Article 5 of the GDPR lays down the principles that govern all personal data processing in the EU. These principles appear in virtually every EPSO data management competition — understanding them is non-negotiable.
The Seven Principles
1. Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully (one of six legal bases in Article 6), fairly (no hidden or unexpected processing), and transparently (clear privacy notices). In EPSO exams, questions often ask you to identify which legal basis applies to a given scenario.
2. Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes and not further processed in ways incompatible with those purposes. The key word is "incompatible" — further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not treated as incompatible, provided the safeguards of Article 89(1) are in place.
3. Data Minimisation
Only collect data that is adequate, relevant, and limited to what is necessary. A common exam question: an EU institution collects employees' social media profiles for HR purposes — is this proportionate? (Usually not.)
4. Accuracy
Personal data must be accurate and kept up to date. Every reasonable step must be taken to ensure that inaccurate data is erased or rectified without delay. This links directly to the right to rectification (Article 16).
5. Storage Limitation
Data must be kept no longer than necessary for the purposes of processing. The regulation doesn't prescribe specific retention periods — this is determined by the controller based on the purpose. Exam tip: look for answers mentioning "purpose-based retention" rather than fixed time periods.
6. Integrity and Confidentiality
Data must be processed with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. This is the principle behind encryption, access controls, and data breach notification requirements (Articles 33 and 34).
7. Accountability
The controller must be able to demonstrate compliance with all of the above principles. This is why organisations need Data Protection Officers, data protection impact assessments (DPIAs), and records of processing activities (ROPA, Article 30).
Exam Tips
- Know the principles by name and number — EPSO questions reference them directly
- Understand that accountability is about demonstrating compliance, not just being compliant
- Purpose limitation and data minimisation are the most frequently tested
- Don't confuse storage limitation with data minimisation — they address different concerns