Identify lawful basis

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes. ... - Licensed content not shown -

GDPR (EU)

5.1.a: Article(5)(1)(a): Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');

6.1.a: Article(6)(1)(a): Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

6.1.b: Article(6)(1)(b): Processing shall be lawful only if and to the extent that at least one of the following applies: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

6.1.c: Article(6)(1)(c): Processing shall be lawful only if and to the extent that at least one of the following applies: (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

6.1.d: Article(6)(1)(d): Processing shall be lawful only if and to the extent that at least one of the following applies: (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person

6.1.e: Article(6)(1)(e): Processing shall be lawful only if and to the extent that at least one of the following applies: (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

6.1.f: Article(6)(1)(f): Processing shall be lawful only if and to the extent that at least one of the following applies: (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

6.2: Article (6)(2): Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

6.3: Article(6)(3): The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by: (a) Union law; or (b) Member State law to which the controller is subject. The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

6.4.a: (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

6.4.b: (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

6.4.c: (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

6.4.d: (d) the possible consequences of the intended further processing for data subjects;

6.4.e: (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

8.3: Article(8)(3): Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

9.1: Article(9)(1): Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

9.2.b: Article(9)(2)(b): Paragraph 1 shall not apply if one of the following applies: (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject

9.2.c: Article(9)(2)(c): Paragraph 1 shall not apply if one of the following applies: (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

9.2.d: Article(9)(2)(d): aragraph 1 shall not apply if one of the following applies: (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

9.2.e: Article(9)(2)(e): Paragraph 1 shall not apply if one of the following applies: (e) processing relates to personal data which are manifestly made public by the data subject

9.2.f: Article(9)(2)(f): Paragraph 1 shall not apply if one of the following applies: (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

9.2.g: Article(9)(2)(g): Paragraph 1 shall not apply if one of the following applies: (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

9.2.h: Article(9)(2)(h): Paragraph 1 shall not apply if one of the following applies: (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3

9.2.i: Article(9)(2)(i): Paragraph 1 shall not apply if one of the following applies: (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy

9.2.j: Article(9)(2)(j): Paragraph 1 shall not apply if one of the following applies: (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

9.3: Article(9)(3): Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies

9.4: Article(9)(4): Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health

10: Article(10): Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

17.3.a: Article(17)(3)(a): Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (a) for exercising the right of freedom of expression and information

17.3.b: Article(17)(3)(b): Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

17.3.c: Article(17)(3)(c): Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

17.3.d: Article(17)(3)(d): Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

17.3.e: Article(17)(3)(e): Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (e) for the establishment, exercise or defence of legal claims

18.2: Article(18)(2): Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

22.2.a: Article(22)(2)(a): Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller

22.2.b: Article(22)(2)(b): Paragraph 1 shall not apply if the decision: (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

22.2.c: Article(22)(2)(c): Paragraph 1 shall not apply if the decision: is based on the data subject's explicit consent

22.4: Article(22)(4): Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

LGPD (BRA)

Art.6: The operations of personal data processing must be performed in good faith and follow these principles: I – Purpose: Performing the processing for legitimate, specific, and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes; II – Adequacy: Compatibility of the processing with the purposes that the data subject was informed of, according to the context of the processing; III – Necessity: Limitation of processing to the minimum necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data in relation to the purposes of processing; IV – Free Access: Guarantee, to the data subjects, of the ability to easily query free of charge the means and duration of processing, as well as the integrity of their personal data; V – Data Quality: Guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of data, according to the need and to fulfill the purpose of its processing; VI – Transparency: Guarantee, to the data subjects, of clear, precise, and easily-accessible information regarding the processing and the respective processing agents, respecting commercial and industrial secrecy; VII – Security: Use of technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit destruction, loss, change, communication, or dissemination events; VIII – Prevention: Adoption of measures to prevent the occurrence of damage as result of the processing of personal data; IX – Non-Discrimination: Impossibility of processing for illegal or abusive discriminatory purposes; X – Liability and Accountability: Demonstration, by the processing agent, that effective measures capable of proving the observance and compliance with personal data protection rules, including the efficacy of these measures, is adopted. Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6) If testing is not...

Art.7: The processing of personal data may only be performed in the following scenarios: I – Through the provision of consent by the data subject; II – For the compliance with legal or regulatory obligation on the part of the controller; III – By the public administration, for the processing and shared use of data deemed as necessary for the execution of public policies outlined in laws and regulations or supported by contracts, agreements, or similar instruments, following the provisions of Chapter IV of this Law; IV – To perform studies by research organizations, ensuring, whenever possible, the anonymization of the personal data; V – When necessary for the performance of an agreement or preliminary procedures relating to an agreement to which the data subject is party, at the request of the data subject; VI – For the regular exercise of rights in court, administrative, or arbitration proceedings, considering that arbitration proceedings must follow the provisions of Law 9,307, dated of September 23, 1996 (Arbitration Law); VII – For the protection of life or the physical safety of the data subject or third party; VIII – For the protection of health, exclusively, in procedures performed by health care professionals, health services or sanitary authorities; (New wording included by Law No. 13,853 of 2019) IX – When necessary to meet the legitimate interests of the controller or third party, except in cases where the data subject’s fundamental rights and freedoms that require the protection of personal data prevail; X – For the protection of credit, including in relation to the provisions of relevant legislation. § 1 (Revoked). (New wording included by Law No. 13,853 of 2019) § 2 (Revoked). (New wording included by Law No. 13,853 of 2019) § 3 The processing of personal data whose access is public must consider the purpose, good faith, and public interest that justify its availability. § 4 The requirement to obtain consent outlined in the head provision of this Article is waived for in case of data made manifestly public by the data subject, preserving the data subject’s rights and the principles outlined in this Law § 5 Controller that obtain the consent referred to in item I of the head provision of this Article that need to communicate or share personal data with another controller must obtain specific consent from the data subject for this purpose, except in the consent waiver scenarios outlined in this Law. § 6 An eventual waiver of the requirement for consent does not relieve the processing agents from the other obligations outlined in this Law, especially the obligation to comply with the general principles and to guarantee the data subject’s rights. § 7 The subsequent processing of the personal data referred to in § § 3 and 4 of this Article may be carried out for new purposes, provided that the legitimate and specific purposes for the new treatment and the preservation of the rights of the holder are observed, as well as the principles and grounds set forth in this Law. (Included by Law No. 13,853 of 2019)

Art.11: The processing of sensitive personal data may only be performed in the following scenarios: I – When the data subject or their legal guardian consents, in a specific and explicit manner, for specific purposes; II – Without the provision of the data subject’s consent, in scenarios in which it is indispensable for: a) The compliance with legal or regulatory obligation on the part of the controller; b) Shared processing of data deemed necessary for the execution, by the public administration, of public policies outlined in laws and regulations; c) In conducting studies by research organizations, ensuring, whenever possible, the anonymization of the personal data; d) The regular exercise of rights in court, administrative, or arbitration proceedings; considering that arbitration proceedings must follow the provisions of Law 9,307, dated of September 23, 1996 (Arbitration Law); e) The protection of life or the physical safety of the data subject or third party; f) The protection of health, exclusively, in procedures performed by health care professionals, health services or sanitary authorities; or (New wording included by Law No. 13,853 of 2019) g) Ensuring fraud prevention and data subject’s safety, in the identification and authentication process of registration in electronic systems, preserving the rights mentioned in Article 9 of this Law and except in cases where the data subject’s fundamental rights and freedoms require the protection of personal data prevail. § 1 The provisions of this Article apply to any processing of personal data that reveal sensitive personal data and that may cause damage to the data subject, with the exception of the provisions of specific laws. § 2 In cases when letters “a” and “b” of item II of the head provision of this Article are applied by public legal entities and bodies, the aforementioned waiver of consent under the terms of item I of the head provision of Article 23 of this Law will be disclosed. § 3 The communication or shared use of sensitive personal data between controllers with the purpose of obtaining economic advantages may be subject to prohibition or regulation by the National Data Protection Authority, consulting the public authorities’ sectorial bodies, within the scope of their powers. § 4 The communication or shared use of sensitive personal related to health between controllers with the purposes of obtaining economic advantages is prohibited, except when related to the provision of health services, pharmaceutical assistance and health care, provided that § 5 of this Article is observed, including auxiliary services of diagnosis and therapy, to the benefit of the data subjects’ interest, and to allow: (New wording included by Law No. 13,853 of 2019) I – data portability when the data subject requests; or (New wording included by Law No. 13,853 of 2019) II – the financial and administrative transactions resulting from the use and provision of the services referred to in this paragraph. (New wording included by Law No. 13,853 of 2019) § 5 The operators of private health care plans are prohibited from processing health data for the practice of risk selection in the engaging of any modality, as well as in the inclusion or exclusion of beneficiaries. (New wording included by Law No. 13,853 of 2019)

Art.44: The processing of personal data is considered irregular when legislation is not followed or when the security that the data subject can expect is not provided, considering relevant circumstances, including: I – The way the processing was performed; II – The result and the risks that can be reasonably expected from the processing; III – The processing techniques available at the time it was performed. Sole Paragraph. The controller or processor that, when failing to adopt the security measures outlined in Article 46 of this Law, cause damage, will be held responsible for a violation of data security.

CCPA (US, CA)

S.1798.100.b: (b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

S.1798.105.d: (d) A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to: (1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer. (2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity. (3) Debug to identify and repair errors that impair existing intended functionality. (4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law. (5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code. (6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent. (7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business. (8) Comply with a legal obligation. (9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

S.1798.120: (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out. (b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the right to opt out of the sale of their personal information. (c) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information. (d) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”

S.1798.125: (a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by: (A) Denying goods or services to the consumer. (B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. (C) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title. (D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services. (2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data. (b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data. (2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135. (3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time. (4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

APP (Australian Privacy Principles)

APP.3.2: Must not collect personal information unless the information is reasonably necessary for, or directly related to, the entity's functions or activities (APP 3.2)

APP.3.3: Must not collect sensitive information unless consent is given and unless it is reasonably necessary for, or directly related to, the entity's functions or activities...

APP.6.1: Personal information collected for a particular purpose must not be used or disclosed for another purpose unless consent is obtained (APP 6.1)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.2.2: Only personal information necessary for the identified purposes is to be collected (4.2.2)

4.4: Collection of personal information is limited to that which is necessary for the identified purposes (4.4)

DPP (Data Protection Principles) - Hong Kong

DPP.1: Must take all practical steps to inform a number of matters including the purpose of collection, the classes of persons who will have access to the information and rights to access and correct information and the contact information to whom such a request should be made the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data

DPP.3: Personal data must not be used for a new purpose (i.e. not previously identified) unless the consent of the data subject is obtained

Personal Data Protection Act - Singapore

S.13: Unless permitted by law, collection, use and/or disclosure of personal data requires the individual's consent to that collection, use and disclosure (S.13)

S.18: Collection, use and/or disclosure of personal data must be reasonable in the circumstances and the individual must be informed of the purposes for collection, use and disclosure

S.20: Must inform the individual of the purposes for collection, use and/or disclosure of personal data Notification must be done on or before collection.

Personal Information Protection Act - South Korea

A.15: Must inform the individual of specified matters including the purposes for the collection and use of the personal information (A.15)

A.16: Must collect only the minimum personal information necessary for the purposes. Where more personal information than this is collected you must expressly inform the individual so that they can deny consent

A.18: Must not use personal information or disclose it to another entity for purposes other than those consented to/otherwise permitted with additional consent provided by the individual

A.24: A personal information controller shall not process any information prescribed by Presidential Decree that can be used to identify an individual in accordance with statutes. Limitations to Processing Resident Registration Numbers: Must not process the resident registration number of a data subject

A.30: Must have a privacy policy that sets out specified matters including the purposes for which personal information is processed, any disclosures of personal information, rights and obligations of data subjects and how to exercise those rights

Turkish Data Protection Law numbered 6698

A.4.2: Personal data may only be processed; (i) for specific, explicit and legitimate purposes, (ii) being relevant with, limited to and proportionate to the puposes for which they are processed. Data processing must be relevant, limited and proportionate to the purposes for which data is to be processed (A.4.2) Personal data processed must be accurate and if necessary, up to date (A.4.2)

A.5: Personal data cannot be processed without the explicit consent of the data subject unless the one of legitimate purposes exists (A.5.2)

A.6: Unless specifically permitted by law, it is prohibited to process the personal data of "special nature" without explicit consent (A.6.2)