For what purposes do you collect and process personal information? How do you ensure these are the only purposes for which you collect and process personal information? Is it sufficient? If required to demonstrate compliance, how would you do it?
