§ 37 DSG NRW
General principles for the processing of personal data
(1)Personal data must
(2)1. be processed lawfully and fairly,
(3)2. be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes,
(4)3. be adequate for the purpose of processing, be necessary for achieving the purpose of processing, and their processing must not be disproportionate to that purpose,
(5)4. be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay,
(6)5. not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which they are processed, and
(7)6. be processed in a manner that ensures appropriate security of the personal data; this shall include protection, to be ensured by appropriate technical and organisational measures, against unauthorised or unlawful processing, accidental loss, accidental destruction or accidental damage.