(1) Each controller must implement appropriate technical and organisational measures which are designed -
(a) to implement the data protection principles in an effective manner, and
(b) to integrate into the processing itself the safeguards necessary for that purpose.
(2) The duty under subsection (1) applies both at the time of the determination of the means of processing the data and at the time of the processing itself.
(3) Each controller must implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.
(4) The duty under subsection (3) applies to -
(a) the amount of personal data collected,
(b) the extent of its processing,
(c) the period of its storage, and
(d) its accessibility.
(5) In particular, the measures implemented to comply with the duty under subsection (3) must ensure that, by default, personal data is not made accessible to an indefinite number
…