What you need to know.
Personal data may only be collected for specified, explicit and legitimate purposes. This means that the purposes for which you process personal data must be clearly defined and must be lawful in the broadest sense (an illegitimate purpose would be, for example, the racial profiling of customers).
The collection of data must be limited to what is necessary for its purpose (data minimisation), and the data may not be kept longer than is necessary for that purpose (storage limitation).
Clearly defining your purposes is also important for other GDPR obligations. For example, every purpose for which you process personal data constitutes a separate processing activity that you must include in your record (see Countdown 05). It also helps you determine the legitimate grounds of your processing activities (see Countdown 03). You will also have to communicate these purposes to the data subjects (see Countdown 06).
In principle, personal data that you have collected for one specific purpose may not be further used for other purposes, unless the new purpose is compatible with the original one.
What you need to do by 25 May 2018.
Clearly define the purposes for which you are processing personal data. These purposes should be actual purposes that are currently being pursued within your company (staff administration, client management, direct marketing, etc.). It is not sufficient that certain data is “nice to have”.
Evaluate whether you are collecting more data than is strictly necessary for these purposes, and define a retention period for each purpose that is in line with it. You should of course ensure that these retention periods are actually enforced within your company, for example by deleting or anonymising the data once the period has expired.
Use these purposes for determining the legitimate grounds for your processing activities. Set them down in your record and ensure that they are communicated to the data subjects involved. You can read how to do this in the following Countdowns.
Please consult our website or contact one of our team members if you have questions or require more information: