Personal data must be processed according to the following principles:

Legality: Federal bodies require a legal basis to process personal data. An exception is possible if the person concerned has consented to the processing in an individual case or has made their personal data generally accessible and has not expressly prohibited processing.

Proportionality: The processing of personal data must be objectively suitable and necessary to fulfil the task (“as much as necessary, as little as possible”). A sensible relationship must exist between the pursued purpose and the processing of data.

Purpose limitation: Personal data may only be procured for a particular purpose identifiable to the person concerned; it may only be processed such that it is consistent with this purpose.

Limited retention periods: Personal data is destroyed or anonymised as soon as it is no longer required for the purpose of processing..

Accuracy of data: Anyone processing personal data must make sure that it is correct. He or she must take all appropriate measures to ensure that the data which is incorrect or incomplete with regard to its purpose of procurement or processing is corrected, deleted or destroyed.

Transparency: The controller informs the person concerned appropriately about the procurement of personal data; this duty to provide information also applies if the data cannot by procured from the person concerned. Anyone can request information from the controller on whether personal data about them is being processed.

Data security: The controller ensures a level of data security appropriate to the risk through suitable technical and organisational measures. They take this into account from planning (“privacy by design”). The controller is obligated, by means of suitable default settings, to ensure that the processing of personal data is restricted to the minimum level required for the intended use, if the person concerned does not decide otherwise («Privacy by Default»).

Data protection

Data protection consultant