Hacker News

I also don't understand the downvote.

I need a specific purpose for processing PII, but that doesn't mean that I need a specific purpose for each individual place that PII ends up going. If my web server or database ends up incidentally capturing the data in transit, that's not a violation, any more than it's a violation if I copy the data onto more sheets of paper than are strictly necessary.




You are right and in that case you should also have a process in place to delete the PII from the additional sheets of paper. I'm inclined to keep PII out of logs in the first place but am unsure how to proceed. Either just don't log any data / parameters or implement some kind of whitelist like you would with passwords and other secrets.
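
The allowlist option raised in the comment above, sketched as an added example (not code from the thread): request parameters are logged through a filter that keeps only values under approved keys and redacts everything else by default. The names `SAFE_KEYS`, `scrub` and `ParamAllowlistFilter`, and the convention of passing parameters via `extra={"params": ...}`, are assumptions made for this illustration.

```python
import io
import logging

# Assumed allowlist: parameter names judged safe to log verbatim.
SAFE_KEYS = frozenset({"page", "sort", "lang", "items"})
REDACTED = "[REDACTED]"


def scrub(value, allowed=SAFE_KEYS, _safe=False):
    """Copy value, keeping scalars only when their nearest key is allowlisted."""
    if isinstance(value, dict):
        return {k: scrub(v, allowed, k in allowed) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v, allowed, _safe) for v in value]
    return value if _safe else REDACTED  # deny by default


class ParamAllowlistFilter(logging.Filter):
    """Scrub record.params (passed via extra=) before the handler formats it."""

    def filter(self, record):
        record.params = scrub(getattr(record, "params", {}))
        return True


def demo():
    """Log one constructed request and return the line that was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s params=%(params)s"))
    handler.addFilter(ParamAllowlistFilter())
    log = logging.getLogger("access_demo")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    try:
        # Constructed sample parameters, not real data.
        log.info("GET /search", extra={"params": {
            "page": 2,
            "email": "alice@example.com",
            "items": [{"sku": "A1", "lang": "en"}],
        }})
    finally:
        log.removeHandler(handler)
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The filter only covers the structured `params` field; anything interpolated into the free-text log message bypasses it, so parameters have to be passed through `extra=` rather than formatted into the message.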



