7. Five Key Principles of Data Protection*:
7.1 Data Controllers are expected to ensure that Personal Data which they process are:
a) processed fairly, lawfully and securely;
b) processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further Processed in a way incompatible with those purposes or rights;
c) adequate, relevant and not excessive in relation to the purposes for which they are collected or further Processed;
d) accurate and, where necessary, kept up to date; and
e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data were collected or for which they are further Processed.
7.2 Further information on each principle is set out below.
Principle 1. Processed fairly, lawfully and securely
7.3 The Data Protection Regulations require the Data Controller to process Personal Data fairly, lawfully and securely. The main purpose of this requirement is to protect the interests of the Data Subjects whose Personal Data is being processed.
7.4 This principle applies to all actions that a Data Controller undertakes with Personal Data. In practice, it means that the Data Controller must:
a) have legitimate grounds for collecting and using the Personal Data;
b) not use the data in ways that have unjustified adverse effects on the individuals concerned;
c) be transparent about how they intend to use the data, and give individuals appropriate privacy notices when collecting their Personal Data;
d) handle people's Personal Data only in ways they would reasonably expect; and
e) make sure they do not commit any unlawful actions with the data.
Principle 2. Processed for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further Processed in a way incompatible with those purposes or rights
7.5 The Data Controller must be open about their reasons for obtaining Personal Data, and must ensure that what they do with the information is in line with the reasonable expectations of the individuals concerned. In practice, the Data Controller must:
a) be clear from the outset about why they are collecting Personal Data and what they intend to do with it;
b) comply with the Data Protection Regulations' fair processing requirements – including the duty to give privacy notices to individuals when collecting their Personal Data; and
c) ensure that if they wish to use or disclose the Personal Data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
Principle 3. Adequate, relevant and not excessive in relation to the purposes for which they are collected or further Processed
7.6 The Data Controller must only collect the Personal Data that they need for the purposes that have been specified. They are also required to ensure that the Personal Data they collect is sufficient for the purpose for which it was collected. In practice, it means that the Data Controller should ensure that:
a) they hold Personal Data about an individual that is sufficient for the purpose they are holding it for in relation to that individual; and
b) they do not hold more information than they need for that purpose.
Principle 4. Accurate and, where necessary, kept up to date
7.7 To comply with this requirement, the Data Controller should:
a) take reasonable steps to ensure the accuracy of any Personal Data they obtain;
b) ensure that the source of any Personal Data is clear;
c) carefully consider any challenges to the accuracy of information; and
d) consider whether it is necessary to update the information.
Principle 5. Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data were collected or for which they are further Processed
7.8 The Data Controller is required to retain Personal Data for no longer than is necessary for the purpose for which they obtained it. They are expected to ensure that Personal Data is disposed of when no longer needed, to reduce the risk that it will become inaccurate, out of date or irrelevant. In practice, it means that Data Controllers will need to:
a) review the length of time that Personal Data is kept;
b) consider the purpose or purposes they should hold the information for in deciding whether (and for how long) to retain it;
c) securely delete information that is no longer needed for this purpose or these purposes; and
d) update, archive or securely delete information if it goes out of date.
* Section 1(1) of the ADGM Data Protection Regulations 2015.