There are basic principles which determine how personal data should be processed. The controller is required to demonstrate compliance with them (‘principle of accountability’). The most important ones state that personal data should be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject,

This means that the processing of personal data should always have a legal basis. The controller must be able to indicate which situation allowed by the GDPR justifies the processing of personal data. Moreover, according to the principle of transparency, any information and communication relating to the processing of those personal data should be easily accessible and easy to understand. That principle concerns, in particular, the information given to data subjects on the identity of the controller and the purposes of the processing, so that the processing is fair and transparent towards the natural persons concerned, and their right to obtain confirmation and communication of the processed personal data that directly concern them.

  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

According to the principle of purpose limitation, these purposes should fulfil the GDPR’s requirements at the time of the collection of the personal data.

  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

The so-called principle of data minimisation requires that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

  • accurate and, where necessary, kept up to date;

The controller is obliged to establish time limits for the erasure or periodic review of the processed personal data. Personal data that are inaccurate should be rectified or deleted.

  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

There are some exceptions to the principle of storage limitation. Personal data may be stored for longer periods if they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

  • processed in a manner that ensures appropriate security – i.e. protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The controller should ensure appropriate security and confidentiality of personal data, including by preventing unauthorised access to or use of personal data and of the equipment used for the processing.