# GDPR Article 5 — Principles relating to processing of personal data

> The six core principles every controller must satisfy: lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and integrity. Plus the accountability rule.

Citation: *Regulation (EU) 2016/679*  
Last reconciled with canonical source: 2026-04-25  
Canonical: https://eur-lex.europa.eu/eli/reg/2016/679/oj  
Source: https://consenttheater.org/law/gdpr/art-5/

---

## In plain language

Article 5 is the rulebook every other GDPR rule references back to. Six principles describe **how** personal data may be handled, and a seventh — the accountability principle — says the controller must be able to **demonstrate compliance** with all of them.

1. **Lawfulness, fairness, transparency.** Tell the user what you're doing, in plain language, and have a legal basis (Article 6) for it.
2. **Purpose limitation.** Collect data for a specific, named purpose. Don't quietly reuse it for something else.
3. **Data minimisation.** Collect only what you actually need for the named purpose.
4. **Accuracy.** Keep the data correct and up to date; correct or delete if not.
5. **Storage limitation.** Don't keep the data longer than necessary.
6. **Integrity and confidentiality.** Protect the data against unauthorised processing, loss, destruction or damage.

The accountability principle in 5(2) is the one that turns the others into operating requirements: it isn't enough to *do* the right thing; you have to be able to *prove* you did, with logs, records, documented decisions and DPIA outputs.

**UK:** Article 5 of the [UK GDPR](/law/uk-gdpr-and-pecr/) mirrors the EU text — same six principles plus accountability — and is enforced by the ICO. See the mapping page for the full picture.

## How we use this on consenttheater.org

- Our tracker observations are framed as factual, reproducible measurements precisely because Article 5(2) accountability requires controllers to demonstrate compliance — observations like ours give them (and their auditors) something concrete to work with.
- The [data_leak category](/methodology/#categories) in our catalogue is essentially a flag for breaches of **5(1)(f) integrity and confidentiality**: data that flows to a third party without authorisation.

## Original text

Reproduced verbatim from *Regulation (EU) 2016/679*, published by the Publications Office of the European Union on [eur-lex.europa.eu](https://eur-lex.europa.eu/eli/reg/2016/679/oj). The official source is authoritative; this rendering is a navigation convenience.

> **1.** Personal data shall be:
>
> **(a)** processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
>
> **(b)** collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');
>
> **(c)** adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
>
> **(d)** accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
>
> **(e)** kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');
>
> **(f)** processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
>
> **2.** The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').

Prefer the canonical version? [Open this article on eur-lex.europa.eu →](https://eur-lex.europa.eu/eli/reg/2016/679/oj)

---

## Reproduction notice

The text reproduced on this page is taken from the consolidated version of *Regulation (EU) 2016/679*, an official act of the European Union. EU legislative texts are excluded from copyright protection (recital 22 of Directive (EU) 2019/790). ConsentTheater is not affiliated with, endorsed by, or sponsored by any EU institution. For binding legal use always consult the official source on [eur-lex.europa.eu](https://eur-lex.europa.eu/eli/reg/2016/679/oj). We re-verify each reproduction against the canonical text on the date shown at the top of this page.
