PII minimization objectivesves

The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives ... - Licensed content not shown -



Art.6: The operations of personal data processing must be performed in good faith and follow these principles: I – Purpose: Performing the processing for legitimate, specific, and explicit purposes that the data subject is informed of, without the possibility of further processing in a manner that is incompatible with those purposes; II – Adequacy: Compatibility of the processing with the purposes that the data subject was informed of, according to the context of the processing; III – Necessity: Limitation of processing to the minimum necessary for fulfilling its purposes, using pertinent, proportional and non-excessive data in relation to the purposes of processing; IV – Free Access: Guarantee, to the data subjects, of the ability to easily query free of charge the means and duration of processing, as well as the integrity of their personal data; V – Data Quality: Guarantee, to the data subjects, of accuracy, clarity, relevance, and updating of data, according to the need and to fulfill the purpose of its processing; VI – Transparency: Guarantee, to the data subjects, of clear, precise, and easily-accessible information regarding the processing and the respective processing agents, respecting commercial and industrial secrecy; VII – Security: Use of technical and administrative measures suitable to protect personal data from unauthorized access and accidental or illicit destruction, loss, change, communication, or dissemination events; VIII – Prevention: Adoption of measures to prevent the occurrence of damage as result of the processing of personal data; IX – Non-Discrimination: Impossibility of processing for illegal or abusive discriminatory purposes; X – Liability and Accountability: Demonstration, by the processing agent, that effective measures capable of proving the observance and compliance with personal data protection rules, including the efficacy of these measures, is adopted. Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6) If testing is not...
Art.7: The processing of personal data may only be performed in the following scenarios: I – Through the provision of consent by the data subject; II – For the compliance with legal or regulatory obligation on the part of the controller; III – By the public administration, for the processing and shared use of data deemed as necessary for the execution of public policies outlined in laws and regulations or supported by contracts, agreements, or similar instruments, following the provisions of Chapter IV of this Law; IV – To perform studies by research organizations, ensuring, whenever possible, the anonymization of the personal data; V – When necessary for the performance of an agreement or preliminary procedures relating to an agreement to which the data subject is party, at the request of the data subject; VI – For the regular exercise of rights in court, administrative, or arbitration proceedings, considering that arbitration proceedings must follow the provisions of Law 9,307, dated of September 23, 1996 (Arbitration Law); VII – For the protection of life or the physical safety of the data subject or third party; VIII – For the protection of health, exclusively, in procedures performed by health care professionals, health services or sanitary authorities; (New wording included by Law No. 13,853 of 2019) IX – When necessary to meet the legitimate interests of the controller or third party, except in cases where the data subject’s fundamental rights and freedoms that require the protection of personal data prevail; X – For the protection of credit, including in relation to the provisions of relevant legislation. § 1 (Revoked). (New wording included by Law No. 13,853 of 2019) § 2 (Revoked). (New wording included by Law No. 13,853 of 2019) § 3 The processing of personal data whose access is public must consider the purpose, good faith, and public interest that justify its availability. § 4 The requirement to obtain consent outlined in the head provision of this Article is waived for in case of data made manifestly public by the data subject, preserving the data subject’s rights and the principles outlined in this Law § 5 Controller that obtain the consent referred to in item I of the head provision of this Article that need to communicate or share personal data with another controller must obtain specific consent from the data subject for this purpose, except in the consent waiver scenarios outlined in this Law. § 6 An eventual waiver of the requirement for consent does not relieve the processing agents from the other obligations outlined in this Law, especially the obligation to comply with the general principles and to guarantee the data subject’s rights. § 7 The subsequent processing of the personal data referred to in § § 3 and 4 of this Article may be carried out for new purposes, provided that the legitimate and specific purposes for the new treatment and the preservation of the rights of the holder are observed, as well as the principles and grounds set forth in this Law. (Included by Law No. 13,853 of 2019)
Art.10: The controller’s legitimate interest may only justify the processing of personal data for legitimate purposes, considered from concrete situations, which include but are not limited to: I – Support and promotion of the controller’s activities; and II – Protection, in relation to the data subjects, of the regular exercise of their rights or provision of services that benefit them, respecting their legitimate expectations and the fundamental rights and freedoms, under the terms of this Law. § 1 When the processing is based on the legitimate interest of the controller, only data strictly necessary for the intended purpose may be processed. § 2 The controller must adopt measures to guarantee transparency in the processing of data based on its legitimate interest. § 3 The National Data Protection Authority may request from the controller a personal data protection impact report, when the processing is based on its legitimate interest, respecting commercial and industrial secrecy


S.1798.110.b.and.c: (b) A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable request from the consumer. (c) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130: (1) The categories of personal information it has collected about that consumer. (2) The categories of sources from which the personal information is collected. (3) The business or commercial purpose for collecting or selling personal information. (4) The categories of third parties with whom the business shares personal information. (5) The specific pieces of personal information the business has collected about that consumer. (d) This section does not require a business to do the following: (1) Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained. (2) Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

DPP (Data Protection Principles) - Hong Kong