5. Principles relating to personal data processing

Personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 are processed; personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 may be stored for longer periods insofar as the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

processed in a manner that ensures appropriate security of the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 , including protection against unauthorised or unlawful processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Recitals

Recital 39

Any processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 should be lawful and fair. It should be transparent to natural persons that personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 concerning them are collected, used, consulted or otherwise processed and to what extent the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 are or will be processed. The principle of transparency requires that any information and communication relating to the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 of those personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 and the purposes of the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 and further information to ensure fair and transparent processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 and how to exercise their rights in relation to such processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2. In particular, the specific purposes for which personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 are processed should be explicit and legitimate and determined at the time of the collection of the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 . The personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2 could not reasonably be fulfilled by other means. In order to ensure that the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 are not kept longer than necessary, time limits should be established by the controller‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. GDPR Article 4 Paragraph 7 for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 , including for preventing unauthorised access to or use of personal data‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person GDPR Article 4 Paragraph 1 and the equipment used for the processing‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. GDPR Article 4 Paragraph 2.

FAQs regarding this GDPR Article:

GDPR Fines based on this article

Title	GDPR Country	Number of involved data records	GDPR Fine
unencrypted data	Italy	unknown	40,000 €
Storage period exceeded	France	several million	1,750,000 €
unlawful submissions to general practitioners	Italy	48	120,000 €
Video surveillance is too detailed	Luxembourg	unknown	12,500 €
E-mail data freely accessible	Great Britain	550	29,183 €
dentist refuses examination	Italy	1	20,000 €
Data protection penalty against Vfb Stuttgart	Germany	70000	300,000 €
Penalty on computer mail order	Germany	unknown	10,400,000 €
Ticketmaster UK Limited – Hacker Attack	United Kingdom	9400000	1,392,525 €
GDPR fine after Facebook posting	Austria	unknown	600 €
Allseas MARINE S.A. – 15.000 Euro Fine	Greece	unknown	15,000 €
Eni gas e luce SpA – 11,5 Mio. Euro data protection fine	Italy	7200	11,500,000 €
6000 Euro Fine for SC Enel Energie SA	Romania	unknown	6,000 €
Entirly Shipping & Trading SRL – 10.000 Euro Bußgeld	Romania	unknown	10,000 €
Hora Credit IFN SA – 14.000 Euro Fine	Romania	unknown	14,000 €
18 Million Euros GDPR fine for Austrian Post Service	Austria	3 Million	18,000,000 €
GDPR fine for the new owner of a food delivery platform in Berlin	Germany	unknown	195,407 €
GDPR Fine for merchant	Belgium	unknown	10,000 €
Penalty for processing of personal data	Greece	unknown	150,000 €
Penalty against Financial Institution in Bulgaria	Bulgaria	unknown	5,100 €
Italy: Fine for Facebook	Italy	214.077 Profiles	1,000,000 €
Punishment against Unicredit Romania	Romania	337 042	130,000 €
Germany: GDPR fine for Police Officer	Germany	1	1,400 €
Spain: Soccer App spies on Fans	Spain	unknown	250,000 €
Penalty for missing deletion deadlines	Denmark	385000	201,000 €
Belgium: Mayor violates GDPR for voting campaigns	Belgium	unknown	2,000 €
Penalty against real estate office	France	29440	400,000 €
Lithuania: Data Breach at a payment service provider	Lithuania	9.000	61,500 €
Poland: GDPR penalty for sports association	Poland	585	12,950 €
Fine against newspaper	Cyprus	5	3,000 €
ICO fines Bounty Limited UK	United Kingdom	34 267 889	465,000 €
Punishment against True Vision Productions	United Kingdom	1990	140,000 €
Punishment against doctor’s office	Bulgaria	1	500 €
Italy: Energy provider violates GDPR	Italy		2,018,000 €
Fine against Bisnode Polska	Poland	5 700 000	220,000 €
Punishment against Bulgarian consulting company	Bulgaria	1	5,000 €
Punishment against Jusos Baden-Württemberg	Germany	168	2,500 €
First GDPR penalty in Denmark	Denmark	8873333	161,000 €
Penalty for denied data disclosure	Hungary	1	3,200 €
German real estate company hoards data – A GDPR fine follows	Germany	unknown	14,500,000 €
Penalty against telephone provider	Bulgaria	1	27,000 €
Penalty against private person in Germany	Germany	160	2,628 €
Penalty for missing file shredding	Czech Republic	300	1,200 €
Penalty against car rental	Czech Republic	unknown	1,200 €
CNIL imposes 50 million penalty over Google LLC	France	unknown	50,000,000 €
Punishment for Carphone Warehouse for lack of data protection	United Kingdom	3 348 869	460,000 €
Punishment for mistaken publication of health data	Germany	unknown	80,000 €
Punishment for inadmissible video surveillance	Austria	unknown	2,200 €
Fine against bulgarian bank	Bulgaria	1	500 €
Punishment against Uber	United Kingdom	2 700 000	440,000 €
France: GDPR violance in Consultation Office	France	unknown	20,000 €
Fine against individual in Austria	Austria	unknown	330 €
Illegal video surveillance	Cyprus	unknown	5,000 €
Punishment against British Bible Society	United Kingdom	417 000	115,000 €
Cyprus: GDPR fine for Infocredit	Cyprus	0	25,000 €

CHAPTER II Principles