On Further Processing of a Secondary Purpose
From IAPP:
Processing for secondary purposes under GDPR:
If the purpose of the processing changes the Controller would need to evaluate and document whether the new purpose is compatible, taking into account:
(a) any link between the original purpose and the intended future processing
(b) the context in which the Personal Data was collected; specifically, the relationship between the Controller and the individual
© the nature of the Personal Data
(d) the possible consequences of the change of purpose on individuals
(e) the existence of appropriate safeguards, e.g. encryption or pseudonymisation
Section 19(E) of the Implementing Rules and Regulations to the Data Privacy Act states:
Any authorized further processing shall have adequate safeguards.
Personal data originally collected for a declared, specified, or legitimate purpose may be processed further for historical, statistical, or scientific purposes, and, in cases laid down in law, may be stored for longer periods, subject to implementation of the appropriate organizational, physical, and technical security measures required by the Act in order to safeguard the rights and freedoms of the data subject.
Personal data which is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose.
Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.
Section 6(B) on the NPC Circular on Consent states:
The processing of personal data for purposes other than those for which the personal data were initially collected may be allowed.
Consent for processing of personal data for other purposes shall not be required when (i) the further processing is within the data subject’s reasonable expectation on the purpose, scope, manner, and extent of the processing of personal data; and (ii) the purpose of further processing is compatible with the original purpose for which the personal data were initially collected and communicated to the data subject.
In assessing the compatibility of the purpose of the further processing with the original purpose, a clear and reasonable link between the further processing with the original purpose should be established. In addition, the impact of the further processing to the data subject should be considered.