§ GDPR · Article 5
GDPR Article 5: Obligations, Deadlines & Penalties
At a glance
Article 5 of the GDPR imposes 8 obligations on controller. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 5
Obligation 1
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Regulation (EU) 2016/679, Article 5, Article 5
- Obligated entity
-
controller
- Action required
-
process
- Deadline
-
—
- Penalty
-
—
Obligation 2
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Regulation (EU) 2016/679, Article 5, Article 5
- Obligated entity
-
controller
- Action required
-
collect
- Deadline
-
—
- Penalty
-
—
- Exemptions
- Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible.
Obligation 3
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Regulation (EU) 2016/679, Article 5, Article 5
- Obligated entity
-
controller
- Action required
-
limit
- Deadline
-
—
- Penalty
-
—
Obligation 4
Personal data shall be accurate and, where necessary, kept up to date.
Regulation (EU) 2016/679, Article 5, Article 5
- Obligated entity
-
controller
- Action required
-
maintain
- Deadline
-
—
- Penalty
-
—
Obligation 5
Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Regulation (EU) 2016/679, Article 5, Article 5
- Obligated entity
-
controller
- Action required
-
rectify
- Deadline
-
without delay
- Penalty
-
—
Obligation 6
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Regulation (EU) 2016/679, Article 5, Article 5
- Obligated entity
-
controller
- Action required
-
limit storage
- Deadline
-
—
- Penalty
-
—
- Exemptions
- Data may be stored longer for archiving, scientific, historical, or statistical purposes if appropriate measures are implemented.
Obligation 7
Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Regulation (EU) 2016/679, Article 5, Article 5
- Obligated entity
-
controller
- Action required
-
secure
- Deadline
-
—
- Penalty
-
—
Obligation 8
The controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data.
Regulation (EU) 2016/679, Article 5, Article 5
- Obligated entity
-
controller
- Action required
-
demonstrate
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 5
Who must comply with Article 5 of the GDPR?
+
controller.
What does Article 5 of the GDPR require?
+
process collect limit
What is the compliance deadline for GDPR Article 5?
+
without delay