Article 4Principles relating to processing of personal data
1.Member States shall provide for personal data to be:
(a)processed lawfully and fairly;
(b)collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes;
(c)adequate, relevant and not excessive in relation to the purposes for which they are processed;
(d)accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e)kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
(f)processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2.Processing by the same or another controller for any of the purposes set out in Article 1(1) other than that for which the personal data are collected shall be permitted in so far as:
(a)the controller is authorised to process such personal data for such a purpose in accordance with Union or Member State law; and
(b)processing is necessary and proportionate to that other purpose in accordance with Union or Member State law.
3.Processing by the same or another controller may include archiving in the public interest, scientific, statistical or historical use, for the purposes set out in Article 1(1), subject to appropriate safeguards for the rights and freedoms of data subjects.
4.The controller shall be responsible for, and be able to demonstrate compliance with, paragraphs 1, 2 and 3.