Data minimisation is the GDPR Article 5(1)(c) principle that personal data must beadequate, relevant, and limited to what is necessary for the stated purpose. Everyfield a business collects has to pass that three-part test. Verifying a user is over 18?Ask for age confirmation, not a date of birth. Newsletter signup? Email is enough — aphone number is excess. Data minimisation pairs with purpose limitation and storagelimitation: collect for a defined reason, keep only what you need, delete when done.The 2026 EDPB AI guidelines apply the same logic to model training.‍

‍