less intrusively, that is usually the right answer, because it is the proportionate one. When the exam asks for the best approach to a privacy problem, default to the least intrusive option that still meets a legitimate purpose. That instinct will earn you points across the whole exam.

Accuracy, retention, and security applied

  • Accuracy — keep data correct; have a correction process
  • Storage limitation — set retention schedules; delete on time
  • Integrity and confidentiality — embed security in the process
  • These connect to rights and Article 32

The remaining principles, applied. Accuracy in practice means having processes to keep data current and to correct it, which is also how you honour the right to rectification. Storage limitation in practice means setting defined retention periods and actually deleting or anonymising data when those periods expire, rather than hoarding it; an indefinite retention policy is a classic violation.

And integrity and confidentiality in practice means embedding the Article 32 security measures we covered (encryption, access control, resilience) into the processing itself rather than bolting them on afterward. Notice how Domain three keeps connecting principles to concrete obligations and rights; that web of connections is exactly what makes the best answer best.

Recap

  • Domain III = applying the principles to real processing
  • Fairness is a separate hurdle from lawfulness
  • Purpose limitation uses the Article 6(4) compatibility test
  • Default to the least intrusive, proportionate option

So Domain three is the principles in action. Lawfulness means a real Article 6 basis, and fairness is a separate hurdle: no surprises, no unjustified harm. Purpose limitation forbids incompatible reuse, judged by the Article 6(4) compatibility test, with archiving and research presumptively compatible.

Proportionality and minimisation push you toward the least intrusive option that meets the purpose, which is usually the exam's best answer. And accuracy, retention, and security must be built into how you process. Next, we go deep on the engine of lawful processing itself, the six lawful bases of Article 6.

First, go test yourself on the processing principles.

Sources

  • Regulation (EU) 2016/679 (GDPR), Article 5(1) principles applied to processing
  • Article 6(4) (compatibility test)
  • Recitals 39, 50
  • EDPB guidance on data minimisation and storage limitation

Test your knowledge

A few CIPP/E questions on this material — pick an answer to see the explanation.

  Q1. Which of the following items is NOT required to appear in a privacy notice under Articles 13 or 14 of the GDPR?

  Q2. Which mechanism allows personal data to flow freely from the EU to a third country in the same way it flows within the EU, without requiring any additional safeguards from the exporter?

  Q3. What was the core legal reason the CJEU struck down both the Safe Harbor framework in Schrems I and the Privacy Shield in Schrems II?

  Q4. A multinational group of companies wants to transfer employee data among its subsidiaries in the EU, Asia, and the Americas. Which transfer mechanism is specifically designed for intra-group transfers?
