Limit processing

The organization should limit the processing of PII to that which is adequate, relevant and necessary for the identified purposes. ... - Licensed content not shown -

GDPR (EU)

25.2: Article(25)(2): The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

LGPD (BRA)

Art.6: The operations of personal data processing must be performed in good faith and follow these principles: I – Purpose: Performing the processing for legitimate, specific, and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes; II – Adequacy: Compatibility of the processing with the purposes that the data subject was informed of, according to the context of the processing; III – Necessity: Limitation of processing to the minimum necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data in relation to the purposes of processing; IV – Free Access: Guarantee, to the data subjects, of the ability to easily query free of charge the means and duration of processing, as well as the integrity of their personal data; V – Data Quality: Guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of data, according to the need and to fulfill the purpose of its processing; VI – Transparency: Guarantee, to the data subjects, of clear, precise, and easily-accessible information regarding the processing and the respective processing agents, respecting commercial and industrial secrecy; VII – Security: Use of technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit destruction, loss, change, communication, or dissemination events; VIII – Prevention: Adoption of measures to prevent the occurrence of damage as result of the processing of personal data; IX – Non-Discrimination: Impossibility of processing for illegal or abusive discriminatory purposes; X – Liability and Accountability: Demonstration, by the processing agent, that effective measures capable of proving the observance and compliance with personal data protection rules, including the efficacy of these measures, is adopted. Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6) If testing is not...

Art.10: The controller’s legitimate interest may only justify the processing of personal data for legitimate purposes, considered from concrete situations, which include but are not limited to: I – Support and promotion of the controller’s activities; and II – Protection, in relation to the data subjects, of the regular exercise of their rights or provision of services that benefit them, respecting their legitimate expectations and the fundamental rights and freedoms, under the terms of this Law. § 1 When the processing is based on the legitimate interest of the controller, only data strictly necessary for the intended purpose may be processed. § 2 The controller must adopt measures to guarantee transparency in the processing of data based on its legitimate interest. § 3 The National Data Protection Authority may request from the controller a personal data protection impact report, when the processing is based on its legitimate interest, respecting commercial and industrial secrecy

CCPA (US, CA)

S.1798.100.b: (b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

APP (Australian Privacy Principles)

APP.4: Must determine if the unsolicited personal information could have been solicited and, if not, delete or de-identify it (APP 4)

APP.6.1: Personal information collected for a particular purpose must not be used or disclosed for another purpose unless consent is obtained (APP 6.1)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.2.4: Unless required by law, any use of personal information for a new purpose (i.e. not previously identified) must be consented to by the individual (4.2.4) If...

DPP (Data Protection Principles) - Hong Kong

DPP.1: Must take all practical steps to inform a number of matters including the purpose of collection, the classes of persons who will have access to the information and rights to access and correct information and the contact information to whom such a request should be made the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data

Personal Data Protection Act - Singapore

S.18: Collection, use and/or disclosure of personal data must be reasonable in the circumstances and the individual must be informed of the purposes for collection, use and disclosure

S.20: Must inform the individual of the purposes for collection, use and/or disclosure of personal data Notification must be done on or before collection.

Personal Information Protection Act - South Korea

A.16: Must collect only the minimum personal information necessary for the purposes. Where more personal information than this is collected you must expressly inform the individual so that they can deny consent

A.23: Must not process sensitive information except where individual consents to processing or where the law permits it (A.23)

Turkish Data Protection Law numbered 6698

A.4.2: Personal data may only be processed; (i) for specific, explicit and legitimate purposes, (ii) being relevant with, limited to and proportionate to the puposes for which they are processed. Data processing must be relevant, limited and proportionate to the purposes for which data is to be processed (A.4.2) Personal data processed must be accurate and if necessary, up to date (A.4.2)

A.12.4: The controllers and processors shall not disclose the personal data that they learned to anyone in breach of this Law, neither shall they use such data for purposes other than processing. This obligation shall continue even after the end of their term.