The Act is based upon principles relating to data quality and processing. The principles may be summarized as follows:
Data must be fairly and lawfully processed in accordance with good practices of personal data processing.
Data must be processed for limited purposes only.
Data must be adequate, relevant and not excessive in relation to the purposes for the processing.
Data must be reliable and accurate.
Data must not be kept for longer a longer time than is necessary. Personal data which are unreliable or incomplete, having regard to the purposes for their processing, must be erased or rectified.
Personal data may only be processed if the data subject has unambiguously agreed to the processing or given his consent. Processing is also allowed if it is necessary to honour a contract to which the data subject is a party, to fulfil a legal obligation of the controller, to protect vital interests of the data subject and for a number of other reasons that Act provides for. The Act sets out further requirements for processing of sensitive personal data.