At the heart of the General Data Protection Regulation (GDPR), lie six fundamental principles for data controllers to follow when processing personal data. These include:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
All six principles are subject to the overarching (sometimes called a 7th principle – accountability. For this paper we are going to consider the principle of purpose limitation.
Firstly, what is the Purpose Limitation principle?
The purpose limitation requirement has long been known as one of the cornerstones of data protection law. It was legislated for in the 1995 Data Protection Directive. Over thirty years later, it remains protected by Article 5(1)(b) as well as Article 6.4 of the GDPR.
The principle is twofold in its application. Firstly, data can only be collected for specified, explicit and legitimate purposes. Secondly, the data cannot be further processed in a manner that is incompatible with those purposes.
What does this mean for your organisation?
This ultimately requires controllers to be transparent in describing why they are collecting personal data and to only use the data for the described purpose. In practice, data controllers must be clear with individuals from the beginning about why they are collecting data and what they intend to do with it.
There is no blanket ban on the use of information for purposes other than those for which it was collected. If the purpose changes, then the new purpose must be compatible with the original purpose. Additionally, Article 6(4) GDPR allows for personal data to be processed for a purpose other than for which the personal data have been collected where the data subject consents, or the processing is based on “a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society…”.
What is a ‘compatible’ purpose?
Establishing a compatible purpose can be a difficult task. The first step a controller must take is to check whether the purpose fits into the pre-approved compatible purposes under Recital 50 of the GDPR. These include:
- Archiving activities in the public interest
- Scientific and historical purposes
If the new purpose falls outside of this list, then the controller must further examine the use of the data before proceeding. According to Article 6.4 GDPR, these are the factors which a data controller must consider when determining compatibility:
- Any link between the purposes for which the personal data have been collected and the purposes of the intended further processing.
- The context in which the personal data have been collected.
- The nature of the personal data (e.g., whether the data is related to criminal convictions).
- The possible consequences to the individual.
- The existence of appropriate safeguards.
The purpose limitation principle remains extremely important. It is closely linked with the principles of transparency and data minimisation, making it fundamental to building public trust.