The GDPR requires every processing of personal data to respect all of the seven principles listed in Art. 5 GDPR:
Lawfulness, fairness and transparency
Personal data of individuals must always be handled lawfully, fairly and in a transparent manner. This also includes informing the individual and explaining how his/her data will be used.
Purpose limitation
Personal data collected for specified, explicit and legitimate purposes must not be processed further for a new incompatible purpose. The exemptions to this principle include processing for archiving purposes in the public interest, scientific or historical research, or statistical purposes.
Data minimization
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data is erased or rectified without delay.
Storage limitation
Personal data must not be kept in a form which permits a data subject’s identification, if such identification is no longer necessary for the processing purposes. The exceptions to this principle include data processing solely for archiving purposes in the public interest, scientific or historical research, or statistical purposes (provided that the appropriate technical and organizational measures to protect such data are implemented).
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate data security (including protection against unauthorized/unlawful processing and against accidental loss, destruction or damage), using appropriate technical or organizational measures.
Accountability
The controller is responsible for GDPR compliance and must always be able to demonstrate such compliance.