• 個人資料應(yīng)以合法，公正和透明的方式處理。

• 人們需要被告知正在收集什么信息以及為了什么目的而收集。

• 個人數(shù)據(jù)應(yīng)按指定的，明確的和合法的目的收集。它不得用于與這些目的相沖突的其他任何原因。

• 個人資料只有在需要時才能保存和處理，并且不超過此時間。

• 個人資料必須保持最新和準(zhǔn)確。

• 人們有權(quán)收到其數(shù)據(jù)副本，或者可以要求不再使用他們的個人數(shù)據(jù)。在某些情況下，他們可以完全刪除它。

• 組織必須采取適當(dāng)?shù)陌踩胧﹣肀Ｗo(hù)個人數(shù)據(jù)免受意外或不當(dāng)影響而導(dǎo)致數(shù)據(jù)的非法破壞，遺失，變更或披露。

• 此外，組織需要確保所有處理個人數(shù)據(jù)的工作人員都經(jīng)過適當(dāng)?shù)呐嘤?xùn)知道如何保護(hù)這些數(shù)據(jù)。

• Personal data for individuals shall be processed lawfully, fairly, and in a transparent manner.

• People need to be told what is being collected and for what purpose.

• Personal data shall be collected for specified, explicit, and legitimate purposes. It shall not be used for any other reasons that conflict with these purposes.

• Personal data shall only be kept and processed for as long as it is required for that purpose and for no longer than that.

• Personal data must be kept up-to-date and accurate.

保護(hù)個人數(shù)據(jù)的措施必須確保適當(dāng)?shù)乃絹肀Ｕ蠑?shù)據(jù)的敏感性。由于與數(shù)據(jù)相關(guān)的風(fēng)險(xiǎn)變得更大，所以應(yīng)該花費(fèi)更多的努力和措施來保護(hù)數(shù)據(jù)。這些措施也應(yīng)該進(jìn)行定期審查并適時更新。有關(guān)于隱私和安全決議的記錄有助于合規(guī)。

The protection measures that are in place to secure personal data must ensure a level of protection appropriate to the sensitive nature of the data. As the risk associated with data becomes greater, so should the effort and expense of measures to protect the data.These measures should be regularly reviewed and updated as appropriate.Well-documented records about privacy and security decisions and measures help to show compliance with the requirements.

此外，當(dāng)數(shù)據(jù)轉(zhuǎn)移給外部第三方或歐盟以外的各方時，組織在法律上必須采取合同和盡職調(diào)查等措施來保護(hù)個人。最后，在個人數(shù)據(jù)泄露的情況下，組織應(yīng)該在知悉后72小時內(nèi)報(bào)告違規(guī)行為。組織未能遵守GDPR可能導(dǎo)致高達(dá)其全球收入的4％的罰款，這也使得GDPR成為財(cái)務(wù)成本最高的全球法規(guī)之一。

In addition, organizations are legally bound to employ measures, such as contracts and due diligence reviews,to protect personal data when transferring it to external third parties or parties outside the European Union. Finally, in the case of a personal data breach, organizations shall report the breach within 72 hours after becoming aware of it. Failure for organizations to comply with GDPR can result in fines up to 4% of their global revenue, making GDPR one of the most financially costly global regulations in the world.