1. Collect only the data that is strictly necessary to achieve your purpose
The data is collected for a specific purpose and is not further processed in a way that is incompatible with this initial purpose.
The purpose principle limits how you can use or re-use this data in the future and avoids the collection of "just in case" data.
The principle of minimisation limits the collection of data to that which is strictly necessary to achieve your purpose.
2. Be transparent
Individuals must retain control over their data. This implies that they are clearly informed, at the time their data is collected, of the use that will be made of it. Under no circumstances should data be collected without their knowledge. Individuals must also be informed of their rights and of how to exercise them.
3. Organise and facilitate the exercise of people's rights
You must put in place procedures enabling people to exercise their rights, and respond as quickly as possible to requests for consultation or access, rectification or deletion of data, or objection to processing, unless the processing operation fulfils a legal obligation (for example, a citizen cannot object to being included in a civil status register). It must be possible to exercise these rights electronically, through a dedicated address.
4. Set retention periods
You cannot keep the data indefinitely.
Data is kept in the "active database", i.e. for day-to-day processing, only for the time strictly necessary to achieve the purpose pursued. It must then be destroyed, anonymised or archived in accordance with the legal obligations applicable to the retention of public archives.
5. Secure data and identify risks
You must take all the measures necessary to guarantee the security of the data: physical and IT security, securing the premises, cabinets and workstations, and strict management of authorisations and computer access rights. This also involves ensuring that only third parties authorised by law have access to the data. These measures are scaled to the sensitivity of the data and to the risks to individuals in the event of a security incident.
6. Make compliance a continuous process
Compliance is not achieved once and for all.
It depends on staff at all levels respecting, day to day, the principles and measures that have been put in place.
Regularly check that processing operations have not changed and that the procedures and security measures in place are being followed, and adapt them if necessary.
Source: CNIL