Yiuno

Personal Data Protection

10 min read

Personal Data Protection

The legal and ethical principle that individuals have the right to control how their personal information is collected, used, stored, and shared — and that anyone processing that data must have a valid reason and handle it responsibly.

What is it?

Personal data protection is the foundational principle behind every major data privacy law in the world. It starts from a simple premise: information about a person belongs, in a meaningful sense, to that person. Anyone who wants to process it — collect, store, analyse, share, or delete it — must justify why and follow rules about how.

“Personal data” is broader than most developers think. It’s not just names and email addresses. Under the GDPR and its equivalents, personal data is any information that can identify a living person, directly or indirectly. An IP address is personal data. A cookie ID is personal data. A location trail is personal data. Even data that seems anonymous can become personal if it can be linked back to someone.1

The laws that enforce this principle — the EU’s GDPR, Switzerland’s nDSG (FADP), California’s CCPA, Brazil’s LGPD — differ in detail but share the same seven core principles, first codified in Article 5 of the GDPR.2

In plain terms

Personal data protection is like a library’s borrowing rules. The library (your application) can hold books (data), but each book belongs to a borrower (the data subject). You need their card (consent or legal basis) to check it out, you must return it when due (storage limitation), and you can’t lend it to someone else without asking (purpose limitation).

At a glance

How does it work?

The seven core principles

These principles originate from the GDPR’s Article 5 but are echoed in the Swiss nDSG, the CCPA, and international frameworks like the Council of Europe’s Convention 108+.2

1. Lawfulness, fairness, and transparency

You must have a legal basis to process personal data. The six legal bases under GDPR are: consent, contract, legal obligation, vital interests, public interest, and legitimate interests. The Swiss nDSG takes a different approach — processing is lawful by default unless a justification ground is violated (personality rights).3

Think of it like...

Before entering someone’s house, you need a reason to be there: you were invited (consent), you’re delivering something they ordered (contract), or you’re a firefighter responding to a call (legal obligation). You can’t just walk in because the door is open.

2. Purpose limitation

Data collected for one purpose cannot be repurposed for another without a new legal basis. If someone gives you their email for account login, you cannot use it for marketing without separate consent.

3. Data minimisation

Collect only what you need for the stated purpose. Don’t add “nice to have” fields to your forms. Don’t log data “just in case.”

Developer rule of thumb

For every field in your database schema, you should be able to answer: “Why do I need this specific piece of data, and what happens if I don’t have it?” If the answer is “nothing happens,” don’t collect it.

4. Accuracy

Personal data must be accurate and kept up to date. If someone’s information changes, your system should provide a way to correct it.

5. Storage limitation

Data must not be kept longer than necessary. This means building retention policies into your data layer — automated deletion schedules, not just a TODO for later.

6. Integrity and confidentiality

Data must be protected against unauthorised access, accidental loss, or destruction. This is where encryption, access controls, and security architecture meet data protection law.

7. Accountability

The data controller (you, the builder) must be able to demonstrate compliance with all of the above. This means records of processing activities, documented decisions, and audit trails.1

Data subject rights

The person whose data you process (the “data subject”) has enforceable rights:2

RightWhat it meansYour obligation
Access”What data do you have about me?”Provide a copy within 30 days
Rectification”This data is wrong — fix it”Correct inaccurate data promptly
Erasure”Delete my data”Delete unless you have a legal obligation to keep it
Portability”Give me my data in a usable format”Export as JSON, CSV, or similar
Objection”Stop processing my data for this purpose”Stop unless you have compelling grounds
Restriction”Keep it but don’t use it”Mark data as restricted, stop active processing

Concept to explore

Data subject rights have deep architectural implications — they require your system to locate, export, correct, and delete specific individuals’ data on request. This is much harder to retrofit than to design in from the start. See privacy-by-design for how to build these capabilities into your architecture.

Think of it like...

Different countries have different traffic laws, but they all agree on the basics: stop at red lights, don’t drive into people, follow the rules of the road. Data protection laws are the same — the details vary, but the principles are universal.

FrameworkJurisdictionKey difference
GDPREU/EEAConsent must be opt-in, explicit, and withdrawable
nDSG (FADP)SwitzerlandProcessing is lawful by default; consent needed only for sensitive data or high-risk processing
CCPA/CPRACaliforniaFocus on right to opt-out of data sale, not opt-in consent
LGPDBrazilVery close to GDPR; ten legal bases instead of six
CoE Convention 108+InternationalFramework convention — sets minimum standards, not detailed rules

Why do we use it?

Key reasons

1. It’s the law. GDPR fines can reach 4% of global annual turnover or EUR 20 million. Swiss nDSG imposes personal criminal liability on responsible individuals — up to CHF 250,000.

2. It’s the right thing to do. People deserve control over their information. Building respectful systems is an ethical obligation, not just a legal one.

3. It produces better software. Data minimisation leads to simpler schemas. Purpose limitation leads to cleaner APIs. Retention policies prevent database bloat. Privacy constraints are engineering constraints — and good constraints produce good design.

When do we use it?

  • When your application collects any information from or about users
  • When you aggregate data from public or third-party sources about identifiable people
  • When you store cookies, device fingerprints, IP addresses, or analytics data
  • When you share data with third parties (analytics providers, payment processors, API partners)
  • When you build features that display or transmit information about individuals
  • When you process data from one jurisdiction while operating in another

Rule of thumb

If you can answer “whose data is this?” with a person’s name — even theoretically — data protection principles apply. The threshold is lower than you think.

How can I think about it?

The hotel guest analogy

When a guest checks into a hotel, the hotel collects their name, ID, and credit card (lawfulness — contractual necessity). The hotel uses this data to provide the room and process payment (purpose limitation). It doesn’t photocopy the entire passport (minimisation). If the guest’s name is misspelled, they can ask for it to be corrected (accuracy). After checkout, the hotel keeps records for the legally required period and then destroys them (storage limitation). The guest’s data is kept in a safe, not pinned to the lobby noticeboard (security). And the hotel can show an auditor exactly what data it holds and why (accountability).

Your application is the hotel. Your users are the guests. The seven principles are your operating standards.

The medical record analogy

A doctor records only what’s clinically relevant (minimisation), for the purpose of treatment (purpose limitation), keeps it accurate and up to date (accuracy), stores it securely (confidentiality), and retains it for the legally mandated period (storage limitation). The patient can request their records at any time (access right) and ask for corrections (rectification).

Replace “doctor” with “developer” and “clinical record” with “user data.” The obligations are the same — just codified differently.

Concepts to explore next

ConceptWhat it coversStatus
privacy-by-designBuilding data protection into architecture from the startcomplete
data-provenanceTracking where data comes from and what rights attach to itcomplete
re-identification-riskWhen aggregated or “anonymous” data can identify peoplecomplete
data-protection-impact-assessmentFormal risk assessment before processingcomplete

Some cards don't exist yet

A broken link is a placeholder for future learning, not an error.

Check your understanding

Where this concept fits

Position in the knowledge graph 

graph TD
    A[Data Governance] --> B[Personal Data Protection]
    A --> C[Privacy by Design]
    A --> D[Data Provenance]
    B --> E[Data Subject Rights]
    B --> F[Legal Basis for Processing]
    B --> G[Cross-border Transfers]
    style B fill:#4a9ede,color:#fff

Related concepts:

Sources

Further reading

Resources

Footnotes

  1. GDPR Advisor. (2026). Understanding the 7 Core GDPR Principles. GDPR Advisor. 2

  2. Kukie.io Team. (2026). The 7 Core Principles of GDPR Data Processing Explained. Kukie.io. 2 3

  3. ZeonEdge. (2026). Data Privacy Engineering and GDPR Compliance in 2026: A Developer’s Complete Guide. ZeonEdge.

Graph View

Backlinks