(1) A data controller or data processor shall ensure that personal data is —

(a) processed in a fair, lawful and transparent manner;

(b) collected for specified, explicit, and legitimate purposes, and not to be further processed in a way incompatible with these purposes;

(c) adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed;

(d) retained for not longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed;

(e) accurate, complete, not misleading, and, where necessary, kept up to date having regard to the purposes for which the personal data is collected or is further processed; and

(f ) processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.