(1) Personal data processed by a controller under sections 87-1126 to 87-1129 may not be processed for any purpose other than a purpose listed in sections 87-1126 to 87-1129 unless otherwise allowed by the Data Privacy Act. Personal data processed by a controller under sections 87-1126 to 87-1129 may be processed to the extent that the processing of the data is:

(a) Reasonably necessary and proportionate to the purposes listed in sections 87-1126 to 87-1129; and

(b) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in sections 87-1126 to 87-1129.

(2) Personal data collected, used, or retained under subsection (1) of section 87-1127 shall, where applicable, take into account the nature and purpose of such collection, use, or retention. The personal data described by this subsection is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.

(3) A controller that processes personal data under an exemption in sections 87-1126 to 87-1129 bears the burden of demonstrating that the processing of the personal data qualifies for the exemption and complies with the requirements of subsections (1) and (2) of this section.

(4) The processing of personal data by an entity for the purposes described by section 87-1126 does not solely make the entity a controller with respect to the processing of the data.