Before data may be processed by the controller, a number of conditions of lawfulness must be met to ensure an adequate protection of privacy.
When you process personal data, you must comply with the following principles:
Principles of lawfulness, fairness and transparency
Personal data may only be collected, recorded, used and transferred in compliance with the Regulation, in good faith and in a manner that is transparent towards the data subject.
Purpose limitation principle
The use of personal data must be strictly confined to the purposes for which they are processed.
These purposes have to be determined before the processing begins. They must be defined precisely and refer to one or more specific purposes (specified and explicit purposes). At the same time, they must correspond to one or more of the cases provided for by law (legitimate purposes).
In principle, data should not be processed subsequently in a manner incompatible with the original purposes.
Principle of data minimisation
Personal data must be adequate, relevant and limited to what is necessary to achieve the chosen purposes.
Also known as the principle of necessity and proportionality, data minimisation means that you should only process data that is necessary (and not merely useful) to achieve the defined purposes.
Principle of accuracy
The collected data have to be accurate and, where necessary, kept up to date.
Processing must not be based on outdated or erroneous data. You must take every reasonable step to ensure that inaccurate data are rectified or erased without delay.
Principle of retention limitation
You must not retain data for longer than is necessary for the achievement of the purposes for which they were collected and processed. At the end of the retention period, the data must be deleted or anonymised.
You must therefore determine a proportionate storage duration.
Principle of integrity and confidentiality
Personal data must be processed in a manner that ensures their appropriate security.
You must guarantee the integrity and confidentiality of the data, using appropriate technical and organisational measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Principle of accountability
You must be able to demonstrate your compliance ("accountability").
As the controller, you have to implement appropriate measures so that you can demonstrate that the processing of personal data is carried out in compliance with the Regulation.