3.2 The Seven Principles (Art. 5)

Key Takeaways

  • Article 5(1) sets six processing principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality
  • Article 5(2) adds the seventh principle, accountability, requiring controllers to demonstrate compliance, not merely achieve it
  • Purpose limitation bars further processing incompatible with the original purpose, though archiving, research, and statistics under Art. 89 are presumed compatible
  • Breaching the Article 5 principles attracts the higher fine tier of up to €20 million or 4% of total worldwide annual turnover, whichever is higher

Last updated: June 2026

The Backbone of the GDPR

Quick Answer: Article 5 sets out seven principles. Six sit in Article 5(1): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality. The seventh, accountability, is in Article 5(2). Breaching them triggers the higher fine tier — up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

The exam treats these as a diagnostic instrument: read a scenario, identify the breached principle, then choose the remedy. The two-tier fine structure is itself testable. The lower tier (€10m / 2%) applies to administrative failures (e.g., Art. 8 children, Art. 11, Arts. 25–39, Arts. 42–43), while breaches of the basic principles (Arts. 5, 6, 7 and 9), data subject rights (Arts. 12–22), and transfers (Chapter V) sit in the higher tier. Knowing the principle names in order is the fastest route through borderline questions, because every other duty in the regulation is an elaboration of one of these seven.

The Seven Principles at a Glance

Principle | Article | Core requirement | Common breach
Lawfulness, fairness, transparency | 5(1)(a) | Have a lawful basis; process fairly; tell subjects what you do | Hidden, deceptive, or dark-pattern collection
Purpose limitation | 5(1)(b) | Collect for specified, explicit, legitimate purposes; no incompatible reuse | Repurposing data without a compatibility check
Data minimisation | 5(1)(c) | Adequate, relevant, and limited to what is necessary | Collecting fields you do not need
Accuracy | 5(1)(d) | Keep data accurate and up to date; erase/rectify errors without delay | Acting on stale or wrong records
Storage limitation | 5(1)(e) | Keep identifiable data no longer than necessary | No retention schedule; indefinite storage
Integrity and confidentiality | 5(1)(f) | Ensure appropriate security | No encryption, weak access controls
Accountability | 5(2) | Be responsible for, and able to demonstrate, compliance | No RoPA, policies, or evidence

A mnemonic many candidates use is "Lawful Purposes Mean Accurate Storage Is Accountable" — mapping in order to Lawfulness, Purpose limitation, Minimisation, Accuracy, Storage limitation, Integrity/confidentiality, Accountability. The exam never asks you to recite the list cold; it embeds one principle as the "least defensible" practice in a fact pattern and surrounds it with near-miss distractors.

A useful tactic is to ask three screening questions per scenario: Was the subject told and is there a basis? (lawfulness/fairness/transparency); Is more being collected or kept than needed? (minimisation/storage); and Can the controller prove any of this? (accountability). The principle that fails the cleanest of those screens is usually the intended answer.

Purpose Limitation and Compatible Use

Purpose limitation (Art. 5(1)(b)) requires purposes to be specified, explicit, and legitimate at the point of collection, and bars further processing incompatible with those purposes. To test compatibility, controllers weigh the factors in Article 6(4): the link between the original and new purposes; the context in which data was collected and the relationship with the subject; the nature of the data (especially special categories); the possible consequences of further processing; and the existence of safeguards such as encryption or pseudonymisation.

A statutory presumption helps: further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not considered incompatible, provided Article 89 safeguards (e.g., minimisation, pseudonymisation) apply. Note that "not incompatible" still does not supply a lawful basis — you may also need Article 6.

Exam scenarios frequently hide a quiet repurposing: using support-ticket emails for a marketing blast, mining HR data for productivity scoring, or feeding customer records into a new analytics model. Each is a purpose-limitation problem, usually compounded by a missing lawful basis and a transparency failure — the question may ask which principle is most directly breached, so identify the primary defect rather than listing them all.

Minimisation, Accuracy, Storage Limitation and Accountability

These operational principles appear together in fact patterns:

  • Data minimisation (5(1)(c)) — collect only what is necessary for the stated purpose. A form demanding a full date of birth when a yes/no age-gate suffices breaches minimisation.
  • Accuracy (5(1)(d)) — take reasonable steps to keep data correct and to erase or rectify inaccurate data without delay; this principle underpins the right to rectification (Art. 16).
  • Storage limitation (5(1)(e)) — keep identifiable data no longer than necessary. The practical answer is a documented retention schedule with timely deletion or anonymisation; indefinite retention is the classic violation.

Together these push controllers toward "collect less, keep it correct, delete it sooner."

Accountability (Art. 5(2)) is the meta-principle: the controller must be responsible for, and able to demonstrate, compliance with all the others. It converts good intentions into evidence — records of processing (Art. 30), data protection by design (Art. 25), DPIAs (Art. 35), DPO appointment (Art. 37), and documented decisions. A controller whose processing is substantively lawful but who cannot prove it has still breached Article 5(2). On the exam, watch for the phrase "could not produce records when the supervisory authority asked" — that is an accountability failure even when nothing else is wrong.

Test Your Knowledge

A gym collects members' full home addresses, dates of birth, and emergency-contact details, then keeps every member record indefinitely even for people who cancelled years ago. The data is accurate and secure. Which Article 5 principle is most clearly breached?

Test Your Knowledge

A company has a lawful basis, secures its data, and keeps it accurate, but it cannot produce any records of processing, policies, or evidence of how it makes privacy decisions when its supervisory authority asks. Which principle does this failure most directly violate?
