57 Data protection by design and default

(1)     Each controller must implement appropriate technical and organisational measures which are designed—

(a)     to implement the data protection principles in an effective manner, and

(b)     to integrate into the processing itself the safeguards necessary for that purpose.

(2)     The duty under subsection (1) applies both at the time of the determination of the means of processing the data and at the time of the processing itself.

(3)     Each controller must implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.

(4)     The duty under subsection (3) applies to—

(a)     the amount of personal data collected,

(b)     the extent of its processing,

(c)     the period of its storage, and