GDPR Learning Hub

The Data Protection Principle of Purpose Limitation

Article 5(1)(b) of the GDPR


Summary of the GDPR Principle

Principle of Purpose Limitation

A company must always have a predetermined purpose for processing personal data. It is therefore not permitted under the GDPR to process personal data without any purpose. In addition, the principle of purpose limitation states that the purpose in question must be specific and clear. This means that the purpose must not be diffuse, too broad or unclear. Furthermore, a company may not process more personal data than is actually necessary to fulfill the purpose. The company shall also determine the purpose of the processing before conducting the processing. This means that it is not possible to collect a lot of personal data “just because it may be useful to have in the future” and to start determining the purposes of processing the personal data after the collection.


The Principle of Purpose Limitation

Article 5(1)(b) of the GDPR states the principle of purpose limitation. Please note that the company must also comply with the other basic data protection principles, such as the principle of lawfulness, fairness and transparency.


Informing the data subjects of the purpose of the processing

By informing data subjects of the purpose of the processing of their personal data, the company enables them to understand, among other things, the following:

• Why: Why the company processes the personal data.

• Appropriate: Whether the processing is appropriate in relation to its use.

• Rights: Whether the data subject can influence the processing through the rights that data subjects have under the GDPR.

Compatible purposes in accordance with the Principle of Purpose Limitation

In some cases, a company may process personal data for a new purpose in addition to the purpose initially established. However, in such cases the new purpose must be compatible with the original purpose. The company then does not need a separate legal basis from the one used for the original processing. Please note that the company must also always comply with the other rules of the GDPR and other relevant laws in all processing of personal data.

Below are some examples of processing operations that may be compatible with the initial purpose, provided the company complies with the safeguards of the GDPR, namely when the additional processing is carried out for:

• Archiving in the public interest.
• Historical research purposes (the same applies to scientific research purposes).
• Statistical purposes.

Examples of when a new purpose of processing the same personal data is not compatible with the original purpose:

• The change of purpose is too significant.
• The data subject cannot expect the processing.
• The consequences of the processing are not fair to the data subject.

Recital 50 of the GDPR provides more information on compatible purposes.

If the legal basis for the processing of personal data is consent

Consent is a relatively common legal basis for companies to rely on when processing personal data. When the legal basis is consent, in most cases companies need to obtain a new consent in order to process the personal data for other compatible purposes. Please note that if the data subject withdraws consent, the processing must cease.

Technical and organizational security measures to implement

Companies must take appropriate technical and organizational security measures to comply with the GDPR and, above all, to ensure compliance with the principle of data minimization: the collection of personal data is limited to what is directly necessary and relevant to accomplish the stated purpose. This means that a company shall not process more personal data than necessary. The more sensitive the personal data, the stronger the security measures the company needs to take. For example, the company may:

• Encrypt the personal data.
• Pseudonymize the personal data.
• Archive the personal data.

Please note that in some cases companies may anonymize personal data and subsequently use the anonymous data. Anonymous data is no longer personal data, and the GDPR therefore does not cover it.

Determine whether the new purpose of use is compatible with the initial purpose of the processing

Below are a few examples of questions that companies can answer when assessing whether processing the same personal data for another purpose is compatible with the initial purpose:

• Connection: What is the connection between the new and the initial processing?
• Context: In what context has the company collected the personal data?
• Characteristics: What is the nature of the personal data? (For example, whether the processing concerns privacy-sensitive or sensitive personal data.)
• Consequences: What are the consequences of the processing for the data subjects?
• Technical and organizational measures: What technical and organizational security measures does the company take? (For example, encryption of personal data and internal procedures for handling personal data breaches.)

Processing personal data for a new purpose of use

In some cases, companies may process personal data for a new purpose of use. However, the company must comply with the following:

• The company must have obtained the consent of the data subject or demonstrate that the GDPR or other relevant legislation allows processing for the new purpose.

In addition to the above requirement, the company must also inform the data subjects about the processing. The information must be provided before the company starts the processing. For example, data subjects should be informed about their rights and the new purpose of use. However, in certain cases there may be exceptions to the obligation to provide information.

Other data protection principles

The Basic Data Protection Principle of Data Minimization

When a company processes personal data, it must ensure that the personal data is accurate, relevant and limited. In other words, companies may not process more personal data than necessary for the purpose they have specified to the data subjects. First, the company must analyze the purpose of the processing. It can then determine whether the personal data is necessary to achieve that purpose. The principle of data minimization means that the amount of personal data that companies process should be minimized, and thus limited to what is necessary. A company may not process unnecessary personal data that is not needed to achieve the stated purpose of the processing.
