Implementing Regulation of PDPL Article 21 sets specific conditions for public entities when they process personal data for public interest purposes, especially when the data is obtained indirectly or used for a different purpose than originally intended. It emphasizes lawful alignment with the entity’s mandate, minimizing harm, and documenting processing activities to maintain compliance and transparency.
When a Public Entity collects Personal Data not directly from the Data Subject, processes it for a purpose other than the one for which it was initially collected, or requests Disclosure of such data to achieve a public interest, the Public Entity shall comply with the following:
Implementing Regulation of PDPL Article 21 (1)
Clearly Defined Purpose
Ensure that it is necessary to achieve a clearly defined public interest.
Implementing Regulation of PDPL Article 21 (2)
Legal Mandate Link
That the public interest is related to the mandate as specified by law.
Implementing Regulation of PDPL Article 21 (3)
Risk Mitigation Measures
Take suitable measures to limit the damage that may result, including implementing necessary administrative and technical controls to ensure its personnel’s compliance with the provisions of Article 41 of the Law.
Implementing Regulation of PDPL Article 21 (4)
Mandatory Record-Keeping
Record those operations in the records of Personal Data Processing activities.
Implementing Regulation of PDPL Article 21 (5)
Data Minimisation Requirement
Collecting and Processing the minimum necessary Personal Data to achieve the purpose.
Explanation of Implementing Regulation of PDPL Article 21
Must relate to a specific and legitimate public interest:
Implementing Regulation of PDPL Article 21 (1) says that the data processing must be essential for a clearly defined and lawful public interest goal.
Public interest must align with the entity’s lawful role:
Implementing Regulation of PDPL Article 21 (2) says that the purpose must directly relate to the duties legally assigned to the public entity.
Administrative and technical controls must be implemented to limit harm:
Implementing Regulation of PDPL Article 21 (3) says that entities must protect against misuse or harm by applying safeguards and ensuring personnel follow Article 41 obligations.
Operations must be logged in processing activity records:
Implementing Regulation of PDPL Article 21 (4) says that all such data operations must be recorded in compliance logs (i.e., RoPA).
Only collect what is strictly necessary to meet the public interest goal:
Implementing Regulation of PDPL Article 21 (5) says that public entities must follow the principle of collecting and processing the least amount of personal data needed.