Data may not be processed unless certain conditions are met.
The most important condition is that the data processing is lawful, fair and transparent.
This means, among other things, that data processing is only permitted if it is based on one of the grounds mentioned in the law (consent, agreement, legal obligation, vital interests of the data subject, public interest/government task, own urgent interest).
In addition, it is not allowed to process more data than necessary (minimal data processing) and the data may not be kept longer than necessary.
Of course, the data must also be correct and up to date and appropriate security measures must be in place.
The principle of transparency means that the data controller must lay down in a privacy policy that and how all these conditions are dealt with and what rights the data subject has in this respect.