The organization must maintain a clear and documented procedure for cases where personal data is processed for a purpose other than the one for which it was originally collected. This procedure should ensure that any additional processing remains lawful, necessary, and transparent.

To ensure compliance, the procedure must:

• Clearly define, justify, and document new processing purposes.
• Use tools such as data mapping or necessity assessments to identify which data elements are needed and how they will be securely processed and safeguarded.
• Limit processing to the minimal amount of personal data required to achieve the new purpose.
• Apply appropriate organizational and technical measures to protect the data throughout processing.
• Record all updates or changes in the organization’s processing activity records.
• Inform affected individuals of the new purpose and provide all required details before beginning additional processing.