🎪 Where to find Transcend at the 2024 RSA Conference →

Table of contents

Article 32
California Privacy Protection Agency
California Consumer Privacy Act
Personally Identifiable Information
Colorado Privacy Act
General Data Protection Regulation
Utah Consumer Privacy Act
Verifiable Consumer Request
Facebook Limited Data Use
Global Privacy Control
California Privacy Rights Act
Record of Processing Activities
Virginia Consumer Data Protection Act
Data Mapping
Consent
Authorized Agents
Do not sell/Do not share
Schrems II
Dark Patterns
Tracking Cookies
Pseudonymization
HIPAA
Gramm-Leach-Bliley Act
GDPR Rights
GDPR Principles
GDPR Personal Data
Do Not Track
Data Subject Access Request
Data Subject
Data Processor
Data Controller
Article 9
Article 6
Article 30
Article 28
LGDP (Brazil's Privacy Law)
Glossary Page

GDPR Principles

The General Data Protection Regulation (GDPR) gives EU citizens and residents more control over their data—implementing data rights and increasing oversight for organizations processing personal data.

A complex piece of legislation with 99 articles that cover everything from the definition of consent to rules on data portability, the GDPR has seven unifying principles.

Lawfulness, Fairness, and Transparency

Data processing must be done “lawfully, fairly, and transparently”—meaning data controllers need to identify and document at least one lawful basis for any personal data processing. They must also provide detailed information about their data processing in an easily accessible format that uses clear language.

Purpose Limitation

Purpose of processing should be determined at the time of collection and any subsequent use should be limited to that purpose.

If it becomes necessary to use the data for another purpose, this should only occur if the new purpose is compatible with the original one. Data collected for one purpose may not be used for another purpose without consent from the individual, unless it’s otherwise permitted by law.

Data Minimization

Data minimization requires that companies only collect the information they need to complete a specific task.

Under this principle, the personal data you collect should be limited and relevant to what’s strictly necessary. In other words, if you don't need all of it, don't keep all of it!

By minimizing the amount of personal data collected, controllers can also reduce data security risk and further protect individuals' rights.

Storage Limitation

Data controllers must ensure personal data is stored in a format that allows for data subject identification only as long as is strictly necessary.

Personal data may be stored for longer periods only if it's used for archival purposes, historical or scientific research, or statistical analysis—all of which are still subject to the relevant safeguards required by GDPR.

Accuracy

Data controllers must ensure personal data is accurate and up-to-date. If the data is found to be inaccurate, the data controller must correct or erase the data.

Integrity and Confidentiality

Data controllers must protect personal data using security measures appropriate for the context. These measures must work to prevent data loss, destruction, and unauthorized or illegal processing.