We can summarise GDPR using the following principles:

- Right to information: personal data is collected for a specific legitimate purpose, and may not be used for other purposes. Organisations need to be fully transparent about this.
- Transparency: the person whose data is processed actively agreed to this and has been informed of his/her rights.
- Right of access to your data: every person has the right of access to his/her personal data and supplementary information. These data must be correct at all times. Every person has the right to correct his/her data.
- Right to be forgotten: every person has the right to request removal of his/her personal data without having to provide a specific reason for this.
- Retention period: personal data may not be retained longer than deemed necessary for a specific purpose.
- Data protection: all personal data must be protected against access by unauthorised persons or loss of data.
- Right to use data for one’s own goals: every person has the right to request his/her personal data and/or to use it for his/her own goals. Every person also has the right to move his/her data and/or to copy it to another organisation.
- Restriction of information: every person has the right to restrict or block access to his/her data.