
GDPR Art. 5

General Data Protection Regulation (EU 2016/679)

Adam Lundqvist
Founder at SQUR · last verified 2026-06-19

Regulation text

Personal data shall be: (a) processed lawfully, fairly and in a transparent manner; (b) collected for specified, explicit and legitimate purposes; (c) adequate, relevant and limited to what is necessary (data minimisation); (d) accurate and kept up to date; (e) kept in a form which permits identification of data subjects for no longer than necessary (storage limitation); (f) processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality). The controller is responsible for, and shall be able to demonstrate compliance with, these principles (accountability).

ATT&CK techniques this article tests · 15

Technique | Why it maps | Confidence
T1190 | Attackers exploit public-facing applications to gain initial access, directly violating Art. 5(f) by compromising the confidentiality and integrity of personal data. This technique enables unauthorized processing. | 90%
T1053.005 | Scheduled tasks establish persistence, allowing continued unauthorized access to and processing of personal data, violating Art. 5(f) confidentiality and integrity. This also hinders accountability under Art. 5(2). | 80%
T1068 | Exploiting vulnerabilities for privilege escalation grants attackers higher access to sensitive personal data, directly violating Art. 5(f) confidentiality and integrity. This undermines data protection measures. | 90%
T1027 | Obfuscated files or information are used to evade detection, hindering the ability to ensure appropriate security under Art. 5(f) and to demonstrate compliance under Art. 5(2) accountability. | 70%
T1003 | OS credential dumping provides access to user accounts, enabling unauthorized processing of and access to personal data, violating Art. 5(f) confidentiality and integrity. This undermines access controls. | 90%
T1087.001 | Local account discovery helps attackers identify targets for further data access, violating Art. 5(f) by facilitating unauthorized processing and compromising the security of personal data. | 80%
T1021.001 | Remote Desktop Protocol (RDP) for lateral movement allows attackers to access multiple systems containing personal data, violating Art. 5(f) confidentiality and integrity across the network. | 80%
T1005 | Data from local system collection directly involves gathering personal data without authorization, violating Art. 5(a) lawfulness, Art. 5(b) purpose limitation, and Art. 5(f) confidentiality. | 90%
T1071.001 | Web protocols for command and control facilitate unauthorized communication, potentially for exfiltration or further data manipulation, violating Art. 5(f) integrity and confidentiality. | 70%
T1041 | Exfiltration over a C2 channel involves unauthorized transfer of personal data outside the controlled environment, directly violating Art. 5(f) confidentiality and Art. 5(a) lawfulness. | 90%
T1486 | Data encrypted for impact (ransomware) renders personal data inaccessible, violating Art. 5(f) availability and integrity, and potentially Art. 5(d) accuracy if data is corrupted. | 90%
T1485 | Data destruction directly violates Art. 5(f) by causing loss or destruction of personal data, compromising its availability and integrity. This also impacts Art. 5(d) accuracy. | 90%
T1530 | Data from cloud storage collection involves unauthorized access to personal data stored in cloud environments, violating Art. 5(f) confidentiality and integrity, and Art. 5(a) lawfulness. | 80%
T1562.001 | Disabling or modifying system firewalls impairs security defenses, directly violating the requirement for appropriate security under Art. 5(f) and hindering accountability under Art. 5(2). | 80%
T1136.001 | Creating local accounts establishes unauthorized persistence, allowing attackers to bypass legitimate access controls and continue processing personal data, violating Art. 5(f) and Art. 5(a). | 80%

Defending mitigations · 6

Mitigation | What it does | Confidence
M1031 | Network segmentation limits the scope of potential breaches, reducing the impact on personal data confidentiality and integrity as required by Art. 5(f). It isolates sensitive data. | 90%
M1040 | Penetration testing identifies vulnerabilities before exploitation, ensuring appropriate security measures are in place to protect personal data as mandated by Art. 5(f) and supporting Art. 5(2) accountability. | 80%
M1047 | Regular auditing detects unauthorized data processing and access attempts, supporting Art. 5(f) integrity and confidentiality and enabling the controller to demonstrate compliance under Art. 5(2). | 90%
M1035 | Multi-factor authentication strengthens access controls, preventing unauthorized access to systems holding personal data and thereby upholding Art. 5(f) confidentiality and integrity. | 90%
M1029 | Data Loss Prevention (DLP) prevents unauthorized exfiltration of personal data, directly supporting Art. 5(f) confidentiality and Art. 5(a) lawfulness by controlling data movement. | 80%
M1017 | User account management ensures proper access controls and permissions, limiting access to personal data to authorized personnel and thereby enforcing Art. 5(f) confidentiality and integrity. | 80%

Underlying weaknesses · 7

CWE | Why it persists | Confidence
CWE-200 | Exposure of sensitive information directly violates Art. 5(f) confidentiality, as personal data becomes accessible to unauthorized actors. This undermines data protection principles. | 90%
CWE-284 | Improper access control allows unauthorized processing of personal data, directly violating Art. 5(f) confidentiality and integrity. This also impacts Art. 5(a) lawfulness. | 90%
CWE-352 | Cross-Site Request Forgery (CSRF) can lead to unauthorized actions on behalf of a user, potentially manipulating or exposing personal data, violating Art. 5(f) integrity and confidentiality. | 70%
CWE-79 | Cross-site Scripting (XSS) can lead to unauthorized data exposure or manipulation within a user's browser, violating Art. 5(f) confidentiality and integrity of personal data. | 70%
CWE-89 | SQL Injection allows unauthorized access to, modification of, or deletion of personal data in databases, directly violating Art. 5(f) confidentiality and integrity, and Art. 5(d) accuracy. | 80%
CWE-269 | Improper privilege management enables attackers to gain elevated access to personal data, violating Art. 5(f) confidentiality and integrity by bypassing intended security controls. | 80%
CWE-532 | Inclusion of sensitive information in log files can lead to unauthorized disclosure of personal data when the logs are not properly secured, violating Art. 5(f) confidentiality and Art. 5(a) transparency. | 70%

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0193 compute · voice-rubric self-validated