IT Glossary
Purpose
The purpose of processing personal data is the specific reason why the data is processed by the controller or processor.
Data should only be collected for specific, explicit and legitimate purposes.
The controller, or joint controllers, shall define in particular the purpose of the processing. A processor may not define the purpose of the processing being outsourced.
Processing of personal data for purposes other than those for which the personal data were originally collected is only permitted if it is compatible with the purposes for which the personal data were originally collected.
In order to establish whether the purposes of further processing are compatible with those for which the personal data were originally collected, the controller must take into account in particular:
- Any connection between these purposes and the purposes of the intended further processing;
- The context in which the personal data were collected, in particular the reasonable expectations of the data subjects, based on their relationship with the controller, as to the further use of the data;
- The nature of personal data;
- Consequences for data subjects of the intended further processing;
- The existence of appropriate safeguards in both the initial processing and the planned further processing.
In any case, the data subject must be informed of the purpose of the processing of his or her personal data, including any further purposes, before the processing is carried out in order to guarantee transparency.
As a matter of principle, once a processing operation achieves the purpose for which the data were originally collected, the data should be deleted since their processing is no longer necessary. Thus, the duration of data retention must not exceed that necessary for the purposes for which they are processed.
The purpose of the processing operation must be taken into account when determining the likelihood and seriousness of the risk to the rights and freedoms of the data subject, in the context of the implementation of technical and organizational security measures for the processing.
It also makes it possible to assess the adequacy, relevance and limitation of the personal data processed.
GDPR
“Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
This requires, among other things, ensuring that the duration of data retention is limited to the strict minimum.
Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means.”
Recital 39 of the GDPR
Point of jurisprudence
The Belgian supervisory authority recalls that “When determining the compatibility of the purpose of further processing of data, account shall be taken of: the relationship between the purposes for which the personal data were collected and the purposes of the envisaged further processing; the context in which the personal data are collected and the relationship between the data subjects and the controller; the nature of the personal data; the consequences of the further processing for the data subject; and the existence of appropriate safeguards”.
Data Protection Authority, November 10, 2021, No. 125/2021
The Bouchara firm assists you in particular in:
- Making your organization GDPR compliant;
- The drafting of data protection policies (privacy policy, computer charter…);
- Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
- Obtaining certifications and adhering to codes of conduct;
- The study of the legal feasibility of the implementation of a new personal data processing;
- The drafting and transmission of your codes of conduct to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
- Training and awareness of your employees.
We are also the external Data Protection Officer of many data processors and subcontractors.