Chapter 6 covers the data processing principles now expressly listed in Article 5 of the GDPR. These principles did not start with the GDPR: they were first set out in Convention 108 (the first international legally binding data protection instrument) and were carried into the Data Protection Directive. The GDPR redefines and reinforces the existing principles and adds the accountability principle as a new, express requirement.
The principles are not new inventions of the GDPR. They trace back to Convention 108 and were carried into the Data Protection Directive. What the GDPR does is redefine, reinforce and expressly add accountability - putting the burden of proof on organisations to demonstrate compliance.
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability (added expressly by the GDPR)
🔑 Six listed + accountability
Article 5(1) lists six principles; accountability sits in Article 5(2) as a separate, express duty. Together that makes the seven heavily-examined principles.
Key terms - quick answers
What is “Article 5”?
The GDPR article that expressly lists the data processing principles controllers must follow.
What is “Convention 108”?
Council of Europe convention - the first international legally binding document to prescribe data protection principles.
What is “Data Protection Directive”?
Directive 95/46/EC, the pre-GDPR EU instrument that incorporated the fundamental data protection principles.
What is “Accountability principle”?
The duty of controllers to demonstrate (and prove) their compliance with the other principles. Added expressly by the GDPR.