DSP-12: Limitation of Purpose in Personal Data Processing

Info icon.

Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject.

Implementation Guidance

Implement and maintain processes, procedures, and technical measures to ensure the following:

  1. The data subject is made aware of the nature and purpose of information collection.
  2. The information is relevant and limited to processing requirements.
  3. Processing is performed in a reasonable manner that does not infringe upon the data subject's privacy.
  4. Processing is for a specific, explicitly defined, and lawful purpose related to a function or activity of the responsible party.
  5. Where the controller intends to further process the personal data for an alternative purpose to which the personal data were collected, the data subject should be informed of the purpose and provide consent before additional processing.
  6. Information is stored only as long as required.

Auditing Guidance

  1. Examine whether the organization's policy and procedures related to data privacy address the requirement that data the organization is responsible for is processed lawfully and used only for the purposes stated to data subjects.
  2. Establish whether the organization has documented the roles and responsibilities for this process.
  3. Review the organization's data breaches and confirm that action plans were identified and carried out appropriately. Confirm that all supporting evidence was formally documented.
  4. Review the organization's processes that inform data subjects why the organization requests this data and what it will be used for. Confirm that any organization documentation (including web page content) is subject to formal periodic review for relevance and compliance to legislation and regulation.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.