What is the second of the seven data processing principles outlined in GDPR?
The second principle of data processing is the purpose limitation.
GDPR text on purpose limitation
Article 5 of GDPR provides that personal data shall be:
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes
What is the purpose limitation principle?
The purpose limitation is intended to ensure that companies provide their clients, users and data subjects with clear, explicit and specific information about why they need to collect personal information, and that this purpose is reasonable.
For organizations to comply with principle 2 of GDPR with regards to data processing, they must have an explicit and legitimate purpose for collecting, storing and processing personal data.
Companies need to assess the type and nature of personal data they need to render their services and only collect the information needed to achieve their purpose.
For example, if a company needs to collect a name, address and email address to achieve a specific purpose, it should not ask for any more information than is needed.
The purpose must be disclosed to the data subject in a specific manner, and it must be explicit and legitimate.
Why is purpose limitation important?
When data subjects are clearly informed of the purpose of personal data collection, storage and processing, they can give meaningful and free consent to provide or withhold their personal data.
Also, depending on the specified purpose, individuals can be informed as to the rights they may assert against an organization.
For example, a data subject can request that a company delete or erase personal data that is not necessary or exceeds the limits of what’s reasonable for the company’s intended purpose.
By understanding the purpose, data subjects will know the reasonable threshold for giving personal data to an organization.
How do you specify the purpose to data subjects?
Companies must be able to specify their purpose both internally and to data subjects.
As a first step, organizations must internally understand and define their purpose for collecting personal data.
In the event of an audit or regulatory probe, companies must be able to show a documented assessment of their purpose as required by Article 30 of GDPR.
The second step is for organizations to clearly define and specify the purpose for collecting personal data to data subjects.
Companies employing fewer than 250 employees are not subject to the same obligations as those contained in Article 30 of GDPR, but they must nonetheless provide sufficient privacy disclosure to data subjects.
Can data be used for multiple purposes?
Under GDPR, the collection, storage and processing of personal data must be done in accordance with the purpose specified to the data subject.
If you have specified multiple purposes to an individual, and those purposes are lawful and reasonable for you to render your services, then you are authorized to use the data collected for those multiple purposes.
However, you are not authorized to use personal data for purposes other than those for which it was initially collected.
What happens if the purpose changes over time?
If your purpose changes over time, you’ll need to evaluate the need to request a new consent from your client or data subject.
To determine if you’ll need a new consent or not, here are some questions that can guide you:
- Is the new purpose compatible with the original purpose?
- Will the new purpose be reasonable and fair?
- Are there specific legal provisions allowing the data processing without the need of a specific consent?
- Is there any link between the original purpose and the new purpose?
- What is the nature of the personal data needed for the new purpose?
- Are the consequences or risks of harm the same to the data subject?
- Do we have sufficient and appropriate safeguards to protect personal data?
If your purpose changes over time in a way that affects the reasonable expectations of the data subject, or is no longer compatible with the original consent given, you’ll need to get new consent from data subjects.
What is a compatible purpose?
GDPR defines the following purposes as a compatible purpose:
- Archiving purposes in the public interest
- Scientific purposes
- Historical research purposes
- Statistical purposes
If you are going to process personal data outside of what GDPR considers as compatible, you’ll need to decide if the purpose for which you will use someone’s personal data is compatible with the initial purpose for which it was collected.
For more content on the GDPR principles, read our post titled What Are The 7 Principles of GDPR?