[MI-NPER-3] Minimize/No Personal Data required

* Verdict: There is no Personal Data collected => PASS, otherwise FAIL

* Evidence: Packet capture

#### 5.2.12.4 MI-NPER-3: No Personal Data required for use or payment

#### 5.2.12.4 MI-NPER-3: Minimize Personal Data required for use, service provisioning and payment

The VPN shall not require Personal Data for use of the product, including for payment.

The VPN shall minimize the required Personal Data for use of the product, collecting only the Personal Data strictly necessary for the service provider to process the payment, manage the subscription and fulfill contractual obligations.

* Reference: TR-DMIN

* Objective: Confidentiality

* Objective: Data minimization

* Preparation: Follow the instructions to use the product and start a VPN connection, selecting the options that require the least Personal Data, recording all data entered

* Activities: Examine the data entered looking for Personal Data

* Verdict: If there is any Personal Data in the data entered => FAIL, otherwise => PASS

* Evidence: The record of data entered with a short description of each part accounting for why it is not Personal Data

* Activities: Examine the data entered looking for Personal Data. Review the manufacturer's provided justification for the necessity of this data in relation to providing the service, processing payment or managing the subscription.

* Verdict: If there is any excessive Personal Data recorded or Personal Data recorded without a justified, documented operational reason essential for the delivery of the service or payment processing=> FAIL, otherwise => PASS

* Evidence: The record of data entered with a short description of each part accounting for why it is not Personal Data and the record of personal data entered and for which reason this data is needed.

#### 5.2.12.5 MI-NPER-4: No Personal Data stored on remote data processing systems