(1) A controller shall, as respects personal data for which it is responsible, comply with the following provisions:
(a) the data shall be processed lawfully and fairly;
(b) the data shall be collected for one or more specified, explicit and legitimate purposes and shall not be processed in a manner that is incompatible with such purposes;
(c) the data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed;
(d) the data shall be accurate, and, where necessary, kept up to date, and every reasonable step shall be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) the data shall be kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the data are processed;
(f) the data shall be processed in a manner that ensures appropriate security of the data, including, by the implementa
…