To understand GDPR better it is useful to know what are the data protection principles set forth in the GDPR.
- Lawfulness, fairness and transparency. Clause 1(a) of Article 5 of the GDPR requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals;
- Purpose limitations. According to Clause 1(b) of Article 5 of the GDPR, personal data can only be obtained for “specified, explicit and legitimate purposes”. Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.
- Data minimisation. According to Clause 1(c) of Article 5 of the GDPR, data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, i.e. no more than the minimum amount of data should be kept for specific processing.
- Clause 1(d) of Article 5 of the GDPR sets forth that data must be “accurate and where necessary kept up to date”.
- Storage limitations. According to Clause 1(e) of Article 5 of the GDPR, it is expected that personal data is “kept in a form which permits identification of data subjects for no longer than necessary”, i.e. data no longer required should be removed.
- Integrity and confidentiality. Clause 1(f) of Article 5 of the GDPR requires processors to handle data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”.