Chapter 2: Principles
Principles
Principles relating to processing of personal data
Lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity & confidentiality; accountability.
Lawfulness of processing
Processing is lawful only with at least one legal basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Conditions for consent
Consent must be freely given, specific, informed, unambiguous; demonstrable; withdrawable as easily as given.
Conditions applicable to child's consent for information society services
Children under 16 (or as low as 13 per Member State) require parental consent for online services.
Processing of special categories of personal data
Prohibits processing of sensitive data (health, biometrics, race, religion, etc.) absent specific exceptions.
Processing of personal data relating to criminal convictions and offences
Such processing only under official authority or specific legal authorisation.
Processing which does not require identification
Controllers not obliged to maintain identifying information solely to comply with GDPR.