PII minimization objectivesves
The organization should define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives
...
- Licensed content not shown - LGPD (BRA)
Art.6: The operations of personal data processing
must be performed in good faith and follow these
principles:
I – Purpose: Performing the processing for legitimate,
specific, and explicit purposes that the data subject
is informed of, without the possibility of further
processing in a manner that is incompatible with
those purposes;
II – Adequacy: Compatibility of the processing with
the purposes that the data subject was informed of,
according to the context of the processing;
III – Necessity: Limitation of processing to the
minimum necessary for fulfilling its purposes, using
pertinent, proportional and non-excessive data in
relation to the purposes of processing;
IV – Free Access: Guarantee, to the data subjects, of
the ability to easily query free of charge the means
and duration of processing, as well as the integrity
of their personal data;
V – Data Quality: Guarantee, to the data subjects,
of accuracy, clarity, relevance, and updating of data,
according to the need and to fulfill the purpose of its
processing;
VI – Transparency: Guarantee, to the data subjects,
of clear, precise, and easily-accessible information
regarding the processing and the respective
processing agents, respecting commercial and
industrial secrecy;
VII – Security: Use of technical and administrative measures suitable to protect personal data from
unauthorized access and accidental or illicit
destruction, loss, change, communication, or
dissemination events;
VIII – Prevention: Adoption of measures to prevent
the occurrence of damage as result of the
processing of personal data;
IX – Non-Discrimination: Impossibility of processing
for illegal or abusive discriminatory purposes;
X – Liability and Accountability: Demonstration,
by the processing agent, that effective measures
capable of proving the observance and compliance
with personal data protection rules, including the
efficacy of these measures, is adopted.
Processing of personal data activities must be in good faith and, among others, be for notified purpose(s), necessary and transparent (Art 6)
If testing is not... Art.7: The processing of personal data may only be
performed in the following scenarios:
I – Through the provision of consent by the data
subject;
II – For the compliance with legal or regulatory
obligation on the part of the controller;
III – By the public administration, for the processing
and shared use of data deemed as necessary for
the execution of public policies outlined in laws and
regulations or supported by contracts, agreements,
or similar instruments, following the provisions of
Chapter IV of this Law;
IV – To perform studies by research organizations,
ensuring, whenever possible, the anonymization of
the personal data;
V – When necessary for the performance of an
agreement or preliminary procedures relating to an
agreement to which the data subject is party, at the
request of the data subject;
VI – For the regular exercise of rights in court,
administrative, or arbitration proceedings,
considering that arbitration proceedings must follow
the provisions of Law 9,307, dated of September 23,
1996 (Arbitration Law); VII – For the protection of life or the physical safety
of the data subject or third party;
VIII – For the protection of health, exclusively, in
procedures performed by health care professionals,
health services or sanitary authorities; (New wording
included by Law No. 13,853 of 2019)
IX – When necessary to meet the legitimate
interests of the controller or third party, except
in cases where the data subject’s fundamental
rights and freedoms that require the protection of
personal data prevail;
X – For the protection of credit, including in relation
to the provisions of relevant
legislation.
§ 1 (Revoked). (New wording included by Law No.
13,853 of 2019)
§ 2 (Revoked). (New wording included by Law No.
13,853 of 2019)
§ 3 The processing of personal data whose access
is public must consider the purpose, good faith, and
public interest that justify its availability.
§ 4 The requirement to obtain consent outlined in
the head provision of this Article is waived for in case
of data made manifestly public by the data subject,
preserving the data subject’s rights and the principles
outlined in this Law § 5 Controller that obtain the consent referred to in
item I of the head provision of this Article that need
to communicate or share personal data with another
controller must obtain specific consent from the data
subject for this purpose, except in the consent waiver
scenarios outlined in this Law.
§ 6 An eventual waiver of the requirement for consent
does not relieve the processing agents from the
other obligations outlined in this Law, especially the
obligation to comply with the general principles and to
guarantee the data subject’s rights.
§ 7 The subsequent processing of the personal data
referred to in § § 3 and 4 of this Article may be carried
out for new purposes, provided that the legitimate
and specific purposes for the new treatment and the
preservation of the rights of the holder are observed,
as well as the principles and grounds set forth in this
Law. (Included by Law No. 13,853 of 2019) APP (Australian Privacy Principles)
PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada
DPP (Data Protection Principles) - Hong Kong
Personal Data Protection Act - Singapore
Personal Information Protection Act - South Korea
Turkish Data Protection Law numbered 6698