Principles of Personal Data Processing and Protection
The Controller is responsible for ensuring compliance with the basic principles of processing personal data. These principles are as follows:
1) Any processing of personal data must be carried out lawfully and fairly. The collection, use, consultation or other processing must be transparent to the Data Subject, so as to prevent violations of the Data Subject's fundamental rights.
2) Personal data may be collected only for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
3) The personal data processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4) Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data (including data that are inaccurate with regard to the purposes for which they are processed) must be erased or rectified without delay.
5) Personal data must be kept in a form that permits identification of the Data Subject for no longer than is necessary for the purposes for which the personal data are processed; exceptions and the conditions for their application are set out in the Regulation and the Act.
6) Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Regulation and the Act. Such measures shall include the introduction of adequate procedures for the protection of personal data. The Controller shall review and update these measures where necessary.
The Controller is required to implement data protection by design: the adoption of appropriate technical and organisational measures, such as pseudonymisation, designed to implement the data-protection principles effectively and to integrate the necessary safeguards into the processing. In doing so, the Controller must take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks that the processing poses to the rights and freedoms of natural persons.
The Controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that, by default, personal data are not made accessible, without the individual's intervention, to an indefinite number of natural persons.