The organization must maintain a clear and documented procedure for cases where personal data is processed for a purpose other than the one for which it was originally collected. This procedure should ensure that any additional processing remains lawful, necessary, and transparent.

To ensure compliance, the procedure must:

• Clearly define, justify, and document new processing purposes.
• Use tools such as data mapping or necessity assessments to identify which data elements are needed and how they will be securely processed and safeguarded.
• Limit processing to the minimal amount of personal data required to achieve the new purpose.
• Apply appropriate organizational and technical measures to protect the data throughout processing.
• Record all updates or changes in the organization’s processing activity records.
• Inform affected individuals of the new purpose and provide all required details before beginning additional processing.

The organization must maintain a structured procedure for responding to data disclosure requests from public authorities. The process should ensure that:

• Each request is verified to be lawful, necessary, and properly authorized
• All details of the request and the organization’s response are clearly documented
• Only the specific types of personal data relevant to the request are accurately identified and disclosed
• Disclosures made for reasons such as public security, legal compliance, or the protection of health and safety follow the same verification and accountability standards

Käsitellessään henkilötietoja yleisen edun mukaisen tarkoituksen saavuttamiseksi, joka poikkeaa alkuperäisestä keruutarkoituksesta, organisaation on varmistettava, että käsittely on tarpeellista, selkeästi määriteltyä ja sen oikeudellisen valtuutuksen mukaista. Henkilötietoja olisi kerättävä ja käsiteltävä vain vähimmäismäärä, ja asianmukaista hallinnollista ja teknistä valvontaa olisi toteutettava haittojen estämiseksi ja henkilöstön vaatimustenmukaisuuden varmistamiseksi. Kaikki asiaan liittyvät käsittely- ja luovutustoimenpiteet on dokumentoitava ja kirjattava organisaation tietojenkäsittelyrekistereihin.