ANNEX A DATA PROCESSING PRINCIPLES
1. Purpose limitation: Personal Data may be Processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the Data Subject.
2. Data quality and proportionality: Personal Data must be accurate and, where necessary, kept up to date. The Personal Data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further Processed.
3. Transparency: Data Subjects must be provided with information necessary to ensure fair Processing (such as information about the purposes of Processing and about the transfer), unless such information has already been given by the Data Exporter.
4. Security and confidentiality: Technical and organisational security measures must be taken by the Data Controller that are appropriate to the risks, such as against unlawful or unauthorised Processing of Personal Data and against accidental loss or destruction of, or damage to, such Personal Data. Any person acting under the authority of the Data Controller, including a Data Processor, must provide sufficient guarantees that such technical measures shall be complied with.
5. Rights of access, rectification, erasure or blocking: Data Subjects have the right to be provided with written confirmation as to whether Personal Data relating to them are being Processed, provided that such requests are made at reasonable intervals. Data Subjects must also be able to have their Personal Data rectified, erased or blocked, as appropriate, where it is Processed against the requirements of the Regulations. A Data Subject must also be able to object to the Processing of the Personal Data relating to him if there are reasonable grounds for such an objection, and such grounds relate to his particular situation.
6. Sensitive Personal Data: The Data Importer shall take such additional measures (e.g. relating to security) as are necessary to protect Sensitive Personal Data in accordance with its obligations under Clause 3 or the Data Exporter's obligations under the Regulations.
7. Data used for marketing purposes: Where data are Processed for the purposes of direct marketing, effective procedures should exist allowing the Data Subject at any time to object to having his data used for such purposes.
8. Automated Decisions: The Data Importer shall not make any Automated Decisions concerning Data Subjects, except when —
(a) (i) such decisions are made by the Data Importer in entering into or performing a contract with the Data Subject; and
(ii) the Data Subject is given an opportunity to discuss the results of a relevant Automated Decision with a representative of the parties making such decision or otherwise to make representations to those parties; or
(b) where otherwise provided by the Regulations.