What is the GDPR Purpose Limitation Principle?

Defined in Article 5(1)(b) of the General Data Protection Regulation (GDPR), purpose limitation is the second of the principles governing the processing of personal data. It is closely tied to the first principle, lawfulness, fairness and transparency: the purposes you specify are what individuals are told about and what your lawful basis is assessed against.

Purpose Limitation Summary

  • Personal data may only be collected for specified, explicit and legitimate purposes
  • Personal data may only be used for those specified purposes
  • Further processing is not treated as incompatible with the original purposes, provided the safeguards required by Article 89(1) are in place, when it is for:
    • archiving purposes in the public interest
    • scientific or historical research purposes
    • statistical purposes

What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?

The GDPR purpose limitation principle is very similar to the second principle of the 1998 DPA; the differences are minor.

Both principles require the purpose for processing personal data to be specified before the data is collected. Under the 1998 DPA this was done through notification to the ICO, whereas under the GDPR it is done by meeting the documentation and transparency obligations (the record of processing and the privacy information given to individuals).

In both regimes, using personal data for a new purpose that does not fit the originally stated purposes is deemed 'incompatible'. The GDPR, however, provides broader exemptions than the 1998 Act: where the 1998 Act exempted further processing for research purposes, the GDPR's list of compatible purposes covers archiving in the public interest, scientific or historical research, and statistical purposes.

Business Considerations for Organizations to Understand

How do you properly address the purpose limitation principle?

Data Discovery

  • define which categories of personal data need to be investigated
  • locate every place your organization stores that data
  • create an inventory of who uses, or has access to, the data

Evaluation

  • understand the current purpose(s) for which employees use the data
  • determine whether those purposes comply with the GDPR and with what individuals were told
  • identify any purposes not currently relied on that may be needed, so they can be documented before use

Preparation

  • remove access from users who have no valid purpose for using the data
  • apply safeguards such as encryption, pseudonymization or masking to data the organization intends to process further, and wherever a purpose can be served without the sensitive elements of the data
  • record and communicate all valid purposes, both in internal documentation and in the documentation the GDPR requires
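The last two Preparation steps can be enforced in code rather than left to policy. The following is an added example, not code from the original page: a small purpose register, assumed to mirror the organization's documented purposes, is used to gate every release of a record. A requester must hold a documented purpose, an undocumented purpose is refused outright, and a purpose flagged as further processing (here, statistics) receives only the minimized fields, with direct identifiers replaced by keyed pseudonyms and the postcode generalized. The register, the key, the field names and the sample record are all constructed for the example.

```python
import hashlib
import hmac

# Constructed purpose register for this example: each documented purpose lists
# the fields it may receive and whether direct identifiers must be pseudonymised.
# In a real deployment this would mirror the Article 30 record of processing.
PURPOSE_REGISTER = {
    "order_fulfilment": {
        "fields": {"customer_id", "name", "email", "postcode", "order_total"},
        "pseudonymise": False,
    },
    "statistics": {  # further processing, so safeguards apply
        "fields": {"customer_id", "postcode", "order_total"},
        "pseudonymise": True,
    },
}

# Fields that identify a person directly; these are pseudonymised or dropped
# whenever a purpose is flagged as needing safeguards.
DIRECT_IDENTIFIERS = {"customer_id", "name", "email"}

# Hypothetical pseudonymisation key. A real system would fetch this from a KMS
# and keep it away from the statistics team so pseudonyms cannot be reversed.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: same input gives the same token, and the
    token cannot be mapped back without the key (HMAC-SHA256, truncated)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise_postcode(postcode: str) -> str:
    """Keep only the outward code (e.g. 'SW1A 1AA' -> 'SW1A') for statistical use."""
    return postcode.strip().upper().split(" ")[0]


def release_for_purpose(record: dict, purpose: str, requester_purposes: set) -> dict:
    """Return the subset of `record` that the documented `purpose` allows.

    Raises ValueError for a purpose missing from the register (undocumented
    processing) and PermissionError when the requester is not assigned to it.
    """
    spec = PURPOSE_REGISTER.get(purpose)
    if spec is None:
        raise ValueError(f"purpose {purpose!r} is not documented in the register")
    if purpose not in requester_purposes:
        raise PermissionError(f"requester has no valid purpose {purpose!r}")

    released = {}
    for field in spec["fields"]:
        if field not in record:
            continue
        value = record[field]
        if spec["pseudonymise"]:
            if field in DIRECT_IDENTIFIERS:
                value = pseudonymise(str(value))
            elif field == "postcode":
                value = generalise_postcode(value)
        released[field] = value
    return released


# Constructed sample record, not real personal data.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "A. Example",
    "email": "a.example@example.org",
    "postcode": "SW1A 1AA",
    "order_total": 42.50,
}

if __name__ == "__main__":
    print(release_for_purpose(SAMPLE_RECORD, "order_fulfilment", {"order_fulfilment"}))
    print(release_for_purpose(SAMPLE_RECORD, "statistics", {"statistics"}))
```

The point of the design is that the register is the single source of truth: a purpose that nobody has documented cannot be served at all, which keeps the code and the Article 30 record from drifting apart, and the statistics team never sees a raw identifier or full postcode even though it queries the same records.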

Where do you specify your purpose for processing?

All organizations must disclose their purposes for processing personal data in the privacy information they provide to individuals. That documentation should clearly state the type(s) of personal data collected and the intended use(s) of each.

Additionally, organizations that keep 'records of processing' under Article 30 of the GDPR document their purposes there as part of their documentation and transparency obligations. Organizations with fewer than 250 employees may be exempt from Article 30 in some circumstances, but it is still best practice to document every purpose, both as a safeguard and for internal reference.

Can personal data be used for reasons outside of the purposes specified?

As a general rule of thumb, it is safest to seek fresh consent from individuals before using personal data for a purpose that differs from the ones initially specified. The GDPR does, however, allow further processing without consent in some cases:

  • a legal provision requires or permits the new processing
  • the new purpose passes the compatibility assessment in Article 6(4), which weighs the link between the purposes, the context of collection, the nature of the data, the possible consequences for individuals, and the existence of appropriate safeguards such as pseudonymization or encryption (the safeguards are a factor in that assessment, not an exemption on their own)
  • the new purpose is one of the three the GDPR treats as compatible, subject to the Article 89(1) safeguards:
    • archiving purposes in the public interest
    • scientific or historical research purposes
    • statistical purposes