1. General requirements
(1) Data Controllers shall ensure that Personal Data which they Process are —
(a) Processed fairly, lawfully and securely;
(b) Processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further Processed in a way incompatible with those purposes or rights;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected or further Processed;
(d) accurate and, where necessary, kept up to date; and
(e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data were collected or for which they are further Processed.
(2) Every reasonable step shall be taken by Data Controllers to ensure that Personal Data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further Processed, are erased or rectified.