Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
Data are collected for certain aims. As a prerequisite for other data quality requirements, purpose specification will determine the relevant data to be collected, retention periods, and all other key aspects of how personal data will be processed for the chosen purpose/s. If personal data are further processed for a different purpose, the new purpose/s must be specified and it must be ensured that all data quality requirements are also satisfied for the new purposes.
When applying data protection law, it must first be ensured that the purpose is specific, explicit and legitimate. This is a prerequisite for other data quality requirements, including adequacy, relevance and proportionality, accuracy and requirements regarding the duration of retention.
The concept of purpose limitation has two main building blocks: the personal data must be collected for 'specified, explicit and legitimate' purposes (purpose specification) and not be 'further processed in a way incompatible' with those purposes (compatible use).
First building block – Purpose Specification
Purposes must be specific. This means that - prior to, and in any event no later than, the time when the collection of personal data occurs - the purposes must be precisely and fully identified, so as to determine what processing is and is not included within the specified purpose and to allow compliance with the law to be assessed and data protection safeguards to be applied.
The fact that the information must be precise does not mean that longer, more detailed specifications are always necessary or helpful, particularly where detailed specifications of purpose are overly legalistic and provide disclaimers rather than helpful information. The approach of a 'layered notice' is encouraged, especially on the Internet. This means e.g. that key and concise information is provided to data subjects, while additional information is provided on another Internet page.
Personal data can be collected for more than one purpose. Controllers should avoid identifying only one broad purpose in order to justify various further processing activities which are in fact only remotely related to the actual initial purpose.
Purposes must be explicit, that is, clearly revealed, explained or expressed in some form in order to make sure that everyone concerned has the same unambiguous understanding of the purposes of the processing irrespective of any cultural or linguistic diversity. Purposes may be made explicit in different ways.
Purposes must be legitimate. Legitimacy is a broad requirement, which goes beyond a simple cross-reference to one of the legal grounds for the processing referred to under Article 6. It also extends to other areas of law. The notion of legitimacy must be interpreted within the context of the processing, which determines the ‘reasonable expectations’ of the data subject.
Second building block – Compatibility
…and not further processed in a manner that is incompatible with those purposes. The notions of 'further processing' and 'incompatible' use require that further processing must not be incompatible with the purposes for which personal data were collected. Processing of personal data in a way incompatible with the purposes specified at collection is against the law and therefore prohibited. The data controller cannot legitimise incompatible processing by simply relying on a new legal ground.
The fact that the further processing may be for a different purpose does not necessarily mean that it is automatically incompatible: this needs to be assessed on a case-by-case basis. Key factors to be considered during the compatibility assessment:
the relationship between the purposes for which the data have been collected and the purposes of further processing;
the context in which the data have been collected and the reasonable expectations of the data subjects as to their further use;
the nature of the data and the impact of the further processing on the data subjects;
the safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards, in particular data minimisation and ensuring that the data will not be used to support measures or decisions regarding any particular individuals. Those safeguards may include pseudonymisation. In some cases, Union or Member State law may provide for derogations from certain data subjects’ rights.
‘Statistical purposes’, in particular, cover a wide range of processing activities, from commercial purposes (e.g. analytical tools of websites or big data applications aimed at market research) to public interests (e.g. statistical information produced from data collected by hospitals to determine the number of people injured as a result of road accidents).
Processing for ‘historical’ purposes can also have specific characteristics and this may require a different set of safeguards. Member States often have specific laws governing access to national archives, archives on recent history of particular interest (such as archives evidencing oppressive regimes), and court files kept by the judiciary.
As regards ‘scientific’ purposes, there may also be a need to access different kinds of data. Some research may require raw microdata, which are only partially anonymised or pseudonymised. In some cases, the research purposes involved can only be fulfilled if the pseudonymisation is reversible.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018