#5 – The principle of purpose limitation
Today we are looking into another principle of the regulation, one that has been of fundamental importance to European data protection since its inception. Of course, this post is about purpose limitation.
The principle of purpose limitation entails two requirements for controllers: First, every processing activity must always have a specified, explicit and legitimate purpose. Second, if personal data is processed for a new purpose that is different from the original one, you will need to assess the compatibility of the two. Today I will elaborate on these concepts using the old Article 29 Working Party’s opinion on purpose limitation.
Determining a purpose is a prerequisite for other data protection rules. The aim is to protect the data subjects by making processing more transparent and increasing legal certainty. By extension, it prevents data subjects' personal data from being used in ways that they find inappropriate or do not expect. In fact, the function of a purpose is multi-faceted, e.g. it helps determine storage times, the appropriate security measures, and whether personal data is collected unnecessarily. So getting it right is essential for complying with the whole of the GDPR.
Every purpose must be sufficiently defined to enable the implementation of any necessary data protection safeguards and to delimit the scope of the processing operation. It must also be sufficiently, unambiguously, and clearly expressed. Generally, it is held that purposes that are too vague are not detailed enough to determine which kinds of processing they cover. Here are examples of vague purposes: improving X; marketing; IT security. These purposes should be elaborated on so that they describe the processing in a more specific and detailed way.
However, you should consider that an overly detailed description is not necessarily helpful. It could be overwhelming for the data subjects, creating information fatigue. Finding a sweet spot (the Swedish word lagom comes to mind) can be difficult, but it is great for the data subjects and for meeting the other GDPR requirements.
The specified purpose must be legitimate. That means that any purpose must have a legal ground and comply with the data protection principles and principles of law. Legitimacy also includes all forms of written and common law, primary and secondary legislation, municipal decrees, judicial precedents, constitutional principles, fundamental freedoms and rights, other legal principles, and jurisprudence.
It is okay to keep and use the same personal data for more than one purpose. In most cases, it is even considered better to use several closely related purposes rather than one overly broad, unspecified purpose that you think covers all the processing.
Needless to say at this point in the GDPR requirements series, proper documentation is needed. This is reflected in the requirement that the purpose must be explicit. The purpose of choice can be registered for each processing activity and data subject category in DPOrganizer’s tool, and our Professional Services team can help you define your specified purposes. The requirement of explicit purposes also entails that the purpose should give the necessary information to ensure that everyone concerned has an identical, unambiguous understanding of the purpose.
This brings us to the second requirement of the day. Once you have decided on a purpose for a processing activity, there is a rule governing whether you can change it. Any subsequent processing after a purpose change is called secondary or further processing. The rule is that the personal data must not be further processed in a manner that is incompatible with the initial purposes. A change in purpose, therefore, requires an assessment of the compatibility between the old and new purposes and processing. An alternative to the assessment is that you either get a new specific consent from the data subject for the new purpose or have a clear basis in law, but that will not work in a lot of cases.
The assessment of whether the new purpose is compatible with the original purpose can fall into three categories: obvious compatibility, non-obvious compatibility, or obvious incompatibility. You should continue with a thorough assessment if further processing falls under non-obvious compatibility. Every compatibility assessment should at least take the following into account:
- The link between the initial purpose and the new purpose
- The context in which you collected the data – in particular, your relationship with the data subject and what they would reasonably expect
- The nature of the personal data – e.g., special category data or criminal offence data
- The possible impact and consequences of the new processing for individuals
- Whether there are appropriate safeguards in place – e.g., encryption or pseudonymity
The GDPR provides that archiving purposes in the public interest, scientific or historical research purposes, and statistical purposes are considered compatible.
It is important to remember that it is strictly prohibited to process personal data for a purpose other than the initial one used for the collection of that personal data. That is unless a secondary purpose is compatible. In addition, it is also important to remember that the use of consent as a legal basis is affected by a change in purpose. Any consent can deteriorate over time to a stage where it is no longer valid. That is especially the case if there is a change in purpose, since the data subject has consented to a specified purpose.
To summarise this post, we looked into the two main requirements of purpose limitation: first, that every processing activity should have a specified, explicit and legitimate purpose, and second, how a purpose may be changed. If you have any questions about any of this, you can always reach out to me or my colleagues in the Professional Services Team.
Next up in the blog series, my colleague Anna will, I believe, write about the principle of storage limitation. So give her a warm welcome next Tuesday!