GDPR Data Processing Principles
The Seven Principles
Article 5 of the GDPR establishes seven foundational principles that govern all processing of personal data. These principles are not merely aspirational: they are legally binding obligations with direct enforcement consequences. Infringement of the principles falls in the upper tier of administrative fines under Article 83(5)(a), with a ceiling of EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
The six principles in Article 5(1) are: lawfulness, fairness, and transparency (Article 5(1)(a)); purpose limitation (Article 5(1)(b)); data minimisation (Article 5(1)(c)); accuracy (Article 5(1)(d)); storage limitation (Article 5(1)(e)); and integrity and confidentiality (Article 5(1)(f)). The seventh principle — accountability — is established in Article 5(2), which requires the controller not only to comply with the six principles but to be able to demonstrate that compliance.
These principles operate as a coherent system. Purpose limitation constrains what data may be collected (data minimisation), how long it may be kept (storage limitation), and what security measures are appropriate (integrity and confidentiality). Accountability provides the overarching mechanism through which compliance with all other principles must be evidenced. The EDPB has consistently emphasised that the principles must be assessed holistically — compliance with one principle does not excuse non-compliance with another.
Lawfulness, Fairness, and Transparency
Article 5(1)(a) combines three requirements into a single principle. Lawfulness requires that every processing operation has a valid legal basis as enumerated in Article 6(1). The six lawful bases are: consent of the data subject (Article 6(1)(a)); performance of a contract (Article 6(1)(b)); compliance with a legal obligation (Article 6(1)(c)); protection of vital interests (Article 6(1)(d)); performance of a task in the public interest or exercise of official authority (Article 6(1)(e)); and legitimate interests of the controller or a third party, except where overridden by the interests, rights, or freedoms of the data subject (Article 6(1)(f)). The lawful basis must be identified and documented before processing begins and cannot be swapped after the fact to cure a defect: the EDPB's consent guidelines state in particular that a controller who relied on consent cannot fall back on another basis once that consent is withdrawn or found to be invalid.
Fairness requires that personal data is not processed in ways that are unduly detrimental, unexpected, or misleading to the data subject. This is a standalone requirement — processing may have a valid lawful basis yet still be unfair. The EDPB has interpreted fairness as requiring controllers to consider the reasonable expectations of data subjects, the power imbalance between controller and data subject, and the potential consequences of processing.
Transparency requires that data subjects are provided with clear, concise, and accessible information about processing activities. Articles 13 and 14 specify the information that must be provided at the point of data collection (direct collection) or, for data not obtained from the data subject, within a reasonable period and at the latest within one month (Article 14(3)). Privacy notices must be in clear and plain language, particularly when addressed to children. The principle extends beyond formal notices to encompass the overall comprehensibility and accessibility of the controller's data processing practices.
Purpose Limitation
Article 5(1)(b) requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This principle operates in two stages: first, at the point of collection, the purposes must be clearly defined and communicated to data subjects; second, any subsequent processing must be assessed for compatibility with the original purposes.
Article 6(4) provides a compatibility test for further processing on a basis other than consent or Union/member state law. The test considers: the link between the original and proposed purposes; the context in which the data was collected (particularly the data subject's relationship with the controller); the nature of the data (especially whether special categories or criminal data are involved); the possible consequences of the intended further processing for data subjects; and the existence of appropriate safeguards such as encryption or pseudonymisation.
The Regulation provides a carve-out for archiving in the public interest, scientific or historical research, and statistical purposes under Article 89(1). Processing for these purposes is not considered incompatible with the initial purposes, provided that appropriate technical and organisational safeguards are in place — particularly the principle of data minimisation and, where possible, pseudonymisation. This exception is essential for enabling legitimate research and public-interest archiving while maintaining data protection standards.
Data Minimisation
Article 5(1)(c) requires that personal data be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This principle mandates a proportionality assessment: controllers must evaluate whether each data element collected is genuinely necessary for the specified processing purpose, and must not collect data 'just in case' or for potential future uses that have not been defined.
Data minimisation has practical implications across the data lifecycle. At the collection stage, forms, APIs, and intake processes should request only the minimum data required, and should refuse or discard fields that were not declared for the purpose rather than storing whatever a client sends. During processing, access controls should ensure that personnel and systems can only access the data necessary for their function. For data architecture, controllers should consider pseudonymisation (Article 4(5)) and anonymisation as techniques to reduce the identifiability of data where full identification is not required for the processing purpose. Note that anonymisation is not defined in the Regulation: under Recital 26, data count as anonymous only when the data subject is not, or is no longer, identifiable by any means reasonably likely to be used, and pseudonymised data remain personal data.
The principle is closely related to data protection by design and by default (Article 25). Article 25(2) specifically requires that, by default, only personal data which are necessary for each specific purpose are processed — applying to the amount of data collected, the extent of processing, the period of storage, and accessibility. This means that default settings in systems and applications should be configured to process the minimum personal data necessary, and any expansion of processing scope requires a conscious, justified decision.
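The two minimisation points above, default-deny collection at the intake boundary and function-bound access to stored fields, can be made concrete. The following is an added example written for this page, not code from the page or from any product it names. It assumes a hypothetical purpose register (the only fields each declared purpose may collect), a hypothetical role register (the fields each job function may read), and a JSON-style payload from a form or API; the purposes, roles and field names are illustrative. Widening a purpose is only possible through a recorded, approved decision, which is the Article 25(2) point that expansion of scope must be deliberate rather than a default.

```python
"""Purpose-bound data minimisation at an intake boundary.

Added example for this page, not code from the page or from any named product.
Assumed: a purpose register (which fields each declared purpose may collect),
a role register (which stored fields each job function may read) and a JSON
style payload from a form or API.  All names here are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Purpose register (assumed): the only fields that may be collected per purpose.
# Anything not listed, and any purpose not listed, is refused by default.
PURPOSE_FIELDS: dict[str, frozenset[str]] = {
    "order_fulfilment": frozenset({"name", "email", "shipping_address"}),
    "newsletter": frozenset({"email"}),
}

# Role register (assumed): the subset of stored fields each function needs.
ROLE_FIELDS: dict[str, frozenset[str]] = {
    "warehouse": frozenset({"name", "shipping_address"}),
    "support": frozenset({"name", "email"}),
}

# Audit trail of deliberate scope expansions: widening collection is a recorded
# decision, never a side effect of a client sending more fields.
SCOPE_CHANGES: list[dict[str, Any]] = []


class MinimisationError(ValueError):
    """A payload, purpose or role exceeds what the registers permit."""


@dataclass(frozen=True)
class IntakeResult:
    accepted: dict[str, Any]
    rejected: tuple[str, ...]  # fields the purpose does not permit


def minimise_intake(payload: dict[str, Any], purpose: str, *, strict: bool = True) -> IntakeResult:
    """Keep only the fields the declared purpose permits.

    strict=True refuses the whole request when unexpected fields arrive, so a
    client cannot quietly widen collection; strict=False drops them instead.
    """
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        raise MinimisationError(f"undeclared purpose: {purpose!r}")
    rejected = tuple(sorted(set(payload) - allowed))
    if rejected and strict:
        raise MinimisationError(f"fields not permitted for {purpose!r}: {rejected}")
    accepted = {k: v for k, v in payload.items() if k in allowed}
    return IntakeResult(accepted, rejected)


def project_for_role(record: dict[str, Any], role: str) -> dict[str, Any]:
    """Access-side minimisation: return only the fields a job function needs."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise MinimisationError(f"unknown role: {role!r}")
    return {k: v for k, v in record.items() if k in allowed}


def expand_purpose(purpose: str, new_fields: set[str], justification: str, approved_by: str) -> frozenset[str]:
    """Widen a purpose's field set only with a recorded justification and approver."""
    if purpose not in PURPOSE_FIELDS:
        raise MinimisationError(f"undeclared purpose: {purpose!r}")
    if not justification.strip() or not approved_by.strip():
        raise MinimisationError("scope expansion requires a justification and an approver")
    PURPOSE_FIELDS[purpose] = PURPOSE_FIELDS[purpose] | frozenset(new_fields)
    SCOPE_CHANGES.append({"purpose": purpose, "added": sorted(new_fields),
                          "justification": justification, "approved_by": approved_by})
    return PURPOSE_FIELDS[purpose]


# Constructed sample payload: an order form that over-collects two fields.
SAMPLE_PAYLOAD: dict[str, Any] = {
    "name": "A. Example",
    "email": "a.example@example.org",
    "shipping_address": "1 Sample Street",
    "date_of_birth": "1990-01-01",
    "phone": "+00 000 0000",
}

if __name__ == "__main__":
    lenient = minimise_intake(SAMPLE_PAYLOAD, "order_fulfilment", strict=False)
    print("stored:", sorted(lenient.accepted), "dropped:", lenient.rejected)
    print("warehouse view:", sorted(project_for_role(lenient.accepted, "warehouse")))
    try:
        minimise_intake(SAMPLE_PAYLOAD, "order_fulfilment")
    except MinimisationError as exc:
        print("strict mode refused:", exc)
```

In strict mode the over-collecting form is refused outright, which surfaces the defect to the team that built the form; the lenient mode is appropriate where a legacy client cannot be changed quickly and the extra fields must at least never reach storage. Either way an undeclared purpose is refused, and the only way to collect more is `expand_purpose`, which leaves an entry in `SCOPE_CHANGES` that an auditor can read.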
Accuracy
Article 5(1)(d) requires that personal data be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
The accuracy principle is context-dependent — what constitutes 'accurate' data depends on the processing purpose. Medical records require a higher standard of accuracy than marketing preferences. Controllers must establish mechanisms for verifying data accuracy, both at the point of collection and on an ongoing basis. This may include validation rules, periodic data quality reviews, and processes for data subjects to update their information.
The accuracy principle is directly linked to the right to rectification under Article 16, which gives data subjects the right to obtain the rectification of inaccurate personal data without undue delay, and the right to have incomplete personal data completed, including by means of providing a supplementary statement. Controllers must have processes in place to handle rectification requests efficiently and to propagate corrections to any recipients to whom the data has been disclosed (Article 19).
Storage Limitation
Article 5(1)(e) requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to implementation of appropriate technical and organisational measures.
Compliance with storage limitation requires controllers to establish and enforce data retention policies that define retention periods for each category of personal data and processing purpose. Retention periods should be based on the minimum period necessary to fulfil the processing purpose, legal retention requirements (e.g., tax records, employment records), statute of limitations for legal claims, and regulatory expectations in the relevant sector.
Once the retention period expires, personal data must be securely deleted or irreversibly anonymised. Pseudonymisation, which replaces identifying attributes with tokens while the controller retains a key or lookup table that can reverse the mapping, is not sufficient for compliance with storage limitation, because pseudonymised data remain personal data under the GDPR (Recital 26). Only true anonymisation removes data from the Regulation's scope, and the test is demanding: re-identification must no longer be reasonably possible taking account of all the means reasonably likely to be used, including linkage with other data available to a recipient. Controllers should implement automated retention management and periodic reviews to prevent indefinite data accumulation, and the enforcement must reach every copy, including replicas, backups, search indexes and logs, each with a defined deletion or expiry window.
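The distinction drawn above, between an end-of-life action that actually removes identifiability and one that merely tokenises it, is easiest to see in code. The following is an added example written for this page, not code from the page or from any product it names. It assumes a hypothetical retention schedule keyed by data category (the periods are illustrative and not a statement of any legal retention requirement), records carrying a creation date, and a controller-held HMAC key used for pseudonymisation. The example shows that the same key that produced the tokens can recover the identifiers, which is exactly why pseudonymised records are still in scope, while the anonymisation path drops direct identifiers and coarsens quasi-identifiers for the statistical purpose that survives the retention period.

```python
"""Retention enforcement: keep, erase or anonymise, and why pseudonymisation
is not an exit from GDPR scope.

Added example for this page, not code from the page or from any named product.
Assumed: a retention schedule keyed by data category (periods below are
illustrative, not a statement of any legal requirement), records carrying a
creation date, and a controller-held HMAC key used for pseudonymisation.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any, Iterable

# Retention schedule (assumed): category -> (retention period, end-of-life action).
RETENTION_SCHEDULE: dict[str, tuple[timedelta, str]] = {
    "marketing_preference": (timedelta(days=365), "erase"),
    "order": (timedelta(days=6 * 365), "anonymise"),  # kept for statistics afterwards
}

DIRECT_IDENTIFIERS = frozenset({"name", "email", "customer_id"})


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    data: dict[str, Any]


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str                     # "keep", "erase" or "anonymise"
    result: dict[str, Any] | None   # payload to retain; None means delete every copy


def pseudonymise(data: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Replace direct identifiers with keyed tokens.  The controller still holds
    `key`, so the person can still be singled out: this is still personal data."""
    out = dict(data)
    for field_name in DIRECT_IDENTIFIERS.intersection(out):
        digest = hmac.new(key, str(out[field_name]).encode(), hashlib.sha256).hexdigest()
        out[field_name] = "tok_" + digest[:16]
    return out


def reidentify(token: str, key: bytes, candidates: Iterable[str]) -> str | None:
    """Show reversibility: the key holder plus a candidate list recovers the value."""
    for candidate in candidates:
        digest = hmac.new(key, candidate.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest("tok_" + digest[:16], token):
            return candidate
    return None


def anonymise(data: dict[str, Any]) -> dict[str, Any]:
    """Drop direct identifiers and coarsen quasi-identifiers, keeping what the
    statistical purpose needs.  Whether the output is truly anonymous depends on
    what else a recipient can link it to (Recital 26); this shows the mechanics."""
    out = {k: v for k, v in data.items() if k not in DIRECT_IDENTIFIERS}
    if "postcode" in out:
        out["postcode"] = str(out["postcode"]).split(" ")[0]  # outward code only
    if "order_date" in out:
        out["order_date"] = str(out["order_date"])[:7]        # year and month only
    return out


def decide(record: Record, today: date) -> Decision:
    """Apply the schedule to one record.  A category with no defined period is an
    error: data with no retention period should never have been stored."""
    if record.category not in RETENTION_SCHEDULE:
        raise KeyError(f"no retention period defined for {record.category!r}")
    period, action = RETENTION_SCHEDULE[record.category]
    if today < record.created + period:
        return Decision(record.record_id, "keep", dict(record.data))
    if action == "erase":
        return Decision(record.record_id, "erase", None)
    return Decision(record.record_id, "anonymise", anonymise(record.data))


def enforce_retention(records: Iterable[Record], today: date) -> list[Decision]:
    """Run the schedule over a store; the caller applies each Decision to every
    copy (primary store, replicas, backups, indexes, logs)."""
    return [decide(r, today) for r in records]


# Constructed sample data (not real people).
DEMO_KEY = bytes.fromhex("00" * 32)  # demo only; a real key lives in a KMS or HSM
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "marketing_preference", date(2023, 1, 15),
           {"email": "a.example@example.org", "opt_in": True}),
    Record("r2", "marketing_preference", date(2025, 3, 1),
           {"email": "b.example@example.org", "opt_in": False}),
    Record("r3", "order", date(2018, 5, 20),
           {"name": "A. Example", "email": "a.example@example.org",
            "postcode": "AB1 2CD", "order_date": date(2018, 5, 20), "amount": 42.0}),
]

if __name__ == "__main__":
    for d in enforce_retention(SAMPLE_RECORDS, TODAY):
        print(d.record_id, d.action, d.result)
    tokenised = pseudonymise(SAMPLE_RECORDS[2].data, DEMO_KEY)
    print("pseudonymised:", tokenised["email"], "->",
          reidentify(tokenised["email"], DEMO_KEY, ["a.example@example.org"]))
```

On the constructed data, the expired marketing preference is erased, the recent one is kept, and the old order is reduced to an outward postcode, a year-month and an amount. The pseudonymised order, by contrast, still resolves back to the real e-mail address for anyone holding `DEMO_KEY`, which is the reason the page treats pseudonymisation as a safeguard (Articles 6(4), 32) rather than as a way to satisfy storage limitation. A schedule entry is required for every category; refusing to decide on an unknown category is deliberate, since data with no retention period has no place in the store.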
Integrity and Confidentiality
Article 5(1)(f) requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures. This principle is operationalised through Article 32, which specifies the security of processing obligations.
Article 32(1) requires controllers and processors to implement technical and organisational measures appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. Article 32(1) specifically identifies four measures as examples: pseudonymisation and encryption of personal data; the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of security measures.
The 'appropriate to the risk' standard is crucial — the GDPR does not prescribe specific technologies or controls. Instead, it requires a risk-based approach where the security measures implemented are proportionate to the risks presented by the processing. Processing of special categories of data (Article 9) or data relating to criminal convictions (Article 10) will generally require more robust security measures than processing of basic contact information.
GDPR Article 32 security of processing obligations are complemented by NIS2 Article 21, which imposes detailed cybersecurity risk management measures on essential and important entities. Organisations subject to both must ensure their security programmes satisfy both frameworks.
DORA Article 9 requires financial entities to implement ICT security policies, procedures, protocols, and tools for protection and prevention. These overlap substantially with GDPR Article 32 obligations for financial sector data processing.
Accountability
Article 5(2) establishes the accountability principle: the controller shall be responsible for, and be able to demonstrate compliance with, the six principles set out in Article 5(1). This is often called the 'seventh principle' and represents one of the GDPR's most significant innovations. It shifts the burden of proof from data subjects and supervisory authorities to controllers — a controller must affirmatively demonstrate compliance, not merely claim it.
The accountability principle is operationalised through several specific GDPR provisions. Records of processing activities (Article 30) require controllers and processors to maintain records of their processing operations, including purposes, data categories, recipients, transfers, retention periods, and a general description of the security measures. Data protection impact assessments (Article 35) must be conducted prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3) names three cases in particular: systematic and extensive evaluation based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special categories or criminal conviction data; and large-scale systematic monitoring of publicly accessible areas. Supervisory authorities publish further lists of processing requiring a DPIA under Article 35(4).
The appointment of a Data Protection Officer (Articles 37-39) is mandatory in specified circumstances and recommended as best practice in others. Codes of conduct (Article 40) and certification mechanisms (Article 42) provide voluntary accountability tools that controllers and processors may adopt to demonstrate compliance. Data protection by design and by default (Article 25) requires controllers to integrate data protection into the design of processing activities from the outset.
In practice, accountability requires a comprehensive data protection governance programme: documented policies and procedures, staff training and awareness, regular compliance auditing, vendor management programmes, incident response plans, and continuous monitoring. The EDPB has emphasised that accountability is not a one-time exercise but an ongoing obligation that requires active management and regular review.
Frequently Asked Questions
What are the 7 GDPR principles?
The seven GDPR principles under Article 5 are: (1) lawfulness, fairness, and transparency; (2) purpose limitation; (3) data minimisation; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality; and (7) accountability. The first six are set out in Article 5(1)(a)-(f), while accountability is established separately in Article 5(2).
What are the lawful bases for processing personal data?
Article 6(1) provides six lawful bases: (a) consent of the data subject; (b) performance of a contract to which the data subject is party; (c) compliance with a legal obligation to which the controller is subject; (d) protection of vital interests of the data subject or another natural person; (e) performance of a task carried out in the public interest or in the exercise of official authority; and (f) legitimate interests pursued by the controller or a third party, unless overridden by the data subject's interests, rights, or freedoms.
What is the accountability principle?
The accountability principle (Article 5(2)) requires the controller to be responsible for, and able to demonstrate compliance with, all data processing principles. This means controllers must not only comply with the GDPR but must proactively evidence that compliance through records of processing, DPIAs, policies, training, and governance frameworks. The burden of proof rests on the controller, not the data subject or supervisory authority.
How do I demonstrate GDPR compliance?
Demonstrating compliance requires a combination of: records of processing activities (Article 30), data protection impact assessments for high-risk processing (Article 35), documented policies and procedures, data processing agreements with processors (Article 28), privacy notices (Articles 13-14), consent records where consent is the lawful basis (Article 7), staff training records, DPO appointment where required (Article 37), breach notification procedures (Articles 33-34), and regular compliance audits. Certifications under Article 42 and adherence to codes of conduct under Article 40 may also serve as demonstrative tools.
What is purpose limitation and why does it matter?
Purpose limitation (Article 5(1)(b)) requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. It matters because it constrains data use to what data subjects were told at collection, prevents 'function creep' where data is repurposed without justification, and underpins data subjects' ability to exercise meaningful control over their personal data. Further processing for a new purpose requires either a compatibility assessment under Article 6(4) or a separate lawful basis.
This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.