Sec. 7. (a) Personal data processed by a controller for a purpose authorized under this chapter may not be processed for any other purpose unless otherwise allowed under this article. Personal data processed by a controller under this chapter may be processed to the extent that such processing is:

(1) reasonably necessary and proportionate to a purpose authorized under this chapter; and

lawyer at desk

Ask a business law question, get an answer ASAP!
Thousands of highly rated, verified business lawyers.
Click here to chat with a lawyer about your rights.

(2) adequate, relevant, and limited to what is necessary in relation to the specific purpose.

     (b) Personal data collected, used, or retained under section 2 of this chapter:

(1) shall, as applicable, take into account the nature and purpose of the collection, use, or retention; and

(2) must be subject to reasonable administrative, technical, and physical measures to:

(A) protect the confidentiality, integrity, and accessibility of the personal data; and

(B) reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of the personal data.

     (c) If a controller processes personal data pursuant to an exemption under this chapter, the controller bears the burden of demonstrating that such processing:

(1) qualifies for the exemption; and

(2) complies with the requirements set forth in this section.

As added by P.L.94-2023, SEC.1.

  Previous section
Next section  
 Chapter 8 Contents