Article 5 in full
Article 5: Principles relating to processing of personal data
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation');
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
(d) accurate and, where necessary, kept up to date ('accuracy');
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes ('storage limitation');
(f) processed in a manner that ensures appropriate security of the personal data ('integrity and confidentiality').
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').
Read the full text on EUR-Lex (CELEX 32016R0679, Article 5).
What this Article requires
Article 5 is the doctrinal foundation of the GDPR. The seven principles in Article 5(1) are not merely standalone obligations; they inform the interpretation of every other Article in the Regulation. A controller cannot satisfy Article 6 (lawful basis) without satisfying Article 5(1)(a) lawfulness. A controller cannot satisfy Article 25 (data protection by design and by default) without satisfying Article 5(1)(c) minimisation. The accountability principle in 5(2) underlies every other GDPR obligation by requiring the controller to be able to demonstrate compliance.
For data minimisation specifically (5(1)(c)), the test has three limbs: the data must be adequate (sufficient to achieve the purpose), relevant (logically connected to the purpose), and limited to what is necessary (no more than the minimum required). The third limb is the most operationally significant. A controller cannot collect data "just in case", cannot collect additional fields on a form that are not required for the immediate purpose, and cannot retain data beyond the period needed for the purpose.
How DPAs interpret Article 5
The European Data Protection Board has issued multiple guidelines that inform Article 5 interpretation, including Guidelines 4/2019 on Article 25 (data protection by design and by default), which operationalise the 5(1)(c) minimisation principle into architectural-design obligations; Guidelines 5/2020 on consent, which interpret the 5(1)(a) fairness principle in consent UX; Guidelines 2/2019 on the processing of personal data under Article 6(1)(b), which address the boundary between contract-necessity and minimisation; and the Article 29 Working Party Opinion 03/2013 on purpose limitation, which remains the leading authority on 5(1)(b) compatibility analysis.
National DPA practice gives more granular content. The CNIL's Guidelines on Data Minimisation in Connected Vehicles (2017, updated 2022) provide a per-data-category analysis of what is necessary for vehicle telemetry. The BfDI's guidance on employment-data processing addresses minimisation in the worker-employer relationship. The Garante's decisions on health-data processing apply 5(1)(c) and 5(1)(e) to regional health-system data architectures. The DPC's decisions on platform processing (TikTok, Instagram, Meta) apply 5(1)(c) to algorithmic-feed personalisation.
Landmark fines under Article 5
TikTok €345 million (DPC, 2023): the leading authority on Article 5(1)(c) and 5(1)(f) applied to platform defaults for children. The decision found that public-by-default visibility for teen accounts exceeded what was necessary for the platform service, infringing minimisation, and that the integrity and confidentiality of children's data was inadequately protected by the Family Pairing design.
Instagram €405 million (DPC, 2022): the parallel authority on 5(1)(c) applied to contact-details publication for teen business-account users. The default exposure of email addresses and phone numbers exceeded what was necessary for the platform service.
H&M €35.3 million (Hamburg, 2020): the leading employment-monitoring authority on 5(1)(c). H&M's warehouse-supervisor practice of recording personal-circumstance data about employees (illnesses, family situations, religious affiliations) far exceeded what was necessary for any legitimate employment purpose.
Dutch AP Belastingdienst €3.7 million (2021): the doctrinal anchor for algorithmic-discrimination jurisprudence. The Tax Authority's use of nationality data in childcare-benefit fraud-risk scoring failed Article 5(1)(a) fairness, 5(1)(c) minimisation (because nationality was not necessary for the stated purpose), and 5(1)(b) purpose limitation.
Italian Garante OpenAI €15 million (2024): the leading AI-training authority. The Garante found that OpenAI's ChatGPT training corpus included personal data of European individuals processed without satisfying 5(1)(b) purpose limitation or 5(1)(c) minimisation, alongside transparency and lawful-basis failures.
Common compliance failures
The recurring patterns in Article 5 enforcement decisions identify a set of common failures that controllers should specifically watch for:
1. Default settings that maximise data collection or visibility rather than minimise them (the TikTok and Instagram pattern).
2. Retention policies that default to "keep indefinitely" or that lack documented deletion triggers (the Article 5(1)(e) storage-limitation pattern).
3. Form fields collecting information that is not actually used for the stated purpose (a small but recurring AEPD pattern).
4. The use of nationality, ethnicity or other special-category proxy data in algorithmic decision-making (the Belastingdienst pattern).
5. Training-data corpora assembled without documented purpose-and-necessity analysis (the OpenAI pattern).
6. Monitoring and surveillance systems with no proportionality assessment (the H&M and Notebooksbilliger patterns).
Defensive controls
For each processing operation, document the specific purpose in the Article 30 ROPA. Map the data elements collected and processed against the documented purpose, identifying any elements that are not strictly necessary. Where a processing operation involves new technology (AI, biometrics, profiling), conduct an Article 35 DPIA that includes a documented necessity-and-proportionality assessment. Set explicit retention periods with operational deletion procedures. Configure default settings to the most privacy-protective option, requiring affirmative user action to move to less-protective settings (the Article 25(2) by-default obligation).
For Article 5(2) accountability, maintain demonstrable evidence: dated DPIAs, dated minimisation assessments, dated retention reviews, documented training, documented testing. The accountability principle means the controller cannot rely on the absence of complaints as evidence of compliance; the controller must be able to demonstrate, in advance, that compliance has been considered and operationalised.
Fine band you can expect
For small Spanish controllers with single-purpose minor infringements, AEPD decisions are typically in the €1,000-€10,000 range. For mid-sized national controllers with documented patterns of minimisation failure, fines range from €50,000 (small CNIL/APD decisions) to several million euros (H&M, Notebooksbilliger). For enterprise-scale controllers with systematic architectural failures affecting children or other vulnerable groups, fines can reach hundreds of millions of euros (the TikTok and Instagram cases). For AI-system processing involving large training corpora, the OpenAI €15 million fine is the current reference; this is likely to rise as AI Act compliance becomes a parallel framework.