Limit collection

The organization should limit the collection of PII to the minimum that is relevant, proportional and necessary for the identified purposes. ... - Licensed content not shown -

GDPR (EU)

5.1.b: Article(5)(1)(b): Personal data shall be: (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

5.1.c: Article(5)(1)(c): Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')

LGPD (BRA)

Art.6: The operations of personal data processing must be performed in good faith and follow these principles: I – Purpose: Performing the processing for legitimate, specific, and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes; II – Adequacy: Compatibility of the processing with the purposes that the data subject was informed of, according to the context of the processing; III – Necessity: Limitation of processing to the minimum necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data in relation to the purposes of processing; IV – Free Access: Guarantee, to the data subjects, of the ability to easily query free of charge the means and duration of processing, as well as the integrity of their personal data; V – Data Quality: Guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of data, according to the need and to fulfill the purpose of its processing; VI – Transparency: Guarantee, to the data subjects, of clear, precise, and easily-accessible information regarding the processing and the respective processing agents, respecting commercial and industrial secrecy; VII – Security: Use of technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit destruction, loss, change, communication, or dissemination events; VIII – Prevention: Adoption of measures to prevent the occurrence of damage as result of the processing of personal data; IX – Non-Discrimination: Impossibility of processing for illegal or abusive discriminatory purposes; X – Liability and Accountability: Demonstration, by the processing agent, that effective measures capable of proving the observance and compliance with personal data protection rules, including the efficacy of these measures, is adopted. Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6) If testing is not...

CCPA (US, CA)

S.1798.100.b: (b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

APP (Australian Privacy Principles)

APP.3.2: Must not collect personal information unless the information is reasonably necessary for, or directly related to, the entity's functions or activities (APP 3.2)

APP.4: Must determine if the unsolicited personal information could have been solicited and, if not, delete or de-identify it (APP 4)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.4: Collection of personal information is limited to that which is necessary for the identified purposes (4.4)

DPP (Data Protection Principles) - Hong Kong

DPP.1: Must take all practical steps to inform a number of matters including the purpose of collection, the classes of persons who will have access to the information and rights to access and correct information and the contact information to whom such a request should be made the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data

Personal Data Protection Act - Singapore

S.18: Collection, use and/or disclosure of personal data must be reasonable in the circumstances and the individual must be informed of the purposes for collection, use and disclosure

S.20: Must inform the individual of the purposes for collection, use and/or disclosure of personal data Notification must be done on or before collection.

Personal Information Protection Act - South Korea

A.16: Must collect only the minimum personal information necessary for the purposes. Where more personal information than this is collected you must expressly inform the individual so that they can deny consent

A.23: Must not process sensitive information except where individual consents to processing or where the law permits it (A.23)

Turkish Data Protection Law numbered 6698

A.4.2: Personal data may only be processed; (i) for specific, explicit and legitimate purposes, (ii) being relevant with, limited to and proportionate to the puposes for which they are processed. Data processing must be relevant, limited and proportionate to the purposes for which data is to be processed (A.4.2) Personal data processed must be accurate and if necessary, up to date (A.4.2)