Principles of the PDPA BES

General personal data

Any information about an identified or identifiable person.

Special personal data

Any information about a person’s race, sexual orientation, criminal history, religious beliefs, political preferences, medical file or membership of an association. This type of data may only be processed if permitted by law.

What is processing?

Anything you may do with personal data.

What do you want to make sure of?

  • Indicating what data you want to process
  • Indicating why you want to process the data
  • Having (legal) grounds to do so

What can serve as grounds?

Process if necessary:

  • Permission
  • Agreement
  • Legal obligation
  • Vital interest
  • Public duty (general interest)
  • Legitimate interest

How to handle data?

  • Legally, properly and transparently
  • In keeping with the set purposes
  • Only if necessary
  • The data must be correct
  • The data must be kept confidential and uncompromised

Rights of those involved

  • The right to know which of your data an organization has processed (right of inspection)
  • The right to correct any factual inaccuracies (right of correction)
  • The right to object to certain forms of processing by the organization (right of objection)


Personal data may not be stored any longer than is necessary for the purposes for which they were collected. (retention policy)


  • Organizational and technical protection
  • Privacy policy/voluntary agreement
  • Personnel policy for use of eg E-mail, social media, it systems
  • Security policy
  • Autorisation matrix