GDPR: Data protection principles (2024)

The 7 principles of the GDPR.

Personal data shall be:

See Also

The UK GDPR

processed lawfully, fairly and in a transparent manner in relation to the data subject(‘lawfulness, fairness and transparency’)
collected for specified, explicit and legitimate purposes and not further processed ina manner that is incompatible with those purposes; further processing for archivingpurposes in the public interest, scientific or historical research purposes orstatistical purposes shall, in accordance with Article 89(1), not be considered to beincompatible with the initial purposes (‘purpose limitation’)
adequate, relevant and limited to what is necessary in relation to the purposes forwhich they are processed (‘data minimisation’)
accurate and where necessary, kept up to date; every reasonable step must betaken to ensure that personal that are inaccurate, having regard to the purposes forwhich they are processed, are erased or rectified without delay (‘accuracy’)
kept in a form which permits identification of data subjects for no longer than isnecessary for the purposes for which the personal data are processed; personaldata may be stored for longer periods insofar as the personal data will beprocessed solely for archiving purposes in the public interest, scientific or historicalresearch purposes or statistical purposes in accordance with Article 89(1) subject toimplementation of the appropriate technical and organisational measures requiredby this Regulation in order to safeguard the rights and freedoms of the data subject(‘storage limitation’)
processed in a manner that ensures appropriate security of the personal data,including protection against unauthorised or unlawful processing and againstaccidental loss, destruction or damage, using appropriate technical ororganisational measures (‘integrity and confidentiality’)
the organisation must be responsible for the data it holds, demonstratingcompliance with the other principles (‘accountability’)