We can summarise GDPR using the following principles:
- Right to information: personal data is collected for a specific legitimate purpose, and may not be used for other purposes. Organisations need to be fully transparent about this.
- Transparency: the person whose data is processed has actively agreed to this and has been informed of his/her rights.
- Right of access to your data: every person has the right of access to his/her personal data and supplementary information. This data must be correct at all times. Every person has the right to correct his/her data.
- Right to be forgotten: every person has the right to request removal of his/her personal data without having to provide a specific reason for this.
- Retention period: personal data may not be retained longer than deemed necessary for a specific purpose.
- Data protection: all personal data must be protected against access by unauthorised persons or loss of data.
- Right to use data for one’s own goals: every person has the right to request his/her personal data and/or to use it for his/her own goals. Every person also has the right to move his/her data and/or to copy it to another organisation.
- Restriction of information: every person has the right to restrict or block access to his/her data.