Menu

Purpose limitation

This principle requires that personal data is:

"collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes"

and that "the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data".

 

In practice, this means that you must:

Why do we need to specify our purposes?

This requirement aims to ensure that you are clear and open about your reasons for obtaining personal data, and that what you do with the data is in line with the reasonable expectations of the individuals concerned.

Specifying your purposes from the outset helps you to be accountable for your processing, and helps you avoid ‘function creep’. It also helps individuals understand how you use their data, make decisions about whether they are happy to share their details, and assert their rights over data where appropriate. It is fundamental to building public trust in how you use personal data.

There are clear links with other principles – in particular, the fairness, lawfulness and transparency principle. Being clear about why you are processing personal data will help you to ensure your processing is fair, lawful and transparent. And if you use data for unfair, unlawful or ‘invisible’ reasons, it’s likely to be a breach of both principles.

Specifying your purposes is necessary to comply with your accountability obligations.

How do we specify our purposes?

If you comply with your documentation and transparency obligations, you are likely to comply with the requirement to specify your purposes without doing anything more:

However, you should also remember that whatever you document, and whatever you tell people, this cannot make fundamentally unfair processing fair and lawful.

If you are a small organisation and you are exempt from some documentation requirements, you may not need to formally document all of your purposes to comply with the purpose limitation principle. Listing your purposes in the privacy information you provide to individuals will be enough. However, it is still good practice to document all of your purposes. For more information, read our records of processing guidance.

You should regularly review your processing, documentation and privacy information to check that your purposes have not evolved over time beyond those you originally specified (‘function creep’).

Once we collect personal data for a specified purpose, can we use it for other purposes?

The purpose limitation principle prevents you from using personal data for new purposes if they are ‘incompatible’ with your original purpose for collecting the data.  The Applied GDPR does not ban processing for other purposes that were not specified at the time the data were collected altogether, but there are restrictions. If your purposes change over time or you want to use data for a new purpose which you did not originally anticipate, you can only go ahead if:

If your new purpose is compatible, you don’t need a new lawful basis for the further processing. However, you should remember that if you originally collected the data on the basis of consent, you usually need to get fresh consent to ensure your new processing is fair and lawful. See our lawfulness guidance for more information.

You also need to update your privacy information to ensure that your processing is still transparent.

What is a ‘compatible’ purpose?

The Applied GDPR specifically says that the following purposes should be considered to be compatible purposes:

Otherwise, the Applied GDPR says that to decide whether a new purpose is compatible (or as the Applied GDPR says, “not incompatible”) with your original purpose you should take into account:

As a general rule, if the new purpose is either very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is likely to be incompatible with your original purpose. In practice, you are likely to need to ask for specific consent to use or disclose data for this type of purpose.

There are clear links with the lawfulness, fairness and transparency principle. In practice, if your intended processing is fair, you are unlikely to breach the purpose limitation principle on the basis of incompatibility.