REQ.189 Specify the purpose of data collection
The system must specify the purpose of the personal data collection (OECD.9, ISACA.G31.3.).
Applications usually request or collect personal data from their users. Such collection must be properly justified according to the legal requirements of each nation. These reasons must be accessible for the user in a clear manner and in an easy to understand language.
GDPR. Recital 39: Principles of data processing. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.
GDPR. Recital 40: Lawfulness of data processing. In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis.
GDPR. Recital 45: Fulfillment of legal obligations. Where processing is carried out in accordance with a legal obligation to which the controller is subject, the processing should have a basis in Union or Member State law.
GDPR. Art. 13: Information to be provided where personal data are collected from the data subject.(1-3). Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information.
GDPR. Art. 13: Information to be provided where personal data have not been obtained from the data subject.(1-4). Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information.
GDPR. Art. 30: Records of processing activities. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.