The principle of data minimisation means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfil that purpose. In other words, data controllers should only collect the personal data they really need, and should only keep it for as long as they need it.

The data minimisation principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725, which statethat personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.