Under Article 5(1)(c) of GDPR, data minimization requires that personal data must be adequate,
relevant, and limited to what is necessary for its intended purpose.
Option C is correct because it directly reflects the GDPR’s data minimization principle.
Option A is incorrect because storage limitation is a separate principle under Article 5(1)(e).
Option B is incorrect because purpose limitation (Article 5(1)(b)) is separate from data minimization.
Option D is incorrect because GDPR does not specify a fixed retention period (e.g., five years)—
retention should be based on necessity.
Reference:
GDPR Article 5(1)(c) (Data minimization principle)
Recital 39 (Controllers must collect only necessary data)
