PII minimization objectives

The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives ... - Licensed content not shown -

GDPR (EU)

LGPD (BRA)

Art.6: The operations of personal data processing must be performed in good faith and follow these principles:
I – Purpose: Performing the processing for legitimate, specific, and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes;
II – Adequacy: Compatibility of the processing with the purposes that the data subject was informed of, according to the context of the processing;
III – Necessity: Limitation of processing to the minimum necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data in relation to the purposes of processing;
IV – Free Access: Guarantee, to the data subjects, of the ability to easily query free of charge the means and duration of processing, as well as the integrity of their personal data;
V – Data Quality: Guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of data, according to the need and to fulfill the purpose of its processing;
VI – Transparency: Guarantee, to the data subjects, of clear, precise, and easily-accessible information regarding the processing and the respective processing agents, respecting commercial and industrial secrecy;
VII – Security: Use of technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit destruction, loss, change, communication, or dissemination events;
VIII – Prevention: Adoption of measures to prevent the occurrence of damage as a result of the processing of personal data;
IX – Non-Discrimination: Impossibility of processing for illegal or abusive discriminatory purposes;
X – Liability and Accountability: Demonstration, by the processing agent, that effective measures capable of proving the observance of and compliance with personal data protection rules, including the efficacy of these measures, are adopted.
Processing of personal data must be in good faith and, among other requirements, be for the notified purpose(s), necessary and transparent (Art. 6). If testing is not...
Art.7: The processing of personal data may only be performed in the following scenarios:
I – Through the provision of consent by the data subject;
II – For compliance with a legal or regulatory obligation on the part of the controller;
III – By the public administration, for the processing and shared use of data deemed necessary for the execution of public policies outlined in laws and regulations or supported by contracts, agreements, or similar instruments, following the provisions of Chapter IV of this Law;
IV – To perform studies by research organizations, ensuring, whenever possible, the anonymization of the personal data;
V – When necessary for the performance of an agreement or preliminary procedures relating to an agreement to which the data subject is party, at the request of the data subject;
VI – For the regular exercise of rights in court, administrative, or arbitration proceedings, considering that arbitration proceedings must follow the provisions of Law 9,307, dated September 23, 1996 (Arbitration Law);
VII – For the protection of life or the physical safety of the data subject or a third party;
VIII – For the protection of health, exclusively, in procedures performed by health care professionals, health services or sanitary authorities; (New wording included by Law No. 13,853 of 2019)
IX – When necessary to meet the legitimate interests of the controller or a third party, except in cases where the data subject's fundamental rights and freedoms that require the protection of personal data prevail;
X – For the protection of credit, including in relation to the provisions of relevant legislation.
§ 1 (Revoked). (New wording included by Law No. 13,853 of 2019)
§ 2 (Revoked). (New wording included by Law No. 13,853 of 2019)
§ 3 The processing of personal data whose access is public must consider the purpose, good faith, and public interest that justify its availability.
§ 4 The requirement to obtain consent outlined in the head provision of this Article is waived in the case of data made manifestly public by the data subject, preserving the data subject's rights and the principles outlined in this Law.
§ 5 Controllers that obtain the consent referred to in item I of the head provision of this Article and that need to communicate or share personal data with another controller must obtain specific consent from the data subject for this purpose, except in the consent waiver scenarios outlined in this Law.
§ 6 An eventual waiver of the requirement for consent does not relieve the processing agents from the other obligations outlined in this Law, especially the obligation to comply with the general principles and to guarantee the data subject's rights.
§ 7 The subsequent processing of the personal data referred to in §§ 3 and 4 of this Article may be carried out for new purposes, provided that the legitimate and specific purposes for the new processing and the preservation of the rights of the data subject are observed, as well as the principles and grounds set forth in this Law. (Included by Law No. 13,853 of 2019)
Art.10: The controller's legitimate interest may only justify the processing of personal data for legitimate purposes, considered from concrete situations, which include but are not limited to:
I – Support and promotion of the controller's activities; and
II – Protection, in relation to the data subjects, of the regular exercise of their rights or provision of services that benefit them, respecting their legitimate expectations and the fundamental rights and freedoms, under the terms of this Law.
§ 1 When the processing is based on the legitimate interest of the controller, only data strictly necessary for the intended purpose may be processed.
§ 2 The controller must adopt measures to guarantee transparency in the processing of data based on its legitimate interest.
§ 3 The National Data Protection Authority may request from the controller a personal data protection impact report when the processing is based on its legitimate interest, respecting commercial and industrial secrecy.

CCPA (US, CA)

S.1798.110.b.and.c:
(b) A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable request from the consumer.
(c) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130:
(1) The categories of personal information it has collected about that consumer.
(2) The categories of sources from which the personal information is collected.
(3) The business or commercial purpose for collecting or selling personal information.
(4) The categories of third parties with whom the business shares personal information.
(5) The specific pieces of personal information the business has collected about that consumer.
(d) This section does not require a business to do the following:
(1) Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.
(2) Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

DPP (Data Protection Principles) - Hong Kong