A controller must ensure the processing of personal data complies with all six of the following general principles:
1. Lawfulness, fairness, and transparency - Personal data must be processed lawfully, fairly and in a transparent manner;
2. Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes);
3. Data minimization - Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted;
5. Retention - Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes); and
6. Integrity and confidentiality - Personal data should be kept secure.