Purpose limitation

The purpose of processing personal data must be planned and defined clearly before the start of processing. Personal data may only be collected and processed for a specific and lawful purpose. The data may not be processed in a manner inconsistent with the original purpose at a later date.

The purpose of processing the personal data must be specified, documented and communicated to the data subjects. Defining the purpose of processing helps data subjects

  • understand what their data is required for;
  • assess the appropriateness of the purpose; and
  • decide whether they want to influence the processing of their personal data through the exercise of their rights.

The processing of personal data in accordance with the specified purpose is a material part of maintaining the trust between the controller and data subject. Limiting the purposes of processing makes it easier to observe the principles of lawfulness, fairness and transparency.

Compatible purpose of processing

In addition to the specified purposes of processing, it can also be possible to process personal data for purposes considered compatible with the original purposes of processing. The processing must also be lawful from the perspective of other data protection regulations; a compatible purpose does not justify non-compliance with other data protection regulations.

Processing of personal data

  • for the purposes of archiving in the public interest;
  • for scientific or historical research; or
  • for the compilation of statistics

is compatible if the appropriate safeguards specified in the GDPR are adopted.

Such safeguards must include both technical and organisational measures for guaranteeing compliance with the principle of the minimisation of data in particular. Appropriate safeguards include encryption, pseudonymisation or the aggregation of personal data to the level of statistics. The processing of personal data is not permitted if the purposes of processing could be implemented with anonymous data. The principle of minimisation also requires the minimisation of storage time. As a safeguard, the data subjects can also be informed of the compatible purpose and the rights available to them for influencing the processing of their personal data. When charting appropriate safeguards, the controller must follow a risk-based approach. The more sensitive the personal data, the stronger the safeguards required. Read more about risk assessment

In certain other cases, the controller may also evaluate whether the processing of personal data for a new purpose would be compatible with the original purposes of processing. In such cases, the controller is required to take into consideration:

  • any link between the purposes for which the personal data has been collected and the purposes of the intended further processing;
  • the context in which the personal data has been collected, in particular regarding the relationship between the data subjects and the controller;
  • the nature of the personal data, particularly the processing of special categories of personal data;
  • the possible consequences of the intended further processing for the data subjects; and
  • the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the personal data has been collected on the basis of consent, a new consent is usually required for the compatible purposes in order to ensure the lawfulness and fairness of the processing. The information on the processing of personal data must also be updated in order to fulfil the requirement of transparency.

The processing conflicts with the original purpose if

  • the purpose changes significantly;
  • the processing is unexpected for the data subject; or
  • the processing causes unfair consequences to the data subjects.

Such purposes constitute new purposes of processing and require consent unless there is a legal basis for the processing.

New purposes of processing

The processing of personal data for new purposes different from the original purpose is possible if the planned purpose of processing is compliant with data protection regulations and

  • the data subject’s consent for the new purpose of processing is obtained before the start of processing; or
  • there is a clear legal basis for the processing.

 When a controller intends to process personal data for purposes other than the original purpose of processing, it must notify the data subjects of this before starting processing. The controller is required to inform the data subjects of the new purpose of processing, the rights of the data subject and all other relevant information unless there is a legal basis for deviating from the notification obligation.

Read more:
When is the processing of personal data permitted?
Inform data subjects about processing