Article 6 - General requirements

(1) Data Controllers must ensure that Personal Data which they process is:
(A) processed fairly, lawfully and securely;
(B) processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further processed in a way incompatible with those purposes or rights;
(C) adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;
(D) accurate and, where necessary, kept up to date; and
(E) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further processed.
(2) Every reasonable step must be taken by Data Controllers to ensure that Personal Data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified.
(3) A Data Controller must establish and maintain systems and controls that enable it to satisfy itself that it complies with the requirements of this Article.