5. Principles relating to personal data processing

Personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 are processed; personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 may be stored for longer periods insofar as the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

processed in a manner that ensures appropriate security of the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 , including protection against unauthorised or unlawful processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Recitals

Recital 39

Any processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 should be lawful and fair. It should be transparent to natural persons that personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 concerning them are collected, used, consulted or otherwise processed and to what extent the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 are or will be processed. The principle of transparency requires that any information and communication relating to the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 of those personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 and the purposes of the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 and further information to ensure fair and transparent processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 and how to exercise their rights in relation to such processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2. In particular, the specific purposes for which personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 are processed should be explicit and legitimate and determined at the time of the collection of the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 . The personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 could not reasonably be fulfilled by other means. In order to ensure that the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 are not kept longer than necessary, time limits should be established by the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 , including for preventing unauthorised access to or use of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 and the equipment used for the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2.

FAQs regarding this GDPR Article:

GDPR Fines based on this article

Title	GDPR Country	Number of involved data records	GDPR Fine
Unauthorized recording on toilet facility	Austria	unknown	25,000 €
Recording dashcam in road traffic	Germany	unknown	0 €
Improper disposal of customer data and unlawful video surveillance	Germany	unknown	6,500 €
Health data of a kindergarten teacher	Austria	1	600 €
Processing of sensitive data of prospective tenants without legal basis	Germany	9500	1,900,000 €
972,191 files encrypted after ransomware attack	United Kingdom	972191	117,295 €
Inappropriate use of contact tracing lists	Germany	unknown	170 €
Audio and video surveillance of employees, storage for too long, inadequate security measures	Germany	unknown	16,000 €
POLAS query on an online seller for private purposes	Germany	1	400 €
Queries from police information systems on colleagues	Germany	1	500 €
Use of the EWO system to determine the address of the ex-partner	Germany	1	600 €
Queries from police systems on persons in the family environment	Germany	unknown	1,800 €
unencrypted data	Italy	unknown	40,000 €
Storage period exceeded	France	several million	1,750,000 €
unlawful submissions to general practitioners	Italy	48	120,000 €
Too detailed video surveillance	Luxembourg	unknown	12,500 €
E-mail data freely accessible	Great Britain	550	29,183 €
Transfer of customer data despite objection	Germany	unknown	12,500 €
dentist refuses examination	Italy	1	20,000 €
Making video recordings of young women and girls without legal basis	Germany	unknown	5,000 €
Data protection penalty against Vfb Stuttgart	Germany	70000	300,000 €
Transfer of an employee’s health data to over 3,000 customers without a legal basis	Germany	1	10,110 €
Penalty on computer mail order	Germany	unknown	10,400,000 €
Fine against Italian municipality	Italy	1	4,000 €
Ticketmaster UK Limited – hacker attack	Great Britain	9400000	1,392,525 €
GDPR fine after Facebook posting	Austria	unknown	600 €
Allseas MARINE S.A. – 15,000 euro fine	Greece	unknown	15,000 €
Eni gas e luce SpA – 11.5 million fine	Italy	7200	11,500,000 €
SC Enel Energie SA – 6000 euros fine	Romania	unknown	6,000 €
Entirly Shipping & Trading SRL – 10,000 euro fine	Romania	unknown	10,000 €
Hora Credit IFN SA – 14,000 euros fine	Romania	unknown	14,000 €
Austrian Post: 18 million DSGVO fine	Austria	3 million	18,000,000 €
DSGVO fine for new owner of Delivery Hero	Germany	unknown	195,407 €
GDPR Fine for merchant	Belgium	unknown	10,000 €
Penalty for processing personal data	Greece	unknown	150,000 €
Penalty against Financial Institution in Bulgaria	Bulgaria	unknown	5,100 €
Italy: Penalty for Facebook	Italy	57	1,000,000 €
Penalty against Romanian bank	Romania	337 042	130,000 €
Germany: DSGVO fine for police officer	Germany	1	1,400 €
Spain: Soccer App spies on Fans	Spain	unknown	250,000 €
Penalty for missing deletion deadlines	Denmark	385000	201,000 €
Belgium: Mayor violates GDPR for voting campaigns	Belgium	unknown	2,000 €
Penalty against real estate law firm	France	29440	400,000 €
Lithuania: Data Breach at a payment service provider	Lithuania	9.000	61,500 €
Poland: GDPR penalty for sports association	Poland	585	12,950 €
Fine against newspaper	Cyprus	5	3,000 €
Fine against Bounty Limited	Great Britain	34 267 889	465,000 €
Penalty against True Vision Productions	Great Britain	1990	140,000 €
Penalty against medical practice	Bulgaria	1	500 €
Italy: Energy provider violates GDPR	Italy		2,018,000 €
Fine against Bisnode Polska	Poland	5 700 000	220,000 €
Penalty against Bulgarian consulting firm	Bulgaria	1	5,000 €
Penalty against Jusos Baden-Württemberg	Germany	168	2,500 €
First GDPR fine in Denmark	Denmark	8873333	161,000 €
Penalty for refusal to provide data	Hungary	1	3,200 €
Data graveyard: 14.5 million euro fine	Germany	unknown	14,500,000 €
Penalty against telephone provider	Bulgaria	1	27,000 €
Penalty against private person	Germany	160	2,628 €
Penalty for failure to shred files	Czech Republic	300	1,200 €
Penalty against car rental	Czech Republic	unknown	1,200 €
CNIL imposes 50 million fine on Google	France	unknown	50,000,000 €
Penalty for Carphone Warehouse for lack of data protection	Great Britain	3 348 869	460,000 €
Penalty for erroneous publication of health data	Germany	unknown	80,000 €
Penalty for unauthorized video surveillance	Austria	unknown	2,200 €
Penalty against Bulgarian bank	Bulgaria	1	500 €
Penalty against Uber	Great Britain	2 700 000	440,000 €
France: GDPR breach in consulting office	France	unknown	20,000 €
Penalty against private person because of dashcam	Austria	unknown	330 €
Unauthorized video surveillance on company premises	Cyprus	unknown	5,000 €
Penalty against British Bible Society	Great Britain	417 000	115,000 €
Cyprus: GDPR fine for Infocredit	Cyprus	0	25,000 €

CHAPTER II Principles