The controller must comply with that established in the General Data Protection Regulation (GDPR) and be able to demonstrate that processing is performed in accordance with that Regulation (accountability).
The personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data (‘integrity and confidentiality’).