Data Protection Principles

Article 5 of the GDPR establishes seven foundational principles that govern all processing of personal data. These principles are the backbone of the regulation -- every other GDPR obligation derives from or supports compliance with these principles.

Non-compliance with the principles in Article 5 is subject to the higher tier of administrative fines: up to EUR 20,000,000 or 4% of total worldwide annual turnover, whichever is greater (Article 83(5)(a)).

The seven principles, with the requirement each imposes and guidance on implementing it:

1. Lawfulness, Fairness and Transparency (Art. 5(1)(a))
   Requirement: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
   Implementation Guidance: Identify a valid lawful basis under Article 6 before processing begins. Provide clear, plain-language privacy notices explaining what data is collected, why, and how it will be used. Ensure processing does not have unjustified adverse effects on the data subject. Document the lawful basis relied upon for each processing activity in your Record of Processing Activities (Art. 30).

2. Purpose Limitation (Art. 5(1)(b))
   Requirement: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
   Implementation Guidance: Define and document the specific purpose for each processing activity before collection begins. When considering secondary use, apply the compatibility test under Article 6(4), assessing: the link between original and new purposes, the context of collection, the nature of the data, possible consequences, and the existence of appropriate safeguards. Further processing for archiving in the public interest, scientific or historical research, or statistical purposes is presumed compatible (Art. 5(1)(b)).

3. Data Minimisation (Art. 5(1)(c))
   Requirement: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
   Implementation Guidance: Collect only the personal data fields strictly necessary for the stated purpose. Conduct periodic reviews of data collection forms, API payloads, and database schemas to identify and remove unnecessary fields. Apply pseudonymisation or anonymisation where full identification is not required. Before adding a new data field, document why it is necessary for the specific processing purpose.

4. Accuracy (Art. 5(1)(d))
   Requirement: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
   Implementation Guidance: Implement processes for data subjects to review and update their personal data (supporting the right to rectification under Art. 16). Establish data quality checks at the point of collection and at regular intervals. When accuracy is contested, mark the data as disputed and restrict processing until accuracy is verified. Maintain audit trails of corrections.

5. Storage Limitation (Art. 5(1)(e))
   Requirement: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
   Implementation Guidance: Define and document retention periods for each category of personal data based on the processing purpose, contractual obligations, and legal requirements. Implement automated deletion or anonymisation routines that execute when retention periods expire. Personal data may be stored for longer periods insofar as it will be processed solely for archiving in the public interest, scientific or historical research, or statistical purposes, subject to appropriate safeguards (Art. 89(1)).

6. Integrity and Confidentiality (Art. 5(1)(f))
   Requirement: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
   Implementation Guidance: Implement technical measures such as encryption (at rest and in transit), access controls, pseudonymisation, and regular security testing. Implement organisational measures including security policies, staff training, incident response procedures, and access reviews. The measures must be appropriate to the risk, considering the state of the art, cost of implementation, nature and scope of processing, and the risks to data subjects (Art. 32). Maintain records of security measures and conduct regular reviews.

7. Accountability (Art. 5(2))
   Requirement: The controller shall be responsible for, and be able to demonstrate compliance with, the principles set out in paragraph 1.
   Implementation Guidance: Maintain comprehensive documentation including: Records of Processing Activities (Art. 30), Data Protection Impact Assessments (Art. 35), data breach records (Art. 33(5)), consent records, processor agreements (Art. 28), and evidence of staff training. Appoint a Data Protection Officer where required (Art. 37). Implement data protection by design and by default (Art. 25). The burden of proof for compliance rests with the controller -- if challenged by a supervisory authority, the organisation must produce evidence demonstrating adherence to each principle.

Key Relationship: Accountability and Documentation

The accountability principle (Art. 5(2)) requires controllers to not only comply with the other six principles but to actively demonstrate that compliance. This is operationalised through the documentation requirements in Articles 24, 25, 28, 30, 32, 33, 35, and 37-39. Supervisory authorities regularly request evidence of compliance during investigations, and the absence of documentation is itself a compliance failure.

Disclaimer

This page provides general information about GDPR principles and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your organisation.