FORMAL ANSWER

The principles of personal data processing include ensuring: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and storage limitation, as well as integrity. In addition, the controller must be able to demonstrate compliance with these principles, which is known as the accountability principle.

PRACTICAL ANSWER

To implement the principles of lawfulness, fairness and transparency, you should 1. identify the legal bases for processing (e.g. under Art. 6 or 9 GDPR) and 2. fulfil the information obligation and communicate transparently with the data subjects (Art. 12, 13 and 14 GDPR — see the answer to the question: "What is the information obligation?").

To implement the purpose limitation principle, personal data must not be processed in a manner incompatible with the purposes for which they were collected. For example: if we have entered into a business contract with someone, we cannot use their data to contact them for private purposes. Similarly, separate consent must be obtained for sending commercial information by electronic means.

To implement the data minimisation principle, you must not collect more data than is necessary. For example, if we sell someone a valuable item, we may collect their PESEL number for the purposes of signing the contract, but we must not photocopy their identity document.

To implement the accuracy principle, you must verify the accuracy of personal data and, where necessary, update it. In addition, if someone calls requesting access to their data, we must verify their identity (e.g. by asking questions about their history of dealings with us), because otherwise we risk disclosing their data to an unauthorised person.

To implement the storage limitation principle, personal data must be deleted as soon as they are no longer needed (e.g. someone has unsubscribed from a newsletter mailing list, or we have performed a contract and the limitation period for claims has expired).

To implement the integrity and confidentiality principle, data must be secured so that they do not fall into unauthorised hands and are not lost or altered. Information security is, however, a broader issue and is linked to the obligation to carry out a risk analysis (see the question: "What does the obligation to carry out a risk analysis and DPIA involve?").

To implement the accountability principle, you must not only achieve GDPR compliance but also have evidence of it. Above all, it is worth formalising the personal data protection system within the organisation, describing it through policies, procedures, clauses and regulations. In the event of an inspection, these will allow you to present clearly how personal data are handled within the organisation.

MORE:

• You can find more information in the guide: How to process personal data