Implementing Regulation of PDPL Article 15 says that when a Controller collects personal data from a source other than the data subject—such as from another company or a public source—they must ensure the processing is necessary, proportionate, lawful, and does not harm the data subject’s rights. Specific obligations apply when using publicly available sources or when the original data source anonymized the data.
Implementing Regulation of PDPL Article 15 (1)
Necessary and Proportionate
Except for what is stated in Paragraph (3) of Article (10) of the Law, when Processing Personal Data collected from sources other than the Data Subject directly, the Controller shall consider the following:
a) Processing shall be necessary and proportionate to the specified purpose.
b) Processing shall not affect the rights and interests of the Data Subject.
Implementing Regulation of PDPL Article 15 (2)
Lawful Public Sources
When Processing Personal Data in accordance with paragraph (2) of Article (10) of the Law, the Controller shall ensure that such data Collection from a publicly available source is lawful.
Implementing Regulation of PDPL Article 15 (3)
Respect Anonymisation Rules
When Processing Personal Data in accordance with paragraph (6) of Article (10) of the Law, the Controller shall consider the provisions of Article (9) of this Regulation regarding Anonymisation.
Explanation of Implementing Regulation of PDPL Article 15
Use only if relevant and justified:
Implementing Regulation of PDPL Article 15 (1) says, when data is collected from others, processing must be aligned to a clear, limited purpose and not excessive.
Publicly available data must be legally used:
Implementing Regulation of PDPL Article 15 (1) says, if data is from public platforms, ensure that the collection and use is not in violation of the law.
Follow anonymisation obligations when required:
Implementing Regulation of PDPL Article 15 (1) says, if data was collected under legal bases requiring anonymisation (e.g. research), those obligations continue.
