Answer
The type and amount of personal data a company/organisation may process depends on the reason for processing it (legal reason used) and the intended use. The company/organisation must respect several key rules, including:
- personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed (‘lawfulness, fairness and transparency’);
- there must be specific purposes for processing the data and the company/organisation must indicate those purposes to individuals when collecting their personal data. A company/organisation can’t simply collect personal data for undefined purposes (‘purpose limitation’);
- the company/organisation must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’);
- the company/organisation must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not (‘accuracy’);
- the company/organisation can’t further use the personal data for other purposes that aren’t compatible with the original purpose;
- the company/organisation must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’);
- the company/organisation must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).
Example
Your company/organisation runs a travel agency. When you obtain your clients’ personal data, you should explain in clear and plain language why you need the data, how you’ll be using it, and how long you intend to keep it. The processing should be tailored in a way that respects the key data protection principles.