§ GDPR · Article 5

GDPR Article 5: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 5 · All obligations · GDPR
At a glance
Article 5 of the GDPR imposes 8 obligations on controller. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 5

Obligation 1
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Regulation (EU) 2016/679, Article 5, Article 5
Obligated entity
controller
Action required
process
Deadline
Penalty
Obligation 2
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Regulation (EU) 2016/679, Article 5, Article 5
Obligated entity
controller
Action required
collect
Deadline
Penalty
Exemptions
Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible.
Obligation 3
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Regulation (EU) 2016/679, Article 5, Article 5
Obligated entity
controller
Action required
limit
Deadline
Penalty
Obligation 4
Personal data shall be accurate and, where necessary, kept up to date. Regulation (EU) 2016/679, Article 5, Article 5
Obligated entity
controller
Action required
maintain
Deadline
Penalty
Obligation 5
Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay. Regulation (EU) 2016/679, Article 5, Article 5
Obligated entity
controller
Action required
rectify
Deadline
without delay
Penalty
Obligation 6
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Regulation (EU) 2016/679, Article 5, Article 5
Obligated entity
controller
Action required
limit storage
Deadline
Penalty
Exemptions
Data may be stored longer for archiving, scientific, historical, or statistical purposes if appropriate measures are implemented.
Obligation 7
Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Regulation (EU) 2016/679, Article 5, Article 5
Obligated entity
controller
Action required
secure
Deadline
Penalty
Obligation 8
The controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data. Regulation (EU) 2016/679, Article 5, Article 5
Obligated entity
controller
Action required
demonstrate
Deadline
Penalty
§ Frequently asked

Questions about Article 5

Who must comply with Article 5 of the GDPR? +
controller.
What does Article 5 of the GDPR require? +
process collect limit
What is the compliance deadline for GDPR Article 5? +
without delay
Need a cross-border briefing on GDPR Article 5?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles