Lesson 08 of 25
The Principles of Lawful Processing (Article 5)
4 min read · CIPP/E
Internalise the seven principles (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability) and learn to spot which one a scenario breaks.
The seven principles run the whole GDPR
- Article 5(1) — six processing principles
- Article 5(2) — accountability, the seventh
- Every other obligation flows from these
- Article 5 breaches trigger the top fine tier
If you remember one Article from this entire course, make it Article 5. It states the principles relating to processing of personal data, and everything else in the GDPR is really an elaboration of them. Article 5(1) sets out six principles, and Article 5(2) adds a seventh, accountability.
The exam tests these constantly, both as recall and as the hidden reason behind a scenario's right answer. And they carry weight: breaching the basic principles falls under the higher fine tier, up to twenty million euros or four percent of global turnover. So let's walk all seven, with an example for each, the way the exam will make you apply them.
Lawfulness, fairness, transparency
- Article 5(1)(a) — three linked ideas
- Lawfulness — you need a legal basis (Article 6)
- Fairness — no deception, no unjustified adverse effects
- Transparency — tell people clearly what you do
The first principle, in Article 5(1)(a), bundles three ideas. Lawfulness means you must have a valid legal basis for the processing, one of the six in Article 6, which we will study in Domain three. Fairness means you must not process data in ways people would not reasonably expect, or that cause unjustified harm; no hidden agendas.
Transparency means you must tell people, in clear and plain language, what you are doing with their data. These three travel together, and if a scenario describes data being used secretly or in a surprising way, this principle is usually the one being broken. And note the link to the lawful bases: lawfulness here is the gateway to Article 6, so a scenario with no valid basis fails this very first principle before you even reach the others.
Purpose limitation and data minimisation
- Article 5(1)(b) — purpose limitation
- Collect for specified, explicit, legitimate purposes only
- Article 5(1)(c) — data minimisation
- Adequate, relevant, limited to what's necessary
The second principle, purpose limitation in Article 5(1)(b), says you must collect data for specified, explicit, and legitimate purposes, and not further process it in a way incompatible with those purposes. If you collected an email to send an order confirmation, you cannot simply repurpose it for unrelated marketing. The third principle, data minimisation in Article 5(1)(c), says the data you process must be adequate, relevant, and limited to what is necessary for the purpose.
Do not collect a customer's date of birth if the service does not need it. These two principles are exam favourites because so many real-world violations, in particular scope creep and over-collection, are breaches of them.
Accuracy and storage limitation
- Article 5(1)(d) — accuracy
- Keep data accurate and up to date; correct or erase errors
- Article 5(1)(e) — storage limitation
- Keep data no longer than necessary; then delete or anonymise
The fourth principle, accuracy in Article 5(1)(d), requires personal data to be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay. The fifth, storage limitation in Article 5(1)(e), requires that data be kept in identifiable form for no longer than is necessary for the purpose. Once you no longer need it, you must delete it or anonymise it; you do not keep records forever just in case.
These connect to data subject rights: accuracy underlies the right to rectification, and storage limitation underlies the right to erasure, which we will study shortly. The exam likes to test indefinite retention as a storage-limitation breach.
Integrity, confidentiality, and accountability
- Article 5(1)(f) — integrity and confidentiality (security)
- Appropriate technical and organisational measures
- Article 5(2) — accountability
- The controller must demonstrate compliance, not just achieve it
The sixth principle, integrity and confidentiality in Article 5(1)(f), is the security principle: you must protect personal data against unauthorised or unlawful processing and against accidental loss, using appropriate technical and organisational measures. We will see this principle expanded into Article 32 in the next lecture. And the seventh principle, accountability in Article 5(2), is the one that ties the GDPR together.
It says the controller is not only responsible for complying with the other six principles but must be able to demonstrate that compliance. It is not enough to be compliant; you must be able to prove it, through records, policies, and documentation. Accountability is why so much of the GDPR is about paperwork you can show a regulator, your records of processing, your data protection impact assessments, your policies, and your consent logs.
When a scenario describes an organisation that is doing the right thing in practice but cannot prove it, that is an accountability gap, and the exam treats it as a real failing in its own right.
Recap
- Lawfulness/fairness/transparency; purpose limitation; minimisation
- Accuracy; storage limitation; integrity & confidentiality
- Accountability — demonstrate, don't just achieve
- Article 5 breaches hit the higher fine tier
So here are the seven, in order: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Memorise them, then practise spotting which one a scenario breaks, because that is how the exam uses them. Remember that breaching these basic principles attracts the higher fine tier, and that accountability means you must be able to demonstrate compliance, not merely claim it.
Next, we expand the security principle into its operational home, Article 32, and the rules for managing the vendors who process data for you. First, go test yourself on the seven principles.
Sources
- Regulation (EU) 2016/679 (GDPR), Article 5(1)(a)-(f) and Article 5(2) (principles and accountability)
- Recitals 39 and 50
- EDPB guidance
Test your knowledge
A few CIPP/E questions on this material — pick an answer to see the explanation.
Q1. An HR manager asks whether data about a job applicant's criminal convictions is a 'special category' under Article 9. What is the most precise answer?
Q2. Article 5(2) of the GDPR introduces the accountability principle. What does it require of the controller?
Q3. Article 32 requires controllers and processors to implement security measures. How does the GDPR describe the standard of security required?
Q4. A controller's cloud-storage vendor wants to engage a sub-contractor to handle data backup. What does the GDPR require?