Overview

  • You must only process personal information further in accordance or compatible with the purpose for which it was collected.
  • You need to take account of the relationship between the purpose of the intended further processing and the purpose for which the information has been collected, the nature of the information and the potential consequences of the intended further processing.
  • You may process personal information further if you have the consent of data subjects, in order to fulfil a contractual obligation or comply with an obligation imposed by law.
  • You may further process personal information when it is necessary to prevent or mitigate a serious and imminent threat to—
    • public health or public safety; or
    • the life or health of the data subject or another individual;
  • You may use historical, statistical or research information when further processing is carried out solely for such purposes and will not be published in an identifiable form;
  • You may further process information when it is in accordance with an exemption granted by the Regulator.

 

Checklist

☐ We know that further processing of personal information is in accordance or compatible with the purpose for which it was collected.

☐ We carefully consider the relationship between the purpose of the intended further processing and the purpose for which the information has been collected.

☐ Where we process personal information with the consent of the data subjects, we maintain records of the valid consent obtained.

☐ We only process personal information for historical, statistical or research purposes if we are able to implement appropriate safeguards.

 

Briefly

When is further processing possible?

A bank has a contract with a client to provide the client with a bank account and a personal loan. At the end of the first year the bank uses the client’s personal information to check whether they are eligible for a better type of loan and a savings scheme. It informs the client. The bank can process the information of the client again as the new purposes are compatible with the initial purposes.

When is further processing not possible?

The same bank wants to share the client’s information with insurance firms, based on the same contract for a bank account and personal loan. That processing isn’t permitted without the explicit consent of the client as the purpose isn’t compatible with the original purpose for which the information was processed.