GDPR – How much data can be collected?

Q:  How much data can be collected?
 
A:  Personal data should only be processed where it isn’t reasonably feasible to carry out the processing in another manner. Where possible, it is preferable to use anonymous data. Where personal data is needed, it should be adequate, relevant, and limited to what is necessary for the purpose (‘data minimisation’). It’s your company/organisation's responsibility as controller to assess how much data is needed and ensure that irrelevant data isn’t collected.
 
Example
 
Your company/organisation offers car-sharing services to individuals. For those services it may require the name, address and credit card number of your customers and potentially even information on whether the person has a disability (so health data), but not their racial origin.
 
References
 
Article 5(1)(c) and Recital (39) of the GDPR
 
 
ADDITIONAL INFORMATION:
The above FAQ was included on the European Commission’s website, which can be located here:   
 
