Purposes

Defining data processing purposes

In order to become GDPR compliant there are some core data protection principles that must be followed.

  • Purpose Specification
  • Storage Limitation
  • Data Minimisation
  • Security
  • Accuracy
  • Transparency

Our privacy configuration is created to help you define your purposes for data processing and be transparent about what you are doing. GDPR requires that the following information be made available to the data subject (the individual the data is about) when personally identifiable information is collected:

  • The identity and the contact details of the controller and the data protection officer
  • The purposes of the processing for which the personal data are intended
  • The legal ground of the processing
  • Where applicable the legitimate interests pursued by the controller or by a third party
  • Where applicable, the recipients or categories of recipients of the personal data
  • Where applicable, that the controller intends to transfer personal data internationally
  • The period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period

If the data has not been obtained directly from the data subject (for example, it came through a third party), the following additional information must be listed:

  • The source from which the personal data originated
  • The existence of any profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

To provide the user with all the information required by GDPR, we let you define your metadata (contact information), your data processing purposes, the data used in the processing and the potential third parties you share a data subject’s personal data with. If you edit your purposes after the user has consented, that may require a new consent, so we also support versioning, where you decide whether the change requires a new consent or not.

There are 4 different legal grounds for personal data processing activities:

  • legal requirement
  • performance of a contract
  • legitimate interests
  • individual’s consent

Processing of personal data must rely on at least one of the above-mentioned legal grounds during the whole information life-cycle – from collection of the data to the final and complete erasure or anonymization.

From a legal point of view, there is no hierarchy between different legal grounds, unless the law explicitly requires consent in a specific case to be used as the legal ground.

However, we’ve established an order of priority between different legal grounds as detailed below:

[Figure: legal grounds]

For example, consent is just one of several legal grounds to process personal data, rather than the main ground. When correctly used, consent is a tool giving the data subject control over the processing of his or her data. If incorrectly used, the data subject’s control becomes illusory and consent constitutes an inappropriate basis for processing.

Mandatory consent is used for all processing activities, where applicable law explicitly requires a consent (e.g. processing of special categories of data).

The "legal requirement" and "performance of contract" legal grounds are used for "core" processing activities (when consent is not mandatory). The "core" processing constitutes the minimum and prerequisite level of processing, both in relation to processing purposes and processed data categories, for enabling e.g. your company to provide its products and services as well as fulfill legal requirements. For processing activities that fall outside the above-mentioned "core" area of processing and do not require the individual’s consent under law, "legitimate interests" can be applicable as the legal ground.

Consent is used as the legal ground for the processing if the processing goes beyond:

  • what is required by law, and
  • what is necessary for fulfilling a contract, and
  • your company’s "legitimate interests"

[Figure: legal grounds 2]

"Core" processing is based on "legal requirements" and "performance of contract"

Create a purpose object

Creates a purpose object

POST /privacy/v2/projects/{project_id}/configurations/purposes

Update a purpose object

Update a specific purpose object. Important: Updating a purpose may invalidate already given permissions by data subjects for that purpose.

PUT /privacy/v2/projects/{project_id}/purposes/{purpose_id}

Delete a purpose object

Delete a purpose object. Important: Deleting a purpose will invalidate already given permissions by data subjects for that purpose.

DELETE /privacy/v2/projects/{project_id}/purposes/{purpose_id}

Get a purpose object

Return a specific purpose object

GET /privacy/v2/projects/{project_id}/purposes/{purpose_id}

Get a list of purpose objects

Returns an object that contains a list of purposes. Each item has the same format as you get from GET /privacy/v2/purposes/{purpose_id}

GET /privacy/v2/projects/{project_id}/purposes/

Schema

This section specifies the purpose schema

Parameters

| Field | Type | Description | Comments |
|---|---|---|---|
| projectId | string | The ID of the project | |
| purposeId | string | The purpose ID generated by us | |
| referenceId | string | The internal identifier your service has for this purpose. | |
| legalGround | enum | The legal ground that this purpose belongs to: LR: legal requirement; POC: performance of a contract; LI: legitimate interests; IC: individual’s consent | |
| objectionType | enum | The type of objection associated with this purpose: auto_accepted, auto_rejected, evaluate, not_applicable | The purpose of this is to facilitate both front-end and back-end systems in handling purposes that can be objected to and how those objections will be processed |
| title | Array | An array of translations objects containing the title to be used to name this purpose | Displayed to the data subject in end-user portal interactions and dialogues. |
| description | Array | An array of translations objects containing the understandable description to be used to describe this purpose | Displayed to the data subject in end-user portal interactions and dialogues. |
| category | string | The GDPR defined purpose category this purpose belongs to | Used for machine readable processing of purposes |
| onLogin | boolean | Boolean flag stating if this purpose and its related data objects are shown during login through our IDP or not. | |
| version | string | The version of this purpose. See how versioning is handled here | |
| dataGroups | Array | An array of dataGroup object IDs for the dataGroup objects belonging to this purpose | |
| retention | Array | An array of translations objects containing the retention period applied to the personal data collected and processed for this purpose | Displayed to the data subject in end-user portal interactions and dialogues. |
| dataSharing | Array | An array of translations objects explaining what kind of data sharing is done by the data controller for this specific purpose | Displayed to the data subject in end-user portal interactions and dialogues. |
| controllers | Array | An array of JSON objects containing the parties that are controllers of personal data related to this processing purpose and a description of each party’s role in relationship to this purpose | See own schema for this section below |
| processors | Array | An array of JSON objects containing the parties that are processors of personal data related to this processing purpose and a description of each party’s role in relationship to this purpose | See own schema for this section below |
| recipients | Array | An array of JSON objects containing the parties that are recipients of personal data related to this processing purpose and a description of each party’s role in relationship to this purpose | See own schema for this section below |
| created | timestamp | The time this party was created | |
| updated | timestamp | The time this party was last updated | |

This section specifies the controllers, processors and recipients section of the schema

| Field | Type | Description | Comments |
|---|---|---|---|
| partyId | string | The internal ID for this party | |
| description | Array | An array of translations objects containing translations of the description to be used to describe this party’s role in regards to this purpose | Displayed to the data subject in end-user portal interactions and dialogues |

Response
{
  "purposeId": "9d5df04e-3e7c-46a5-9440-8114206dcb52",
  "projectId": "7fba66c8-9a67-4a06-8d70-7e5dffe9109d",
  "referenceId": "anIdentifier",
  "title": [
    {
      "language": "en-US",
      "text": "The title of the item"
    }
  ],
  "description": [
    {
      "language": "en-US",
      "text": "The description of the item"
    }
  ],
  "retention": [
    {
      "language": "en-US",
      "text": "The retention policy of the item"
    }
  ],
  "dataSharing": [
    {
      "language": "en-US",
      "text": "The description of the data sharing items."
    }
  ],
  "version": "1.0.0",
  "legalGround": "ic",
  "objectionType": "evaluate",
  "category": [
    "improvePerformance"
  ],
  "onLogin": true,
  "dataGroups": [
    {
      "dataGroupId": "4056dfca-a4bf-4829-a13f-7cf30ddb6a68"
    }
  ],
  "controllers": [
    {
      "description": [
        {
          "language": "en-US",
          "text": "The description of the item"
        }
      ],
      "partyId": "3a8c23ab-d171-404f-9fd7-b13f1283f646"
    }
  ],
  "processors": [
    {
      "description": [
        {
          "language": "en-US",
          "text": "The description of the item"
        }
      ],
      "partyId": "3a8c23ab-d171-404f-9fd7-b13f1283f646"
    }
  ],
  "recipients": [
    {
      "description": [
        {
          "language": "en-US",
          "text": "The description of the item"
        }
      ],
      "partyId": "3a8c23ab-d171-404f-9fd7-b13f1283f646"
    }
  ],
  "created": "1969-07-16T09:32:50.052Z",
  "updated": "1969-07-16T09:32:50.052Z"
}
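
A pre-flight check a client could run before sending a purpose to the POST or PUT endpoint, as an added example that is not part of this API or its documentation: it validates the payload against the enums and translation arrays in the schema above, and lists which data-subject-facing fields differ from the stored version so you can decide whether the update needs a new consent. The function names, the `SAMPLE` payload and the choice of fields in `CONSENT_FIELDS` are assumptions.

```python
# Added example: client-side pre-flight check for a purpose object.
# Enum values and field names come from the schema on this page.
LEGAL_GROUNDS = {"LR", "POC", "LI", "IC"}
OBJECTION_TYPES = {"auto_accepted", "auto_rejected", "evaluate", "not_applicable"}
TRANSLATED = ("title", "description", "retention", "dataSharing")
PARTY_LISTS = ("controllers", "processors", "recipients")
# Assumption: a change to any of these alters what the data subject agreed to.
CONSENT_FIELDS = TRANSLATED + PARTY_LISTS + ("legalGround", "dataGroups")

SAMPLE = {  # constructed sample, shaped like the response on this page
    "legalGround": "ic", "objectionType": "evaluate",
    "title": [{"language": "en-US", "text": "Improve performance"}],
    "description": [{"language": "en-US", "text": "Usage statistics"}],
    "retention": [{"language": "en-US", "text": "12 months"}],
    "dataSharing": [{"language": "en-US", "text": "No sharing"}],
    "dataGroups": [{"dataGroupId": "constructed-group-1"}],
    "controllers": [{"partyId": "constructed-party-1",
                     "description": [{"language": "en-US", "text": "Controller"}]}],
}

def _bad_translations(value):
    """True unless value is a non-empty list of {language, text} objects."""
    return not (isinstance(value, list) and value and all(
        isinstance(t, dict) and t.get("language") and t.get("text")
        for t in value))

def validate_purpose(p):
    """Return a list of problems found in a purpose payload (empty means ok)."""
    errors = []
    # The schema lists the enum in upper case but the sample response uses
    # "ic", so the comparison is case-insensitive.
    if str(p.get("legalGround", "")).upper() not in LEGAL_GROUNDS:
        errors.append("legalGround: unknown value")
    if p.get("objectionType") not in OBJECTION_TYPES:
        errors.append("objectionType: unknown value")
    for field in TRANSLATED:
        if _bad_translations(p.get(field)):
            errors.append(f"{field}: needs language/text entries")
    for field in PARTY_LISTS:
        for party in p.get(field, []):
            if not party.get("partyId") or _bad_translations(party.get("description")):
                errors.append(f"{field}: party needs partyId and description")
    return errors

def consent_relevant_changes(stored, proposed):
    """Names of consent-facing fields that differ between two versions."""
    return [f for f in CONSENT_FIELDS if stored.get(f) != proposed.get(f)]
```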