Article 5

Principles relating to processing of personal data

1.   Personal data shall be:


processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);


collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);


adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);


accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);


kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);


processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2.   The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

What does it mean?

The GDPR regulates personal data use, which is a complicated topic. These principles are a soft measure and a way to ensure all data processing is done according to the law’s intentions. You should always have these principles in mind when processing personal data. 

Article 5 is an excellent guideline for evaluating your processing activities against the GDPR. 

If there is one thing to remember about the GDPR, it should be these seven principles.

The accountability principle requires you to document your compliance with the principles laid out in article 5. This is an essential requirement and can seem somewhat arbitrary. 

For every processing activity you already have or plan to start, you should design your processing to comply with these principles. 

One way of doing this is to include a description of your compliance with these principles in your records of processing activities (article 30). In many ways, following the requirements in article 30 lets you comply with the accountability principle in article 5. 


Employees should follow these principles within your organisation. Therefore training your employees in these principles becomes a tool for compliance and an excellent way to improve data security in practice. Demonstrating that you have trained your employees in these principles is one of the several steps you can take to demonstrate compliance with the accountability principle.

You should always follow the law and its intentions. You should transparently process personal data so that the subject knowingly can consent or engage with your business. You should process the personal data of clients and employees fairly and in a manner expected.  

The original purpose of your collection of data and processing should be respected. For example, if you collect email addresses for your business newsletter, you should respect the original purpose of this data collection, i.e. sending a newsletter on behalf of your business. You should not share these emails with companies or use them for purposes other than those already informed to your data subjects.

Your processing of personal data should be limited to what is necessary to fulfil your purpose with your data processing. In general, the processing of personal data should be on a “need-to-have” basis and not “nice-to-have”. 

The data processing should be accurate. Accuracy entails having organisational procedures, systems and technical implementations to ensure that ou should make sure that the data is correct and updated. 

You cannot store personal data longer than necessary. You define your necessity based on the processing activity’s purpose and legal requirements to storage limitations. Many processing activities have legal ties to, e.g. labour laws, and these should be followed.

Your business must ensure the integrity of personal data and, therefore, the trustworthiness and accuracy of data over time.

Your business should process personal data with confidentiality, and unauthorised individuals should not have access to your customers’ or employees’ data. 

Unauthorised individuals can be hackers, thieves, or ordinary employees who have no reason to access specific personal data.

You can ensure the integrity and confidentiality of personal data by implementing appropriate technical and organisational measures.

An appropriate level of security may vary internally within the company between the different purposes you have for processing data. It may also vary between companies as they all have various processing activities. 

You can assess whether you have an appropriate level of security by conducting a risk assessment of your personal data processing activities. 

With the result of a risk assessment in hand, you can evaluate which areas of your business may require additional security.

Awareness Training

Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.



Get Started within 24 hours.

Once you have submitted your details, you’ll be our top priority!