Under the GDPR there are six data protection principles. A data controller must comply with all six general principles when processing personal data:
- Lawfulness, fairness and transparency - Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes).
- Data minimisation - Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
- Retention - Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes).
- Integrity and confidentiality - Personal data must be kept securely.