[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fH1O2UtgkcS2ItOz_wYCcxgCuYGuvpH9OAWHrd9AXawo":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":7,"nbDownloads":11,"excerpt":12,"lang":13,"url":14,"intro":15,"featured":4,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":47,"imageUrl":48,"imageThumbUrls":49,"id":57},false,"Every [**processing of personal data**](https://www.dastra.eu/en/guide/data-processing-activity/56354) must comply with certain conditions: these are the **8 golden rules** of privacy and personal data protection. In this article, these 8 golden rules are described and explained, and correspond to 8 practical sheets that Dastra has made available to you.\r\n\r\nYou should have **4 good reflexes** to meet the requirements of the GDPR in this area:\r\n\r\n- ✔ **Only collect data that is really necessary**\r\n- ✔ **Be transparent with all your stakeholders**\r\n- ✔ **Think about people's rights, such as rights of access, erasure, or rectification**\r\n- ✔ **Secure your data**\r\n\r\nEnjoy your reading!\r\n\r\n## 1. 
Lawfulness of processing (Article 6 of the GDPR)\r\n\r\nProcessing is **lawful** only if, and insofar as, at least **one of the following 6 conditions** is met:\r\n\r\n▶ The data subject **has given consent to the processing** of their personal data for one or more specific purposes;\r\n\r\n▶ The processing is **necessary for the performance of a contract** to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request;\r\n\r\n▶ The processing is **necessary for compliance with a legal obligation** to which the controller is subject;\r\n\r\n▶ Processing is **necessary in order to protect the vital interests** of the data subject or of another natural person;\r\n\r\n▶ Processing is **necessary for the performance of a task carried out in the public interest** or in the exercise of official authority vested in the controller;\r\n\r\n▶ The processing is **necessary for the purposes of the legitimate interests** pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child. See our guide to assessing legitimate interests.\r\n\r\n> Find out how to manage the [legal basis](https://www.dastra.eu/en/guide?q=legal+basis) in the Dastra App.\r\n\r\n## 2. Purpose of processing\r\n\r\nPersonal data collected may only be processed for a specific purpose that meets the following conditions:\r\n\r\n▶ **Precisely determined**\r\n\r\n▶ **Explicit**\r\n\r\n▶ **Legitimate**\r\n\r\n**The [purpose of processing](https://www.dastra.eu/en/guide/purpose-of-processing/56312) is the reason for using personal data**. Data is collected for a well-defined and legitimate purpose and is not further processed in a way incompatible with that initial purpose. 
**This purpose principle limits the way in which the data controller may use or re-use the data in the future**.\r\n\r\n## 3. Minimisation of data\r\n\r\nOnly data [**strictly necessary**](https://www.dastra.eu/en/guide/data-minimisation-principle/56347) to achieve the purpose may be collected and processed.\r\n\r\n## 4. Special protection for sensitive data\r\n\r\n[**Sensitive data**](https://www.dastra.eu/en/guide/sensitive-data/56319) may only be collected and processed under certain conditions.\r\n\r\n## 5. Limited retention of data\r\n\r\nAs soon as the purpose for which they were collected has been achieved, data may be:\r\n\r\n▶ **Archived**\r\n\r\n▶ **Deleted**\r\n\r\n▶ **Anonymised**\r\n\r\nIn all cases, a [retention period](https://www.dastra.eu/en/guide/data-retention-period/56323) must be defined and applied.\r\n\r\n## 6. Security obligation\r\n\r\n[**Security measures**](https://www.dastra.eu/en/guide/what-security-measures-should-be-applied-under-the-gdpr/56344) must be implemented to:\r\n\r\n▶ **Prevent the risk of a breach of security**\r\n\r\n▶ **Ensure the security of the data processed**.\r\n\r\n## 7. Transparency\r\n\r\nData subjects must be [informed](https://www.dastra.eu/en/guide/factsheet-informing-people-according-to-the-gdpr-the-transparency-principle/56360) about the use of their data and how they can exercise their rights.\r\n\r\n## 8. 
Individuals' rights\r\n\r\nData subjects have [numerous rights](https://www.dastra.eu/en/product-features/data-subject-requests) that allow them to retain control over their data:\r\n\r\n▶ **Right of access**\r\n\r\n▶ **Right of rectification**\r\n\r\n▶ **Right of erasure**\r\n\r\n▶ **Right to object**\r\n\r\n▶ **Right to data portability**\r\n\r\n▶ **Right to limit processing**\r\n\r\n▶ **Right to define the fate of data after death**\r\n\r\n▶ **The right not to be the subject of an automated decision**.\r\n\r\n> These 8 golden rules are a guarantee of legal certainty for data controllers and a factor of transparency and trust for data subjects.","\u003Cp>Every \u003Ca href=\"https://www.dastra.eu/en/guide/data-processing-activity/56354\">\u003Cstrong>processing of personal data\u003C/strong>\u003C/a> must comply with certain conditions: these are the \u003Cstrong>8 golden rules\u003C/strong> of privacy and personal data protection. In this article, these 8 golden rules are described and explained, and correspond to 8 practical sheets that Dastra has made available to you.\u003C/p>\r\n\u003Cp>You should have \u003Cstrong>4 good reflexes\u003C/strong> to meet the requirements of the GDPR in this area:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>✔ \u003Cstrong>Only collect data that is really necessary\u003C/strong>\u003C/li>\r\n\u003Cli>✔ \u003Cstrong>Be transparent with all your stakeholders\u003C/strong>\u003C/li>\r\n\u003Cli>✔ \u003Cstrong>Think about people's rights, such as rights of access, erasure, or rectification\u003C/strong>\u003C/li>\r\n\u003Cli>✔ \u003Cstrong>Secure your data\u003C/strong>\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>Enjoy your reading!\u003C/p>\r\n\u003Ch2 id=\"lawfulness-of-processing-article-6-of-the-gdpr\">1. 
Lawfulness of processing (Article 6 of the GDPR)\u003C/h2>\r\n\u003Cp>Processing is \u003Cstrong>lawful\u003C/strong> only if, and insofar as, at least \u003Cstrong>one of the following 6 conditions\u003C/strong> is met:\u003C/p>\r\n\u003Cp>▶ The data subject \u003Cstrong>has given consent to the processing\u003C/strong> of their personal data for one or more specific purposes;\u003C/p>\r\n\u003Cp>▶ The processing is \u003Cstrong>necessary for the performance of a contract\u003C/strong> to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request;\u003C/p>\r\n\u003Cp>▶ The processing is \u003Cstrong>necessary for compliance with a legal obligation\u003C/strong> to which the controller is subject;\u003C/p>\r\n\u003Cp>▶ Processing is \u003Cstrong>necessary in order to protect the vital interests\u003C/strong> of the data subject or of another natural person;\u003C/p>\r\n\u003Cp>▶ Processing is \u003Cstrong>necessary for the performance of a task carried out in the public interest\u003C/strong> or in the exercise of official authority vested in the controller;\u003C/p>\r\n\u003Cp>▶ The processing is \u003Cstrong>necessary for the purposes of the legitimate interests\u003C/strong> pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child. See our guide to assessing legitimate interests.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>Find out how to manage the \u003Ca href=\"https://www.dastra.eu/en/guide?q=legal+basis\">legal basis\u003C/a> in the Dastra App.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch2 id=\"purpose-of-processing\">2. 
Purpose of processing\u003C/h2>\r\n\u003Cp>Personal data collected may only be processed for a specific purpose that meets the following conditions:\u003C/p>\r\n\u003Cp>▶ \u003Cstrong>Precisely determined\u003C/strong>\u003C/p>\r\n\u003Cp>▶ \u003Cstrong>Explicit\u003C/strong>\u003C/p>\r\n\u003Cp>▶ \u003Cstrong>Legitimate\u003C/strong>\u003C/p>\r\n\u003Cp>\u003Cstrong>The \u003Ca href=\"https://www.dastra.eu/en/guide/purpose-of-processing/56312\">purpose of processing\u003C/a> is the reason for using personal data\u003C/strong>. Data is collected for a well-defined and legitimate purpose and is not further processed in a way incompatible with that initial purpose. \u003Cstrong>This purpose principle limits the way in which the data controller may use or re-use the data in the future\u003C/strong>.\u003C/p>\r\n\u003Ch2 id=\"minimisation-of-data\">3. Minimisation of data\u003C/h2>\r\n\u003Cp>Only data \u003Ca href=\"https://www.dastra.eu/en/guide/data-minimisation-principle/56347\">\u003Cstrong>strictly necessary\u003C/strong>\u003C/a> to achieve the purpose may be collected and processed.\u003C/p>\r\n\u003Ch2 id=\"special-protection-for-sensitive-data\">4. Special protection for sensitive data\u003C/h2>\r\n\u003Cp>\u003Ca href=\"https://www.dastra.eu/en/guide/sensitive-data/56319\">\u003Cstrong>Sensitive data\u003C/strong>\u003C/a> may only be collected and processed under certain conditions.\u003C/p>\r\n\u003Ch2 id=\"limited-retention-of-data\">5. 
Limited retention of data\u003C/h2>\r\n\u003Cp>As soon as the purpose for which they were collected has been achieved, data may be :\u003Cbr />\r\n▶ \u003Cstrong>Archived\u003C/strong>\u003Cbr />\r\n\u003Cbr />\r\n▶ \u003Cstrong>Deleted\u003C/strong>\u003Cbr />\r\n\u003Cbr />\r\n▶ \u003Cstrong>Anonymised\u003C/strong>\u003C/p>\r\n\u003Cp>In all cases, a \u003Ca href=\"https://www.dastra.eu/en/guide/data-retention-period/56323\">retention period\u003C/a> must be defined and applied.\u003C/p>\r\n\u003Ch2 id=\"security-obligation\">6. Security obligation\u003C/h2>\r\n\u003Cp>\u003Ca href=\"https://www.dastra.eu/en/guide/what-security-measures-should-be-applied-under-the-gdpr/56344\">\u003Cstrong>Security measures\u003C/strong>\u003C/a> must be implemented to:\u003C/p>\r\n\u003Cp>▶ \u003Cstrong>Prevent the risk of a breach of security\u003C/strong>\u003C/p>\r\n\u003Cp>▶ \u003Cstrong>Ensure the security of the data processed\u003C/strong>.\u003C/p>\r\n\u003Ch2 id=\"transparency\">7. Transparency\u003C/h2>\r\n\u003Cp>Data subjects must be \u003Ca href=\"https://www.dastra.eu/en/guide/factsheet-informing-people-according-to-the-gdpr-the-transparency-principle/56360\">informed\u003C/a> about the use of their data and how they can exercise their rights.\u003C/p>\r\n\u003Ch2 id=\"individuals-rights\">8. 
Individuals' rights\u003C/h2>\r\n\u003Cp>Data subjects have \u003Ca href=\"https://www.dastra.eu/en/product-features/data-subject-requests\">numerous rights\u003C/a> that allow them to retain control over their data:\u003Cbr />\r\n▶ \u003Cstrong>Right of access\u003C/strong>\u003C/p>\r\n\u003Cp>▶\u003Cstrong>Right of rectification\u003C/strong>\u003C/p>\r\n\u003Cp>▶\u003Cstrong>Right of erasure\u003C/strong>\u003C/p>\r\n\u003Cp>▶\u003Cstrong>Right to object\u003C/strong>\u003C/p>\r\n\u003Cp>▶\u003Cstrong>Right to data portability\u003C/strong>\u003C/p>\r\n\u003Cp>▶\u003Cstrong>Right to limit processing\u003C/strong>\u003C/p>\r\n\u003Cp>▶\u003Cstrong>Right to define the fate of data after death\u003C/strong>\u003C/p>\r\n\u003Cp>▶\u003Cstrong>The right not to be the subject of an automated decision\u003C/strong>.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>These 8 golden rules are a guarantee of legal certainty for data controllers and a factor of transparency and trust for data subjects.\u003C/p>\r\n\u003C/blockquote>\r\n","The 8 Golden Rules of Data Protection","Any processing of personal data must comply with certain conditions: these are the 8 golden rules of data privacy.",646,4,0,null,"en","the-8-golden-rules-of-data-privacy-compliance","Any processing of personal data must comply with certain conditions: these are the 8 golden rules of data privacy. 
This article describes and explains these 8 golden rules.","Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":12,"blogUrl":12,"color":12,"userId":18,"creationDate":21},38,"Paul-Emmanuel Bidault","https://static.dastra.eu/tenant-27/avatar/38/paul-emmanuel-bidault-150.jpg","2019-12-03T19:09:28","2023-12-27T14:56:26.142","2023-12-27T15:56:24.7873319","2026-02-04T10:05:17.7402578",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[42],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[],"https://static.dastra.eu/content/bff15dd3-e28b-4f21-bac6-ca19295d998e/9-original.jpg",[50,51,52,53,54,55,56],"https://static.dastra.eu/content/bff15dd3-e28b-4f21-bac6-ca19295d998e/9-1000.webp","https://static.dastra.eu/content/bff15dd3-e28b-4f21-bac6-ca19295d998e/9.webp","https://static.dastra.eu/content/bff15dd3-e28b-4f21-bac6-ca19295d998e/9-1500.webp","https://static.dastra.eu/content/bff15dd3-e28b-4f21-bac6-ca19295d998e/9-800.webp","https://static.dastra.eu/content/bff15dd3-e28b-4f21-bac6-ca19295d998e/9-600.webp","https://static.dastra.eu/content/bff15dd3-e28b-4f21-bac6-ca19295d998e/9-300.webp","https://static.dastra.eu/content/bff15dd3-e28b-4f21-bac6-ca19295d998e/9-100.webp",56358]