# GDPR

* All personal data or data which can be used to identify a person
* Collection must be for specific use case(s)
* Data needs to be accurate (updated)
* Data mustn't be stored longer than necessary, unless it is kept for archiving or statistical purposes.
* User must be allowed to request deletion (store datetime for interval analysis)
* Data must be optional unless absolutely required (e.g. HR data, customer info for invoice etc.). All other data requires approval by holder.
* Person must be at least 16 years old
* Data breaches must be published after 72 hours

## Processing

* Consent must be given by the person (it must be possible to demonstrate this consent). Therefore it must be an activation checkbox and not a deactivation checkbox.
* Must be necessary for the contract (e.g. writing invoice etc.)
* User may request what data is stored