GDPR: principles relating to the processing of personal data

To understand what the GDPR requires and what agents need to do to ensure that they’re compliant, it helps to know the general principles relating to the processing of personal data. Article 5 of the GDPR sets out the main responsibilities for organisations when they’re processing personal data.

 

The principles

In accordance with Article 5, personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the individual.

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that’s incompatible with those purposes.

  3. adequate, relevant and limited to what’s necessary in relation to the purposes for which it is processed.

  4. accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data is accurate.

  5. kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the data is processed.

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by using appropriate technical or organisational measures.

 

Who’s responsible for complying with those principles?

It’s the controller that’s responsible for, and must be able to demonstrate, compliance with the above principles.