Introduction. What are the 7 principles of GDPR? Why are they important?

Article 5 of the GDPR explains the principles underlying the GDPR. For a correct application of the General Data Protection Regulation, you need to have a good understanding of these 7 principles. Without GDPR, there would be no foundation on which to build laws. Because people’s personal data is involved in so many things, you will have to deal with it in any service you provide, which presents you with a big challenge in terms of keeping that personal data. A good understanding of the 7 GDPR principles allows you to know your role as a data controller and what you need to do, helping you avoid breaches and
GDPR sanctions
. The text of the Regulation is so long and written in legal language that you may need someone to explain it to you. However, most of the laws in the GDPR boil down to these 7 principles, which means that if you understand them, you can get a general idea of the topic.

1. Principle of legality. Legality, fairness and transparency

The three components of this GDPR principle (legality, fairness and transparency) are closely linked.

What does “lawfulness” mean in GDPR?

According to the principle of “lawfulness” there must be a legal basis for processing the data, otherwise the processing is unlawful. There are six situations in which you are allowed to process personal data. If you don’t rely on one of these six cases when processing people’s personal data, you are in breach of the GDPR.

The six legal grounds for processing personal data are as follows:

  1. Consent; in this case, the data subject gives you permission to process the data.
  2. Contract; where there is a contract between you and the data owner that is necessary to process personal data.
  3. Legal obligation; in this case there is a law that obliges you to process some personal data.
  4. Vital interest; in this case, the processing is necessary for the life of the data subject, for example, if a hospital wants to see a patient’s medical history for urgent surgery.
  5. Public interest; if the processing is necessary for a task related to the public interest.
  6. Legitimate interest; where the processing is necessary to achieve a legitimate interest.

There is also another meaning of “lawfulness”, which means that you are not doing anything illegal by processing the data.

What is the meaning of “fairness”?

All aspects of the processing of personal data must be fair in the sense that you must process personal data as you expect and as you have agreed with the data subjects. To ensure that you treat data fairly, data processing must be tailored to the interests of data subjects.

Fairness requires that the persons concerned must be informed that their personal data are processed, including how they are collected, stored and usedto enable them to make informed decisions about their data and to exercise their data protection rights. In addition, the controller shall process the data only in ways that the data subject would reasonably expect and shall not use the data in a way that could adversely affect the data subject.

What is the meaning of “transparency”?

Transparency here can have a meaning close to “fairness” and means being honest and clear with data owners from the outset, you need to tell the people whose data you are processing who you are, what you are offering them and what you are doing with their data. This point is important, especially if the data subject intends to enter into a long-term agreement with you. To achieve transparency in your services, your privacy policy must be comprehensive and clear.

We refer to the principle of lawfulness that data are processed lawfully, fairly and transparently in relation to the data subject.

Read more about personal data, what categories of personal data exist and what else you need to know about them to be GDPR compliant.

2. Purpose limitation principle

Your processing of personal data must have a specific and explicit purpose from the outset, and this purpose must be fully clear from the outset. If you apply the first principle, especially the transparency part, you will realise much of the purpose limitation principle. However, the GDPR does not prevent you from processing personal data for purposes other than those mentioned in the Privacy Policy and agreed at the outset, but under certain conditions. You may process personal data for a new purpose that was not originally agreed upon if there is a relationship between the new purpose and the original purpose or if you have obtained the data subject’s permission for the new purpose.

If you are going to process data for purposes that are consistent with the original purpose agreed with the data subject, you do not need to find a legal basis from the 6 bases we mentioned in the first principle of the GDPR, whereas if you are processing data for a new purpose, you will need to base the data processing on a new legal basis and you need a new permission from the data owner.

We hold to the purpose limitation principle that data are collected for specified, explicit and legitimate purposes and are not further processed in a way incompatible with those purposes. Further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered incompatible with the original purposes.

Need help implementing GDPR?
Use our online GDPR consulting services.

  • We assess your risks in every detail

  • We assist you step by step in implementation

  • We train your employees who process data

  • We provide you with standardised procedures and documents

3. Data minimisation principle

This principle states that the data processor must process the minimum amount of data that achieves its purpose, and the data must not process more than you need. This must be documented during data processing so that you can prove to the authorities that you only used the amount of data you needed. You need to be careful in applying this principle, especially if the data you process is special category data.

Example: a company has advertised that it needs to hire a person as a programmer, then when applicants for this job are given the job application form to fill in, the company asks for data such as whether they are married or not, this behaviour is considered a violation of the data minimisation principle, as the marital status of the person is not required when hiring a person as a programmer, which means that the company is trying to process more data than it needs.

You can collect data that is not useful at the moment, but may be needed in the future, for example, if the company collects information about the blood types of some customers working in hazardous activities such as construction, this information is not really useful at the moment, but may be mentioned in the future if one of the workers is injured and needs a blood transfusion. In this case, the company did not violate the principle of data minimisation, as the additional data it collected might be needed in the future.

We note from the data minimisation principle that only data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed will be processed.

4. Accuracy principle

You need to make sure that the data you process is true and accurate. If you have collected inaccurate information by mistake, but have corrected the error, it is preferable that this incident is recorded. It is not necessary that all data refer to the current time. For example, if a company records that one of its customers lives in Bucharest, but this person currently lives in Paris (previously lived in Bucharest), this is not considered an inaccuracy by the company, as this person has already lived in Bucharest for some time. This leads to another point, namely that personal data need not always be kept up to date, but this depends on the purpose for which the data is processed. If you are using the data for a purpose now, you should make sure that it is always up to date. For example, if you are a postal service that delivers some letters to your customers’ addresses, you should constantly check that a customer has not changed their home address.

This requires a procedure to edit/modify data when necessary. For example, a customer notifies us that they have changed their email address because their old email address has been compromised. As such, this change must be reflected immediately in our system, otherwise we risk disclosing the data subject’s personal data to others, thus breaching data security.

We adhere to the principle of accuracy that the data we process must be accurate and, where necessary, updated without delay.

5. Storage limitation principle

The GDPR ensures that personal data is not stored for longer than necessary for the purposes for which it is processed. The Regulation does not set a specific time limit that the data controller must respect, as this depends on the time you need to achieve your goal. Your commitment to the principle of storage limitation will help you achieve the principle of accuracy, as not keeping data you no longer need will get rid of outdated data that is not related to the purpose for which the data is processed.

If there is a legal retention period, that period must be respected, as is the case for invoices, 10 years, and payroll statements, 50 years, according to the accounting law.

In order not to violate the documentation laws enforced by the GDPR, you will need to establish a data retention policy. The retention policy tells people how long you will keep each category of data. It may not be necessary for small businesses, but nevertheless, these companies need to constantly monitor stored data and ensure that personal data that is no longer needed is deleted.

In some cases, the principle of storage limitation should not apply, such as cases involving data that the government may need for security purposes. For example, if a person opens an account at a bank, then if that person closes the account, the bank must keep the account data, as it may be needed for security reasons.

Once you have fulfilled your purpose for processing personal data, you can delete or encrypt it. You should be aware that although you delete personal data from the internet, but still keep it online, this is still data processing. Therefore, if you want to apply the principle of data limitation correctly, you must permanently delete data, whether online or offline. Another method instead of deletion is data encryption. Encrypted data in the context of GDPR is still personal data and must be treated equally well.

There is another case, other than data needed in the future, which allows the processor to keep them for a longer period of time after the purpose of their processing has been achieved. This is the case where the purpose of processing personal data is statistical or for the fulfilment of public interests. This should be the only purpose in order not to violate the GDPR. If you have other purposes than the above, this is a violation of the laws.

We note in the principle of storage limitation that data will not be stored for longer than is necessary for the purposes for which it is processed, and where the law does not provide for a retention period, we will, through an internal procedure, set a period as short as possible.

6. Principle of integrity and confidentiality

This principle in the GDPR ensures the security of personal information. When you process personal data, no one should be able to see it, including people working in your company. You need to have an adequate level of cyber security that is capable of protecting your data. You need to know that security of personal data is one of the key things in your company, because leaking any personal data belonging to citizens can expose them to real danger, and sometimes this risk is tantamount to an attack.

What needs to be protected?

Every aspect of data processing must be protected. This means you need to make sure of several things, such as:

  • no one has access to personal data (including company employees, except those who are authorised),
  • you need to be able to protect your data against damage and
  • you must be able to retrieve them in case of damage.

GDPR obliges us to ensure that our security measures are working well.

The GDPR requires data controllers to carry out periodic tests to ensure the level of protection within the company, but it does not specify how these tests are carried out as it depends on your business environment. It is very important to test all staff and make sure they have sufficient understanding and awareness of GDPR principles. Regular training of employees through GDPR training is very useful in this respect.

We note under the principle of integrity and confidentiality that personal data are processed in a way that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organisational measures.

Read more about cybersecurity best practices (infographic included)

Do you need an external DPO?
Leave the GDPR challenges to GDPR Complete – team of professionals with legal expertise, IT security expertise and business management expertise

  • We exercise the function of DPO

  • Audit and Implement

  • We train staff

  • Communicate with the authority

7. Principle of accountability

You need to be able to prove that you apply the GDPR in all its aspects, not only to the authorities but also to data subjects. Data subjects have the right to ensure that you comply with GDPR laws. Also, if you use personal data in modern means, such as artificial intelligence, you must inform the data owners. Accountability includes explaining the details of your implementation of the Regulation and the measures you are taking to protect personal data. The GDPR does not set out specific requirements for accountability, but it does set out certain procedures to be followed, establishing data protection policies among the measures recommended by the GDPR. These include the measures that will be taken to protect personal data and the measures taken in the event of a breach.

For example, if you process data on a lawful basis, say, vital interest or consent, you need to be able to prove that you have that consent or that your purpose is in fact a vital interest. To be able to prove this, you must have accurately recorded the replay and details of the consent obtained from the data subject.


Personal data is all around you, so you will need to deal with it in any service you provide. This presents you with a big challenge in terms of keeping this personal data. Therefore, a good understanding of the 7 GDPR principles allows you to know your role as a data controller and what you need to do to comply with the General Data Protection Regulation and avoid GDPR breaches and sanctions.

If you need help with your company’s GDPR compliance, either through GDPR consulting or outsourced DPO services, contact us at and schedule a meeting with one of the GDPR experts on the GDPR Complete team.