Six data protection principles form the basis of the processing of personal data and are of crucial importance. All processing must be based on these principles, which are set out in Article 5(1) GDPR.
- The first principle concerns lawfulness, fairness and transparency. It requires that personal data are processed in a lawful, fair and transparent manner in relation to data subjects. Transparency implies that any information and communication concerning the processing of personal data must be easily accessible and easy to understand, and that clear and plain language is used. More specifically, this principle ensures that data subjects receive information on the identity of controllers and the purposes of the processing of personal data.
- The second principle is that of purpose limitation. It means that personal data are to be collected only for specified, explicit and legitimate purposes, and that they may not be processed further in a way that is incompatible with those purposes. One should bear in mind, however, that further processing for the purposes of the public interest, scientific or historical research or statistical purposes is not considered incompatible with the initial purposes and is therefore allowed.
- The third principle is data minimisation. According to this principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Essentially, it means that data cannot be processed unless processing them is needed in order to achieve the above-mentioned purposes.
- Accuracy is the fourth principle. It requires that personal data are accurate and are kept up to date where necessary. Personal data that are inaccurate – considering the purposes for their processing – must be deleted or rectified without any delay.
- The fifth principle is storage limitation. It entails that personal data must be kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing. Storing these data for longer periods is allowed when the processing is aimed at achieving purposes in the public interest, scientific or historical research purposes or statistical purposes. Nevertheless, in these cases too, the rights and freedoms of data subjects must be safeguarded.
- Finally, the sixth principle, integrity and confidentiality, requires that appropriate security of personal data is ensured during processing. This should include protection against unauthorised or unlawful processing, destruction and damage. Appropriate technical or organisational measures are to be taken in order to comply with this requirement: such data security measures can include the use of encryption and of authentication and authorisation mechanisms.