There are basic principles which determine how personal data should be processed. The controller is required to demonstrate compliance with them (‘principle of accountability’). The most important ones state that personal data should be:
It means that personal data processing should always have a legal basis. The controller must be able to indicate which situation allowed by the GDPR justifies the processing of personal data. Moreover, according to the principle of transparency, any information and communication relating to the processing of those personal data should be easily accessible and easy to understand. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing, which should be fair and transparent in respect of the natural persons and their right to obtain confirmation and communication of processed personal data which directly concern them.
According to the principle of purpose limitation, these purposes should fulfil GDPR’s requirements at the time of the collection of the personal data.
The so-called principle of data minimisation requires that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
The controller is obliged to establish time limits for the purposes of erasure or periodic review of the processed personal data. Personal data which are inaccurate should be rectified or deleted.
There are some exceptions to the principle of storage limitation. Personal data may be stored for longer periods if they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
The controller should ensure appropriate security and confidentiality of personal data, including for the prevention of unauthorised access to or use of personal data, along with the equipment used for the processing.