by lmkg 1252 days ago
GDPR requires a purpose for processing. The majority of other requirements GDPR imposes attach to the purpose, rather than the processing activity.

GDPR gives a lot of leeway in determining a purpose. But if you don't have a purpose, then the processing is unlawful regardless of literally anything else you've done or not done. Not even with valid consent of the data subject (because, guess what, consent attaches to the purpose).

So if you say "we need this data for addressing communications to the data subject," that's a purpose. On the other hand, if sex gets stored in a DB column and never used, that's a violation.

Separately, GDPR has a Data Minimization requirement: you collect data for a purpose, could you achieve that purpose with less data? This one has some flex to it. If the answer is "we could but not as well," then the data has a purpose. Maybe not a great purpose, but it's something.

1 comments

I am not sure why you're explaining GDPR to me.