


What are the 7 principles of GDPR?

The General Data Protection Regulation is built around a set of fundamental principles, set out in Article 5, that should guide all of your data collection and data processing activities. In this post, we explain what the 7 principles of GDPR are and what they mean in practice.

What are the 7 principles of GDPR

GDPR Principle #1: Lawfulness, Fairness and Transparency

Lawfulness means that every processing activity involving your users’ data must rest on one of the lawful bases recognised by the GDPR (Article 6): consent, performance of a contract, a legal obligation, protection of vital interests, a task in the public interest, or your legitimate interests where these are not overridden by the user’s rights.

Processing must also be fair and transparent: you must do what your privacy policy says, and use your users’ data only in the ways you have actually disclosed to them.

GDPR Principle #2: Purpose Limitation

The principle of purpose limitation is closely tied to transparency. In your privacy policy you must clearly state the specific, explicit purposes for which you collect and process data, and then use the data only for those purposes. Further processing for a new purpose is allowed only if it is compatible with the purpose you originally declared.

GDPR Principle #3: Data Minimization

Where you can do without personal data at all, anonymous data is preferable, since truly anonymous data falls outside the GDPR (Recital 26). Where personal data is needed, it must be adequate, relevant and limited to what is necessary for your stated purpose. In practice: collect the minimum set of fields that the purpose requires, and nothing more.


GDPR Principle #4: Accuracy

The data you store should be accurate and, where necessary, kept up to date. You must take every reasonable step to erase or correct personal data that is inaccurate for the purpose you process it for.

GDPR Principle #5: Storage Limitations

The data you store should be up to date, but you cannot keep it forever.

The GDPR requires that you define a retention period, as short as the purpose allows, and that you explain why you need to keep your users’ data for that period. When the period expires, you must erase the data or review whether you still have a valid reason to keep it.

GDPR Principle #6: Integrity and Confidentiality

According to the principle of integrity and confidentiality, you must store and process your users’ data securely, protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. You should also protect your users’ identity, for instance through anonymisation. Note the distinction the GDPR draws here: pseudonymisation (Article 4(5)), where the link to the person survives via a separately kept key, is a recommended security measure but the data remains personal data; only genuine anonymisation takes the data out of scope.
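The following is an added example, not code from the original article or from iubenda, showing how the storage limitation and integrity/confidentiality principles above (together with data minimisation) translate into a small data-handling routine. It assumes records are dicts with an ISO-8601 collected_at timestamp; the 180-day retention period, the field names and the pseudonymisation key are hypothetical values chosen for illustration, and the sample records are constructed, not real users.

```python
"""Added example (not from the original page): retention enforcement,
data minimisation and keyed pseudonymisation over a list of user records."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample data for the example; not real users.
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "email": "alice@example.com", "ip": "198.51.100.7",
     "collected_at": "2024-01-05T10:00:00+00:00", "purpose": "newsletter"},
    {"user_id": "u-1002", "email": "bob@example.com", "ip": "203.0.113.9",
     "collected_at": "2024-06-20T09:30:00+00:00", "purpose": "newsletter"},
]

# Hypothetical retention period; in practice this is the period you document
# and justify in your privacy policy / records of processing.
RETENTION = timedelta(days=180)

# Hypothetical key. Keep it outside the dataset it pseudonymises: while the
# key exists the output is still personal data (pseudonymised, not anonymous).
PSEUDONYM_KEY = b"example-key-rotate-and-store-separately"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of an identifier.

    HMAC rather than a bare hash: a bare SHA-256 of an email or IP can be
    reversed by brute force over the small input space, so it would not
    protect identity; with the key held separately it cannot."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def apply_retention(records, now: datetime, retention: timedelta = RETENTION):
    """Storage limitation: split records into those still within the
    retention period and those whose period has expired (to erase or review)."""
    keep, erase = [], []
    for rec in records:
        collected = datetime.fromisoformat(rec["collected_at"])
        (erase if now - collected > retention else keep).append(rec)
    return keep, erase


def minimise_for_analytics(rec):
    """Data minimisation: keep only the fields the analytics purpose needs,
    and replace the direct identifier with a pseudonym. Email and IP are
    dropped entirely rather than hashed, because the purpose does not need them."""
    return {"user_ref": pseudonymise(rec["user_id"]), "purpose": rec["purpose"]}


def run_example(now_iso: str = "2024-08-01T00:00:00+00:00"):
    """Run the full pass and return what a retention job would report."""
    now = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    keep, erase = apply_retention(SAMPLE_RECORDS, now)
    return {
        "erase_ids": [r["user_id"] for r in erase],
        "kept_ids": [r["user_id"] for r in keep],
        "analytics_rows": [minimise_for_analytics(r) for r in keep],
    }


if __name__ == "__main__":
    result = run_example()
    print("due for erasure:", result["erase_ids"])
    print("kept:", result["kept_ids"])
    print("minimised rows:", result["analytics_rows"])
```

Running the example with the clock set to 1 August 2024 marks the January record as due for erasure and keeps the June one; the minimised analytics row contains only a pseudonym and the purpose, so a leak of that dataset alone does not expose an email address or IP.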

GDPR Principle #7: Accountability

Accountability means you must not only comply with the principles above but be able to demonstrate that you do. Under certain circumstances the GDPR requires you to keep “full and extensive” records of your processing activities (Article 30); the exemption for organisations with fewer than 250 employees does not apply where processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data.

Even if your processing activities fall outside those situations, you still need basic records of which data you collect, the purpose, all parties involved in processing it, and the retention period, since without them you cannot show that you comply. Treat this as mandatory for everyone.

Curious to learn more?

Check our complete guide to the GDPR: everything you need to know to comply!
