(1) Personal data processed by a controller pursuant to ss. 501.716-501.718 may not be processed for any purpose other than those specified in those sections. Personal data processed by a controller pursuant to ss. 501.716-501.718 may be processed to the extent that the processing of the data is:(a) Reasonably necessary and proportionate to the purposes specified in ss. 501.716-501.718; (b) Adequate, relevant, and limited to what is necessary in relation to the purposes specified in ss. 501.716-501.718; and (c) Done to assist another controller, processor, or third party with any of the purposes specified in s. 501.716, s. 501.717, or s. 501.718. (2) A controller or processor that collects, uses, or retains personal data for the purposes specified in s. 501.717(1) must take into account the nature and purpose of such collection, use, or retention. Such personal data is subject to reasonable administrative, technical, and physical measures to protect its confidentiality, integrity, and accessibility and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. (3) A controller or processor shall adopt and implement a retention schedule that prohibits the use or retention of personal data not subject to an exemption by the controller or processor after the satisfaction of the initial purpose for which such information was collected or obtained, after the expiration or termination of the contract pursuant to which the information was collected or obtained, or 2 years after the consumer’s last interaction with the controller or processor. This subsection does not apply to personal data reasonably used or retained to do any of the following:(a) Provide a good or service requested by the consumer, or reasonably anticipate the request of such good or service within the context of a controller’s ongoing business relationship with the consumer.
(b) Debug to identify and repair errors that impair existing intended functionality.
(c) Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the controller or that are compatible with the context in which the consumer provided the information.
(4) A controller or processor that processes personal data pursuant to ss. 501.716-501.718 bears the burden of demonstrating that the processing of the personal data qualifies for the exemption and complies with the requirements of this section.