Module 4 · Data processing principles (OECD + Article 5)
The GDPR's Article 5 principles (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability) sit on top of the eight OECD principles. Breaching them can attract the highest-tier fines.
The eight OECD principles are: collection limitation, data quality, purpose specification, use limitation, openness, individual participation, accountability and security safeguards. The GDPR builds on them in Article 5.
| Principle | What it requires |
|---|---|
| Lawfulness, fairness and transparency | Process on a lawful basis, fairly, and openly |
| Purpose limitation | Collect for a specified purpose only; further use must pass a compatibility test (links between purposes, nature of data, method of collection, consequences, safeguards) |
| Data minimisation | Only data that is relevant and necessary |
| Accuracy | Keep data complete and up to date |
| Storage limitation | Retain only as long as necessary for the original purpose |
| Integrity and confidentiality | Process securely |
| Accountability | Be able to demonstrate compliance |
Further processing is allowed where it is not incompatible with the original purpose. The purpose limitation compatibility test weighs the link between purposes, the nature of the data, the method of collection, the consequences, and the safeguards in place.
Related EU laws to know: PSD2 (EDPB Guidelines 06/2020 on the PSD2/GDPR interplay), the Data Governance Act, Regulation (EU) 2018/1725 (covering EU institutions), and the EU Data Act.