The basic requirements can be summarized in the following points, which result in sub-obligations for personal data processors:
- Purpose limitation – data may not be used for any processing other than that for which consent has been granted or for which we are able to prove a legitimate interest or other legal title.
- Data minimization – keep only the data necessary to achieve the purpose (i.e. delete data whose reason for storage we are unable to prove, and do not store unnecessary data).
- Processing time limit – delete data if the reason for processing disappears.
- Transparency – the data subject must be informed truthfully, transparently and simply about the processing of his data.
- Restrictions on storage – the so-called retention period is the period during which the data can be stored for a given purpose; it is determined for individual processing by the Shredding and Archiving Rules. Delete or anonymize data after a period of time. Shred physical documents. Each piece of data has a period after which it should be deleted, shredded, etc.
- Accuracy – update data regularly (correct stored data at the request of the data subject).
- Secure processing – protect client data, for example by encryption or locking.