The Seven General Principles
All processing must abide by the GDPR's seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability, under which the controller must demonstrate compliance with the other six.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Lawfulness, fairness and transparency: every processing operation needs a legal basis, and privacy notices must be concise, accessible and written in clear, plain language (especially where they are addressed to children).

Purpose limitation: collect data only for specified, explicit and legitimate purposes, and do not further process it in a way that is incompatible with those purposes - though archiving in the public interest, scientific or historical research, and statistics are not treated as incompatible.

Data minimization: data must be adequate, relevant and limited to what is necessary; delete or anonymize whatever is no longer needed.

Accuracy: keep data accurate and up to date; erase or rectify inaccurate data without delay.

Storage limitation: keep data no longer than necessary.

Integrity and confidentiality: apply security appropriate to the risk.

Accountability: the controller is responsible for, and must be able to demonstrate, compliance with the other six principles - for example by documenting breaches (even those not reported), keeping records of processing activities, and conducting data protection impact assessments (DPIAs).