Under the GDPR, a data controller must comply with 7 key principles of data protection. These principles are the core values that underpin the European Data Protection Laws. These principles carry many similarities to those found in the Data Protection Act.

Before we get into the principles it is important to understand the definition of a Data Controller:

‘A data controller is the natural or legal person who, alone or jointly with other persons, determines the purpose and means of processing of personal data. The data controller must comply with all obligations set out in the GDPR’


Personal data must be processed lawfully, fairly and in a transparent manner. This means the data controller must:

  • Not breach any statutory or contractual obligations when processing the personal data (have legitimate grounds for processing personal data);
  • Provide a data subject with a ‘fair processing notice’ which sets out how personal data will be used (ensure that it is transparent and open with data subjects);
  • Ensure that it can rely on a relevant processing condition (not process personal data in a way which wouldn’t be expected by the data subject).


Personal data must be collected for specific, explicit and legitimate purposes and not be further processed in a manner that is incompatible with these purposes.


Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This means that the categories of personal data processed should be relevant to the purpose.


Personal data must be accurate and up to date. This requires data controllers to put in place policies and procedures for ensuring that personal data is accurate and updated as required.


Personal data must be retained for no longer than is necessary.


Personal data must be processed in a manner that ensures appropriate security and protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational security measures.


The data controller must be responsible for, and be able to demonstrate compliance with, the other principles. This is known as the accountability principle.


A data controller must provide detailed information to data subjects regarding any intended processing of personal data. This information is usually given in a ‘fair processing notice’, or ‘privacy notice’.

Data controllers must have transparent and easily accessible notices and provide information in a concise form, using clear and plain language.

A privacy notice must contain the following:

  • The identity of the data controller;
  • The purpose of the processing;
  • The contact details of the data controller;
  • The contact details of the data protection officer;
  • The legal basis of the processing;
  • The data retention period;
  • A reference to the data subject’s rights under the GDPR; and
  • Information on international transfers and the safeguards applied to such transfers.


A data controller must be able to rely on a ‘processing condition’ when processing personal data. This forms the legal basis for the processing.

The processing conditions set out in the GDPR include:

  • The data subject has given consent to the processing of his/her personal data;
  • Processing is necessary to enter into, or for the performance of, a contract with the data subject;
  • Processing is necessary for compliance with a legal obligation imposed on the data controller;
  • Processing is necessary for the purposes of legitimate interests of the data controller or a third party, except where such interests are overridden by the interests of the data subject.

If the processing is of a special category of data, an additional processing condition must also be satisfied. These are different from the processing conditions for personal data and include:

  • The data subject has given explicit consent to the processing;
  • The processing is necessary for the purposes of obligations under employment law; or
  • The processing is necessary in order to protect the vital interests of the data subject or another person.