An organisation that holds or uses your personal data is responsible for ensuring that the information is:
- collected for specific, explicit and legitimate purposes
- used for those legitimate purposes in a fair and transparent manner
- adequate and relevant to the use intended
- accurate and up to date
- kept only for as long as necessary for the use
- protected securely against misuse and against accidental loss, damage or destruction
The organisation must also be able to demonstrate that it meets its responsibilities if the supervisory body that regulates it asks for evidence.