Data Protection Principles
Introduction
Section titled “Introduction”Article 5 of the GDPR establishes seven key principles that must guide all personal data processing activities. Emily Helps is designed to support compliance with these fundamental principles.
The Seven Principles
Section titled “The Seven Principles”1. Lawfulness, Fairness, and Transparency
Section titled “1. Lawfulness, Fairness, and Transparency”Requirement: Personal data must be processed lawfully, fairly, and in a transparent manner.
How Emily Helps Complies:
- Clear privacy notices inform users about data processing
- All processing activities have a documented legal basis
- Users can access information about how their data is used
- Data collection forms include clear explanations
- Privacy policy is easily accessible
Your Responsibilities:
- Maintain up-to-date privacy notices
- Provide clear information at the point of data collection
- Ensure users understand why their data is being collected
2. Purpose Limitation
Section titled “2. Purpose Limitation”Requirement: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
How Emily Helps Complies:
- Data fields are associated with specific purposes
- System prevents use of data for unrelated purposes
- Audit logs track data access and usage
- Role-based access controls limit data visibility
Your Responsibilities:
- Document the purpose for each type of data collected
- Obtain new consent if you want to use data for a new purpose
- Regularly review data usage against documented purposes
3. Data Minimization
Section titled “3. Data Minimization”Requirement: Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
How Emily Helps Complies:
- Optional vs. required fields are clearly marked
- Forms collect only necessary information
- Default settings minimize data collection
- Regular reviews identify unnecessary data fields
Your Responsibilities:
- Only collect data that is genuinely needed
- Review forms and processes to eliminate unnecessary data collection
- Configure system settings to minimize data collection
- Question each data field: “Is this really necessary?“
4. Accuracy
Section titled “4. Accuracy”Requirement: Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
How Emily Helps Complies:
- User self-service portals allow data updates
- Validation checks prevent obviously incorrect data
- Regular data quality reports identify outdated information
- Version history tracks changes to personal data
- Automated reminders for periodic data verification
Your Responsibilities:
- Implement processes for regular data verification
- Respond promptly to correction requests
- Enable user self-service where appropriate
- Train staff on data accuracy importance
5. Storage Limitation
Section titled “5. Storage Limitation”Requirement: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
How Emily Helps Complies:
- Configurable retention periods for different data types
- Automated retention policy enforcement
- Regular reviews identify data for deletion
- Archiving capabilities for records that must be retained
- Audit trail of data deletion activities
Your Responsibilities:
- Define and document retention periods
- Regularly review and delete data that is no longer needed
- Balance legal retention requirements with GDPR obligations
- Document reasons for extended retention periods
See Also: Data Retention Policy
6. Integrity and Confidentiality (Security)
Section titled “6. Integrity and Confidentiality (Security)”Requirement: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
How Emily Helps Complies:
- Encryption in transit (TLS 1.2+) and at rest
- Role-based access controls
- Multi-factor authentication
- Regular security audits and penetration testing
- Backup and disaster recovery procedures
- Security monitoring and incident response
Your Responsibilities:
- Enable and enforce strong authentication
- Regularly review user access rights
- Train staff on security awareness
- Report security incidents promptly
- Implement organizational security measures
See Also: Data Security Measures
7. Accountability
Section titled “7. Accountability”Requirement: The data controller must be able to demonstrate compliance with all GDPR principles.
How Emily Helps Complies:
- Comprehensive audit logging
- Data processing records and documentation
- Privacy impact assessment templates
- Compliance reporting tools
- Data processing agreements with processors
Your Responsibilities:
- Maintain records of processing activities (Article 30)
- Document compliance measures and decisions
- Conduct and document data protection impact assessments
- Train staff and keep training records
- Regularly review and update policies
Implementing the Principles
Section titled “Implementing the Principles”Documentation
Section titled “Documentation”Maintain documentation for:
- Legal basis for each processing activity
- Purpose of data collection
- Categories of data processed
- Data retention periods
- Security measures implemented
- Data sharing and transfers
Regular Reviews
Section titled “Regular Reviews”Conduct periodic reviews to ensure:
- Principles are being followed in practice
- Staff understand their responsibilities
- Technical measures remain effective
- Documentation is up to date
- Policies reflect current practices
Training and Awareness
Section titled “Training and Awareness”All staff who handle personal data should:
- Understand the seven principles
- Know their specific responsibilities
- Recognize potential compliance issues
- Know how to escalate concerns
- Receive regular refresher training
Practical Examples
Section titled “Practical Examples”Example 1: Sacramental Records
Section titled “Example 1: Sacramental Records”Scenario: Recording baptism information
- Lawfulness: Legal obligation and legitimate interest
- Purpose Limitation: Only for sacramental records and church administration
- Data Minimization: Only necessary details (names, dates, parents, godparents)
- Accuracy: Verification at the ceremony and periodic reviews
- Storage Limitation: Permanent retention for canonical records
- Security: Access limited to authorized clergy and staff
- Accountability: Documented policies and audit logs
Example 2: Newsletter Mailing List
Section titled “Example 2: Newsletter Mailing List”Scenario: Collecting email addresses for parish newsletter
- Lawfulness: Consent (explicit opt-in)
- Purpose Limitation: Only for sending the newsletter
- Data Minimization: Email address and name only
- Accuracy: Self-service unsubscribe and update options
- Storage Limitation: Deleted when user unsubscribes
- Security: Encrypted storage and transmission
- Accountability: Consent records and subscription logs
Related Documentation
Section titled “Related Documentation”- Legal Basis for Processing
- Data Security Measures
- Data Retention Policy
- Accountability and Compliance
Last updated: October 2025