(1) A controller shall, without prejudice to the generality of section 75(1), for the purposes of meeting the requirements of this Part and protecting the rights of data subjects -
(a) when determining the means of processing personal data, and
(b) when carrying out the said processing,
implement appropriate technical and organisational measures that are designed -
(i) to implement the principles of the protection of personal data contained in this Part in an effective manner, and
(ii) to integrate the necessary safeguards into the said processing.
(2) Without prejudice to the generality of section 75(1) and subsection (1), a controller shall, subject to subsection (3), when processing personal data implement appropriate technical and organisational measures to ensure that only personal data that are necessary for each specific purpose of the processing are processed.
(3) The requirement in subsection (2) applies in relation to -
(a) the amount of personal data collected for the proces
…