Identify and document purpose

The organization should identify and document the specific purposes for which the PII will be processed. ... - Licensed content not shown -

GDPR (EU)

5.1.b: Article(5)(1)(b): Personal data shall be: (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

32.4: Article(32)(4): The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

LGPD (BRA)

Art.6: The operations of personal data processing must be performed in good faith and follow these principles: I – Purpose: Performing the processing for legitimate, specific, and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes; II – Adequacy: Compatibility of the processing with the purposes that the data subject was informed of, according to the context of the processing; III – Necessity: Limitation of processing to the minimum necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data in relation to the purposes of processing; IV – Free Access: Guarantee, to the data subjects, of the ability to easily query free of charge the means and duration of processing, as well as the integrity of their personal data; V – Data Quality: Guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of data, according to the need and to fulfill the purpose of its processing; VI – Transparency: Guarantee, to the data subjects, of clear, precise, and easily-accessible information regarding the processing and the respective processing agents, respecting commercial and industrial secrecy; VII – Security: Use of technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit destruction, loss, change, communication, or dissemination events; VIII – Prevention: Adoption of measures to prevent the occurrence of damage as result of the processing of personal data; IX – Non-Discrimination: Impossibility of processing for illegal or abusive discriminatory purposes; X – Liability and Accountability: Demonstration, by the processing agent, that effective measures capable of proving the observance and compliance with personal data protection rules, including the efficacy of these measures, is adopted. Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6) If testing is not...

Art.7: The processing of personal data may only be performed in the following scenarios: I – Through the provision of consent by the data subject; II – For the compliance with legal or regulatory obligation on the part of the controller; III – By the public administration, for the processing and shared use of data deemed as necessary for the execution of public policies outlined in laws and regulations or supported by contracts, agreements, or similar instruments, following the provisions of Chapter IV of this Law; IV – To perform studies by research organizations, ensuring, whenever possible, the anonymization of the personal data; V – When necessary for the performance of an agreement or preliminary procedures relating to an agreement to which the data subject is party, at the request of the data subject; VI – For the regular exercise of rights in court, administrative, or arbitration proceedings, considering that arbitration proceedings must follow the provisions of Law 9,307, dated of September 23, 1996 (Arbitration Law); VII – For the protection of life or the physical safety of the data subject or third party; VIII – For the protection of health, exclusively, in procedures performed by health care professionals, health services or sanitary authorities; (New wording included by Law No. 13,853 of 2019) IX – When necessary to meet the legitimate interests of the controller or third party, except in cases where the data subject’s fundamental rights and freedoms that require the protection of personal data prevail; X – For the protection of credit, including in relation to the provisions of relevant legislation. § 1 (Revoked). (New wording included by Law No. 13,853 of 2019) § 2 (Revoked). (New wording included by Law No. 13,853 of 2019) § 3 The processing of personal data whose access is public must consider the purpose, good faith, and public interest that justify its availability. § 4 The requirement to obtain consent outlined in the head provision of this Article is waived for in case of data made manifestly public by the data subject, preserving the data subject’s rights and the principles outlined in this Law § 5 Controller that obtain the consent referred to in item I of the head provision of this Article that need to communicate or share personal data with another controller must obtain specific consent from the data subject for this purpose, except in the consent waiver scenarios outlined in this Law. § 6 An eventual waiver of the requirement for consent does not relieve the processing agents from the other obligations outlined in this Law, especially the obligation to comply with the general principles and to guarantee the data subject’s rights. § 7 The subsequent processing of the personal data referred to in § § 3 and 4 of this Article may be carried out for new purposes, provided that the legitimate and specific purposes for the new treatment and the preservation of the rights of the holder are observed, as well as the principles and grounds set forth in this Law. (Included by Law No. 13,853 of 2019)

Art.9: The data subject has the right to easily access information regarding the processing of data, which must be made available in a clear, adequate, and ostensive manner, among other characteristics outlined in regulations to comply with the principle of free access: I – Specific purpose of processing; II – Form and duration of processing, respecting commercial and industrial secrecy; III – Identification of the controller; IV – The controller’s contact information; V – Information regarding the shared use of data by the controller and the purpose of the sharing; VI – Liabilities of the processing agents; and VII – The data subject’s rights with explicit mention of the rights contemplated in Article 18 of this Law. § 1 If consent is requested, such consent will be considered void in case the information provided to the data subject have misleading or abusive content or were not previously presented in a transparent, clear, and unambiguous manner. § 2 If consent is requested, if there is a change in the purpose of the processing of personal data that is not compatible with the original consent, the controller must inform the data subjects beforehand, who may revoke the consent, if they disagree with the changes. § 3 When the processing of personal data is a condition for the provision of a good or service or the exercise of a right, the data subjects will be informed in a highlighted manner regarding this fact and the means through which they may exercise the rights identified in Article 18 of this Law.

Art.11: The processing of sensitive personal data may only be performed in the following scenarios: I – When the data subject or their legal guardian consents, in a specific and explicit manner, for specific purposes; II – Without the provision of the data subject’s consent, in scenarios in which it is indispensable for: a) The compliance with legal or regulatory obligation on the part of the controller; b) Shared processing of data deemed necessary for the execution, by the public administration, of public policies outlined in laws and regulations; c) In conducting studies by research organizations, ensuring, whenever possible, the anonymization of the personal data; d) The regular exercise of rights in court, administrative, or arbitration proceedings; considering that arbitration proceedings must follow the provisions of Law 9,307, dated of September 23, 1996 (Arbitration Law); e) The protection of life or the physical safety of the data subject or third party; f) The protection of health, exclusively, in procedures performed by health care professionals, health services or sanitary authorities; or (New wording included by Law No. 13,853 of 2019) g) Ensuring fraud prevention and data subject’s safety, in the identification and authentication process of registration in electronic systems, preserving the rights mentioned in Article 9 of this Law and except in cases where the data subject’s fundamental rights and freedoms require the protection of personal data prevail. § 1 The provisions of this Article apply to any processing of personal data that reveal sensitive personal data and that may cause damage to the data subject, with the exception of the provisions of specific laws. § 2 In cases when letters “a” and “b” of item II of the head provision of this Article are applied by public legal entities and bodies, the aforementioned waiver of consent under the terms of item I of the head provision of Article 23 of this Law will be disclosed. § 3 The communication or shared use of sensitive personal data between controllers with the purpose of obtaining economic advantages may be subject to prohibition or regulation by the National Data Protection Authority, consulting the public authorities’ sectorial bodies, within the scope of their powers. § 4 The communication or shared use of sensitive personal related to health between controllers with the purposes of obtaining economic advantages is prohibited, except when related to the provision of health services, pharmaceutical assistance and health care, provided that § 5 of this Article is observed, including auxiliary services of diagnosis and therapy, to the benefit of the data subjects’ interest, and to allow: (New wording included by Law No. 13,853 of 2019) I – data portability when the data subject requests; or (New wording included by Law No. 13,853 of 2019) II – the financial and administrative transactions resulting from the use and provision of the services referred to in this paragraph. (New wording included by Law No. 13,853 of 2019) § 5 The operators of private health care plans are prohibited from processing health data for the practice of risk selection in the engaging of any modality, as well as in the inclusion or exclusion of beneficiaries. (New wording included by Law No. 13,853 of 2019)

Art.44: The processing of personal data is considered irregular when legislation is not followed or when the security that the data subject can expect is not provided, considering relevant circumstances, including: I – The way the processing was performed; II – The result and the risks that can be reasonably expected from the processing; III – The processing techniques available at the time it was performed. Sole Paragraph. The controller or processor that, when failing to adopt the security measures outlined in Article 46 of this Law, cause damage, will be held responsible for a violation of data security.

CCPA (US, CA)

S.1798.100.a: (a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.

S.1798.100.b: (b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

S.1798.125: (a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by: (A) Denying goods or services to the consumer. (B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. (C) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title. (D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services. (2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data. (b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data. (2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135. (3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time. (4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

APP (Australian Privacy Principles)

APP.1.4.c: Privacy policy must include purposes for which the entity collects, holds and uses personal information (APP 1.4(c))

APP.5: Must notify certain matters on the collection of personal information (APP 5)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.2: The purposes for which personal information is collected must be identified at or before the time of collection (4.2)

DPP (Data Protection Principles) - Hong Kong

DPP.1: Must take all practical steps to inform a number of matters including the purpose of collection, the classes of persons who will have access to the information and rights to access and correct information and the contact information to whom such a request should be made the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data

DPP.5: Must take all practical steps to ensure that person can ascertain a data user's policies and practices in relation to personal data (DPP 5)

Personal Data Protection Act - Singapore

S.18: Collection, use and/or disclosure of personal data must be reasonable in the circumstances and the individual must be informed of the purposes for collection, use and disclosure

S.20: Must inform the individual of the purposes for collection, use and/or disclosure of personal data Notification must be done on or before collection.

Personal Information Protection Act - South Korea

A.15: Must inform the individual of specified matters including the purposes for the collection and use of the personal information (A.15)

A.18: Must not use personal information or disclose it to another entity for purposes other than those consented to/otherwise permitted with additional consent provided by the individual

A.30: Must have a privacy policy that sets out specified matters including the purposes for which personal information is processed, any disclosures of personal information, rights and obligations of data subjects and how to exercise those rights

Turkish Data Protection Law numbered 6698

A.10: Obligation of Controller to Inform