There are eight data protection principles.
The first five state that personal data must be:
- Processed fairly and lawfully
- Obtained for specific and lawful purposes
- Adequate, relevant and not excessive for the purposes
- Accurate and kept up to date
- Kept no longer than is necessary for its purposes
The sixth principle is that:
- All data must be processed in accordance with the rights of the subject under the Act. The rights of the subject are:
  - a right of access to a copy of the information comprised in their personal data;
  - a right to object to processing that is likely to cause or is causing damage or distress;
  - a right to prevent processing for direct marketing;
  - a right to object to decisions being taken by automated means;
  - a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
  - a right to claim compensation for damages caused by a breach of the Act.
Principles seven and eight state that:
- Technical and organisational measures shall be taken against unauthorised processing of personal data and against accidental loss, destruction of, or damage to personal data.
- Personal data shall not be transferred to a country outside the European Economic Area without guarantees of adequate protection.