The type and amount of personal data you may process depends on the reason you’re processing it (legal reason used) and what you want to do with it. You must respect several key rules, including
- personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing (‘lawfulness, fairness and transparency’).
- you must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You can’t simply collect personal data for undefined purposes (‘purpose limitation’).
- you must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’).
- you must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it’s processed, and correct it if not (‘accuracy’).
- you can’t further use the personal data for other purposes that aren’t compatible with the original purpose of collection.
- you must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’).
- you must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).
You run a travel agency. When you obtain your clients’ personal data, you should explain in clear and plain language why you need the data, how you’ll be using it, and how long you intend to keep it. The processing should be tailored in a way that respects the key data protection principles.
- Article 5(1); Recital 39
- Article 29 Working Party Opinion 03/2013 on purpose limitation (WP 203)