Article 5 GDPR (Principles Relating To Processing of Personal Information)

Understanding Article 5 of GDPR

Article 5 of GDPR sets the stage for the foundational principles individuals and organizations must adhere to in processing personal data.

The following are the 7 GDPR guiding principles

  1. Lawfulness, fairness and transparency (Article 5(1)(a) GDPR)
  2. Purpose limitation (Article 5(1)(b) GDPR)
  3. Data minimisation (Article 5(1)(c) GDPR)
  4. Accuracy (Article 5(1)(d) GDPR)
  5. Storage limitation (Article 5(1)(e) GDPR)
  6. Integrity and confidentiality (Article 5(1)(f) GDPR)
  7. Accountability (Article 5(2) GDPR)

Lawfulness, fairness and transparency (Article 5(1)(a) GDPR)

The principle of lawfulness, fairness and transparency requires that companies collect, store and process personal data in a way that is legal, that is fair to the data subjects and that they are truthful and transparent about their activities.

Purpose limitation (Article 5(1)(b) GDPR)

The principle of purpose limitation requires that companies have a specific purpose when collecting and processing personal data.

In addition, the purpose must be presented to individuals in a specific and explicit way so the individual can properly consent to the purpose.

Evidently, the purpose must be for legitimate purposes.

Data minimisation (Article 5(1)(c) GDPR)

The principle of data minimisation requires that companies who need to collect personal data limit their collection to only the data they truly need to render their services.

A company should not collect more than what is necessary to achieve the purpose of the data processing.

Accuracy (Article 5(1)(d) GDPR)

Accuracy is a principle requiring that companies, to the extent reasonable, keep the personal data on data subjects accurate and up-to-date.

If the data is not accurate or necessary, the personal data must be erased or rectified. 

Storage limitation (Article 5(1)(e) GDPR)

The principle of storage limitation has to do with how long companies can retain and hold on to personal data.

Under this principle, companies should not store personal data in a form that can lead to the identification of an individual for longer than it is necessary.

The exception for the storage of personal data for longer periods relates to storage for archiving purposes in the interest of the public, related to scientific, historical or statistical purposes.

When companies store data, they must implement proper technical and organizational security measures to ensure the personal data is properly protected.

Integrity and confidentiality (Article 5(1)(f) GDPR)

The principle of integrity and confidentiality is an essential component of the data protection and privacy law represented by GDPR.

Companies are required to adopt measures, polices and procedures in such a way that the personal data is protected against:

  1. Accidental loss
  2. Illegal processing
  3. Unauthorized processing
  4. Destruction
  5. Damage 

Accountability (Article 5(2) GDPR)

The principle of accountability is a principle requiring companies to show and demonstrate compliance with GDPR.

If your organization is subject to GDPR, you must be able to show positive steps and actions taken to comply with the obligations contained in GDPR.

Recitals applicable to Article 5 of GDPR

Relevant Recitals: 39

GDPR Regulation article-by-article overview

Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.

Cited Legislation


GDPR Text: Article 5 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)