The term “data minimization” generally refers to two requirements within the GDPR: (1) a company should only collect and process personal data that is “necessary” in relation to its purpose, and (2) a company should keep data for “no longer than is necessary for [that] purpose[].”[1] Put differently, a company should only collect what it needs