The GDPR requires the following principles for processing personal data. Personal data shall be:
- Processed lawfully, fairly, and in a transparent manner in relation to the data subject;
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with the purpose;
- Adequate, relevant, and limited to what is necessary in relation to the purpose for which the data is processed;
- Accurate and necessary, kept up to date, and ensuring any inaccurate data is destroyed or rectified;
- Kept in a form which allows for identification of data subjects for no longer than is necessary for the purpose for which the data is processed (note that personal data may be stored for periods longer than the intended purpose for archival/record retention purposes provided appropriate safeguard measures are in place);
- Processed in a manner that ensures appropriate security of the personal data, including against loss, destruction or damage, or unauthorized disclosure.