Article 5 sets out the seven fundamental principles for the lawful processing of data. They are the principles of:
- ‘lawfulness, fairness and transparency’ (a). According to Recital 39 of the GDPR, the principle requires that any information related to the processing is easily accessible and easy to understand. As a result, the language used must be clear and plain. This is because data subjects must be aware of all risks, safeguards and rights related to the processing. Furthermore, it must be clear how they can exercise these rights. In particular, the data subject must understand what the purposes of the data processing are.
- ‘purpose limitation’ (b). The controller can only collect and process data for clearly articulated purposes. Consequently, they cannot use data for “anything”. The principle of purpose limitation in Article 5(1)(b) is also complicated in relation to the subjects of AI, “Big data” and machine learning.
- ‘data minimisation’ (c). You cannot collect and keep more data than necessary. This means that you should not process data that you do not absolutely need.
- ‘accuracy’ (d). The controller must make sure that the data is accurate and relevant, and must keep it up to date.
- ‘storage limitation’ (e). As with Article 5(1)(c), the principle of storage limitation states that data must be necessary.
- ‘integrity and confidentiality’ (f). The purpose of GDPR is to safeguard the integrity and confidentiality of individuals. Therefore, the last principle of Article 5 sets that out.
Finally, Article 5(2) sets out the principle of ‘accountability’. The controller must follow and document the principles mentioned above.