Javascript is required

The 8 golden rules of data privacy compliance

The 8 golden rules of data privacy compliance
Paul-Emmanuel Bidault
Paul-Emmanuel Bidault
27 December 2023·4 minutes read time

Every processing of personal data must comply with certain conditions: these are the 8 golden rules of privacy and personal data protection. In this article, these 8 golden rules are described and explained, and correspond to 8 practical sheets that Dastra has made available to you.

You should have 4 good reflexes to meet the requirements of the GDPR in this area:

  • Only collect data that is really necessary
  • Be transparent with all your stakeholders
  • Think about people's rights, such as rights of access, deletion, or rectification
  • Secure your data

Enjoy your reading!

1. Lawfulness of processing (Article 6 of the GDPR)

Processing is lawful only if, and insofar as, at least one of the following 6 conditions is met:

▶ The data subject has consented to the processing of his/her personal data for one or more specific purposes;

▶ The processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request;

▶ The processing is necessary for compliance with a legal obligation to which the controller is subject;

▶ Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

▶ Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

▶ The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child. See our guide to assessing legitimate interests

Find out how to manage legal basis in the Dastra application.

2. Purpose of processing

Personal data collected may only be processed for one purpose:

Precisely determined



The purpose of processing is the reason for using personal data. Data is collected for a well-defined and legitimate purpose and is not further processed in a way incompatible with that initial purpose. This purpose principle limits the way in which the data controller may use or re-use the data in the future.

3. Minimisation of data

Only data strictly necessary to achieve the purpose may be collected and processed.

4. Special protection for sensitive data

Sensitive data may only be collected and processed under certain conditions.

5. Limited retention of data

As soon as the purpose for which they were collected has been achieved, data may be :

In all cases, a retention period must be defined and applied.

6. Security obligation

Security measures must be implemented to:

Prevent the risk of a breach of security

Ensure the security of the data processed.

7. Transparency

Individuals must be informed about the use of their data and how they can exercise their rights.

8. Individuals' rights

Individuals have numerous rights that allow them to retain control over their data:
Right of access

Right of rectification

Right of deletion

Right to object

Right to portability

Right to limit processing

Right to define the fate of data after death

The right not to be the subject of an automated decision.

These 8 golden rules are a guarantee of legal certainty for data controllers and a factor of transparency and confidence for data subjects.

Subscribe to our newsletter

We will send you a few emails to keep you informed of our news and what's new in our solution

* You will always be able to unsubscribe on each newsletter. Learn more.