The GDPR set forth certain principles that go through the entire regulation as an underlying manifest that is the essence of how the GDPR grasps proper handling of personal data.
• Lawfulness. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
• Purpose Limitation. Personal Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; some exceptions are specified in the GDPR relating to archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
• Data Minimization. Personal data that is processed shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• Accuracy. When processing Personal Date, it should be kept accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Storage limitation. Except for some exclusions mentioned by the GDPR (and even then, only subject to implementation of the appropriate technical and organizational measures), generally Personal Data should be kept in a form which limits the ability to identify data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Integrity and confidentiality. Personal Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Breaching these principles comes with a heavy fine of the higher level of up to EUR 20M or 4% of the global annual turnover of the breaching entity (in certain circumstances, probably the turnover of the entire group of entities if applicable).