KSA PDPL – Article 10 – Purpose Limitation and Permissible Exceptions for Data Collection & Processing

Explanation

Article 10 outlines the circumstances in which a Data Controller may collect or process personal data without direct consent or for purposes other than the originally stated ones. While the general rule is to collect personal data directly from the individual and process it only for specific purposes, certain exceptions allow flexibility. These include cases involving public interest, health, security, or legal obligations. Approach ensures compliance while allowing the Controller flexibility when handling personal data, particularly when consent isn’t feasible.

Key Points

• Direct Collection as a General Rule: Personal data should primarily be collected from the individual (Data Subject).
• Exceptions for Alternative Collection or Processing:
  • With Consent: The Data Subject agrees to alternate collection or processing.
  • Publicly Available Data: Data from public sources can be used.
  • Public Entities: Government bodies can collect or process data for public interest, security, or legal reasons.
  • Vital Interests: If not following this rule would harm the individual or impact their well-being.
  • Health and Safety: Necessary collection or processing for public health and safety or individual life protection.
  • Anonymized Data: Data that cannot directly or indirectly identify a person can be processed.
  • Legitimate Interests: Controllers may collect or process data to achieve legitimate goals, provided they do not violate the rights or interests of individuals.

General Activation Steps

• Assess Data Collection Source: Ensure data is collected directly from the individual unless one of the exceptions applies.
• Obtain Consent Where Necessary: If collecting from other sources or for new purposes, secure clear consent unless one of the exceptions allows bypassing this.
• Verify Legitimate Interests: In cases of legitimate interest, confirm that the processing doesn’t infringe on the rights or interests of the Data Subject, and ensure sensitive data isn’t processed.
• Ensure Public Health or Safety Justification: When processing for health or safety, document the necessity.
• Public Entity Actions: For government bodies, confirm that the processing aligns with public interest, legal, or security needs.
• Ensure Anonymization: If using anonymized data, verify that it cannot be traced back to an individual.
• Comply with Regulations: Adhere to additional regulatory procedures set by governing bodies regarding paragraphs (2) to (7).

Use Cases

• Public Health Campaigns: A government agency collects anonymized data from hospitals to monitor disease outbreaks without directly obtaining patient consent.
• Legal or Judicial Requirements: A law enforcement agency collects data from third-party sources for an ongoing investigation without needing direct consent.
• Legitimate Business Interests: A company uses publicly available customer data to tailor marketing campaigns, ensuring no sensitive data is processed and rights are respected.
• Public Safety Operations: Emergency services collect personal data in crisis situations, like natural disasters, to protect citizens’ health and safety.

Dependencies

• Data Subject’s Consent: Direct collection and processing may require clear consent unless falling under the exceptions.
• Public Availability of Data: Data must be verifiably public or from public sources in relevant cases.
• Legal and Regulatory Framework: Exceptions, especially for public entities, must align with legal mandates and judicial requirements.
• Legitimate Interest Balancing: Controllers must ensure the balance between legitimate interests and the data subject’s rights and interests.

Tools & Technologies

• Consent Management Platforms: Tools that track and manage consent from individuals (e.g., OneTrust, TrustArc).
• Data Anonymization Tools: Technologies that anonymize personal data, ensuring it cannot be traced back (e.g., IBM Data Privacy Passports, Oracle Data Masking).
• Public Data Collection Tools: Tools for gathering and processing publicly available information, including web scraping tools.
• Compliance Management Systems: Systems that ensure adherence to legal requirements and automate data processing policies (e.g., SAP GRC, RSA Archer).
• Data Protection Impact Assessment (DPIA) Tools: Helps assess the impact of data processing activities on data subject rights (e.g., DPIA template tools).

---

For Your Further Reading:

• Data Strategy vs. Data Platform Strategy
• KSA PDPL – Initial Framework
• KSA PDPL – Consent Not Mandatory
• KSA PDPL – Article 5, Article 6, Article 7, & Article 8, Article 9
• KSA NDMO – Data Catalog and Metadata
• KSA NDMO – Personal Data Protection – Initial Assessment
• KSA NDMO – Classification Process – Data Classification Metadata
• KSA NDMO – DG Artifacts Control – Data Management Issue Tracking Register
• KSA NDMO – Personal Data Protection – PDP Plan, & PDP Training, Data Breach Notification
• Enterprise Architecture Governance & TOGAF – Components
• Enterprise Architecture & Architecture Framework
• TOGAF – ADM (Architecture Development Method) vs. Enterprise Continuum
• TOGAF – Architecture Content Framework
• TOGAF – ADM Features & Phases
• Data Security Standards
• Data Steward – Stewardship Activities
• Data Modeling – Metrics and Checklist
• How to Measure the Value of Data
• What is Content and Content Management?