Organization’s purposes

The organization should ensure that PII processed on behalf of a customer is not processed for any purpose independent of the documented instructions of the customer. ... - Licensed content not shown -

GDPR (EU)

5.1.a: Article(5)(1)(a): Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');

5.1.b: Article(5)(1)(b): Personal data shall be: (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

28.3.a: Article(28)(3)(a): Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor: (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

29: Article(29): Processing under the authority of the controller or processor: The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

32.4: Article(32)(4): The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

LGPD (BRA)

Art.39: The processor must carry out the processing of the data in accordance with the instructions provided by the controller, which will verify the observance of these instructions and rules on the matter.

CCPA (US, CA)

S.1798.145.h: (h) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.

APP (Australian Privacy Principles)

APP.3.2: Must not collect personal information unless the information is reasonably necessary for, or directly related to, the entity's functions or activities (APP 3.2)

APP.6.1: Personal information collected for a particular purpose must not be used or disclosed for another purpose unless consent is obtained (APP 6.1)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.1.3: Responsible for personal information that has been transferred to third parties for processing (4.1.3)

DPP (Data Protection Principles) - Hong Kong

DPP.1: Must take all practical steps to inform a number of matters including the purpose of collection, the classes of persons who will have access to the information and rights to access and correct information and the contact information to whom such a request should be made the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data

DPP.3: Personal data must not be used for a new purpose (i.e. not previously identified) unless the consent of the data subject is obtained

Personal Data Protection Act - Singapore

S.4.2: Except for Ss.24-25, no obligations apply to a 'data intermediary' in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a written contract

S.4.3: Organisations have the same obligations in respect of personal data processed for them by a 'data intermediary' as if it was processed by them (S.4(3))

Personal Information Protection Act - South Korea

A.19: A recipient of personal information cannot use it or disclose it for any other purpose, except as permitted for by law or where additional consent is provided by the individual

A.26: On outsourcing the processing of personal information to a third party, must satisfy certain formalities in writing and prevent processing for purposes other than the purposes for which the processing was outsourced and ensure technical and managerial safeguards

Turkish Data Protection Law numbered 6698

A.4.2: Personal data may only be processed; (i) for specific, explicit and legitimate purposes, (ii) being relevant with, limited to and proportionate to the puposes for which they are processed. Data processing must be relevant, limited and proportionate to the purposes for which data is to be processed (A.4.2) Personal data processed must be accurate and if necessary, up to date (A.4.2)

A.12.4: The controllers and processors shall not disclose the personal data that they learned to anyone in breach of this Law, neither shall they use such data for purposes other than processing. This obligation shall continue even after the end of their term.