Date: 17-Jul-2025

THE FUNDAMENTAL PRINCIPLES OF PERSONAL DATA PROTECTION

Compliance with data protection law builds trust

July 17, 2025

The core principles of personal data protection form the foundation of all processes involving the collection, processing, and management of personal data. Article 4 of the Law on Personal Data Protection (Law No. 06/L-082) sets out several fundamental principles that directly and indirectly impact all other rules and obligations set by the law.

For any data controller or processor, compliance with these principles is the first and most essential step to fulfilling their legal obligations under the Law.

The Key Principles Are:

Lawfulness, Fairness, and Transparency

Personal data must be processed lawfully, fairly, and in a transparent manner that does not compromise the dignity of the data subject.

Processing is considered lawful only if at least one of the following applies:

  • The data subject has given consent;
  • Processing is necessary for the performance of a contract;
  • Processing is required by legal obligation;
  • It protects the vital interests of the data subject or another individual;
  • It serves the public interest or official authority;
  • It is necessary for the legitimate interests pursued by the controller or a third party.

Example: A company processes client data to issue invoices.

Purpose Limitation

Personal data must be collected for specific, explicit, and legitimate purposes and cannot be further processed in a way that is incompatible with those purposes.

Example: If a company collects data for billing purposes, it cannot later use it for marketing unless it obtains separate, specific consent.

Data Minimization

Only the data that is adequate, relevant, and limited to what is necessary for the intended purpose should be collected and processed.

Example: Asking for a person’s name to register for an event is reasonable, but asking for their national ID number or home address may exceed the necessary scope.

Accuracy

Personal data must be accurate and kept up to date. Controllers and processors must take every reasonable step to correct or delete inaccurate data without delay.

Example: A client’s old email address should be updated or removed from the system.

Storage Limitation

Data should be kept only for as long as necessary to fulfill the purpose for which it was collected. Once the purpose is achieved, the data must be deleted, destroyed, anonymized, or blocked, unless otherwise required by specific legislation.

Example: After a service contract ends, the company cannot retain the client’s data indefinitely without legal grounds.

Integrity and Confidentiality

Personal data must be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using proper technical and organizational measures.

Example: A company conducting employee surveys uses pseudonymization, assigning each participant a code instead of their name. Only one person securely holds the list that matches codes to real names.

Accountability

The controller must be responsible for and able to demonstrate compliance with all the above principles throughout the data lifecycle from collection to storage, to deletion or destruction.

This means the controller not only has to implement the law but also prove it especially in front of the Information and Privacy Agency, using proper records, procedures, and safeguards.

Example: The Agency has imposed fines up to €50,000 on companies that failed to implement proper technical and organizational measures to ensure data security, violating the principle of integrity and confidentiality.

As a conclusion these principles are not just theoretical guidelines, they are binding legal standards.

Implementing them properly doesn’t just help avoid penalties. It builds trust with individuals and helps foster a responsible, privacy-conscious environment.

Author: Valmir Haziraj