Personal data must be processed lawfully, fairly and in a transparent manner. Data may only be collected and processed for specified, explicit and legitimate purposes (purpose limitation). Data must be minimized to the data absolutely needed for the purpose a business is trying to achieve (data minimization). Data must be kept up-to-date and accurate, and should not be kept any longer than is necessary (accuracy and storage limitation). Organizations must ensure appropriate security of the data through technical and organizational measures (integrity and confidentiality). The Controller is responsible for demonstrating compliance (accountability).