Directive (EU) 2016/680 of the European Parliament and of the CouncilDangos y teitl llawn

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Article 4Principles relating to processing of personal data

1.Member States shall provide for personal data to be:

(a)processed lawfully and fairly;

(b)collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes;

(c)adequate, relevant and not excessive in relation to the purposes for which they are processed;

(d)accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e)kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;

(f)processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2.Processing by the same or another controller for any of the purposes set out in Article 1(1) other than that for which the personal data are collected shall be permitted in so far as:

(a)the controller is authorised to process such personal data for such a purpose in accordance with Union or Member State law; and

(b)processing is necessary and proportionate to that other purpose in accordance with Union or Member State law.

3.Processing by the same or another controller may include archiving in the public interest, scientific, statistical or historical use, for the purposes set out in Article 1(1), subject to appropriate safeguards for the rights and freedoms of data subjects.

4.The controller shall be responsible for, and be able to demonstrate compliance with, paragraphs 1, 2 and 3.