The section “Second: What Constitutes ‘Minimum’ Personal Data?” of the Minimum Personal Data Determination Guideline clarifies how organizations should determine what qualifies as the “minimum necessary” personal data. Although the PDPL doesn’t specify a precise methodology, it establishes clear legal and regulatory boundaries. Controllers must limit the personal data they collect strictly to their stated purpose, avoid unnecessary or excessive data, and build their systems to regularly review and eliminate non-essential data.
Tie every data point to a lawful purpose and design systems to prevent over-collection or data creep.
Second: What Constitutes “Minimum” Personal Data
Legal Foundation:
Purpose Connection:
Relevance-Only Rule:
3. Controllers must ensure that their data processing activities are designed to prevent the collection of any unnecessary Personal Data in relation to the specific purposes for which the Personal Data was collected. When designing data processing activities, Controllers must adopt appropriate data management software tools, including those that perform automated periodic reviews to ensure that data remains accurate and up-to-date and that any unnecessary data is destroyed.
Examples of Data Minimization:
The following examples serve as guidance for Controllers in assessing their compliance with the Personal Data Minimization Principle:
Excessive Health Data:
1. A recruitment agency distributed details for several open positions that require applicants to provide some data, including health information. It is important to note that this company does not need to collect this type of data except for a limited number of jobs. In this example, the collection of health information is deemed unnecessary, as the recruitment agency does not require such data for all job openings. Moreover, collecting Personal Data based on unsubstantiated or uncertain future needs or contingencies must be avoided.
Justified Risk-Based Use:
2. The safety procedures in certain organizations mandate that employers collect the blood types of employees engaged in fieldwork that poses potential risks. This data is crucial for prompt and effective medical intervention in the event of an accident. While it is highly unlikely that this data will be utilized during the employees’ tenure, its collection and storage are deemed necessary to minimize the impact of accidents.
In this example, collecting blood type data for employees involved in hazardous fieldwork is deemed necessary and directly linked to the purpose for which it is collected. Therefore, it does not contravene the principle of Data Minimization. However, if blood type data were collected for all employees within the organization, regardless of their role (field, office, or non-risk), such data collection would be deemed inappropriate due to the absence of a compelling necessity.
Explanation of Second: What Constitutes “Minimum” Personal Data
Basis from Article 11 of the Law:
The Guideline says that the law mandates that personal data be appropriate, relevant, and limited to what’s strictly needed.
Clear link to processing purpose:
The Guideline also says that there must be an explicit link between each data point and the predefined reason for collecting it.
No unrelated or excessive data:
The Guideline also says that data not directly relevant to the purpose must not be collected.
Design systems to block excess:
The Guideline also says that data systems must be configured to avoid over-collection right from the start.
Use tools to keep data clean:
The Guideline also says that controllers should adopt tools that regularly check for outdated or irrelevant data and trigger secure deletion.
Keep data updated and purposeful:
The Guideline also says that data management tools should maintain accuracy to support compliance and purpose limitation.
Example 1: Unnecessary collection:
The Guideline also gives the example of a recruitment agency that gathers health data for all applicants, though only some roles require it. This over-collection breaches the minimization principle.
Avoid speculative data collection:
The Guideline also says that collecting personal data just in case it may be needed later, without clear necessity, is not allowed.
Example 2: Safety-related necessity:
The Guideline says that collecting blood type for field staff exposed to hazards is appropriate, as it is directly linked to emergency care purposes.
Don't generalize risky role logic:
The Guideline also says that collecting blood type from all employees, even those in safe office jobs, is unjustified and breaches the minimization principle.