This principle requires that personal data is:
"collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes"
and that "the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data".
In practice, this means that you must:
- be clear from the outset why you are collecting personal data and what you intend to do with it;
- comply with your documentation obligations to specify your purposes;
- comply with your transparency obligations to inform individuals about your purposes; and
- ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent.
Why do we need to specify our purposes?
This requirement aims to ensure that you are clear and open about your reasons for obtaining personal data, and that what you do with the data is in line with the reasonable expectations of the individuals concerned.
Specifying your purposes from the outset helps you to be accountable for your processing, and helps you avoid ‘function creep’. It also helps individuals understand how you use their data, make decisions about whether they are happy to share their details, and assert their rights over data where appropriate. It is fundamental to building public trust in how you use personal data.
There are clear links with other principles – in particular, the fairness, lawfulness and transparency principle. Being clear about why you are processing personal data will help you to ensure your processing is fair, lawful and transparent. And if you use data for unfair, unlawful or ‘invisible’ reasons, it’s likely to be a breach of both principles.
Specifying your purposes is necessary to comply with your accountability obligations.
How do we specify our purposes?
If you comply with your documentation and transparency obligations, you are likely to comply with the requirement to specify your purposes without doing anything more:
- You need to specify your purpose or purposes for processing personal data within the documentation you are required to keep as part of your records of processing (documentation) obligations under Article 30.
- You also need to specify your purposes in your privacy information for individuals.
However, you should also remember that whatever you document, and whatever you tell people, this cannot make fundamentally unfair processing fair and lawful.
If you are a small organisation and you are exempt from some documentation requirements, you may not need to formally document all of your purposes to comply with the purpose limitation principle. Listing your purposes in the privacy information you provide to individuals will be enough. However, it is still good practice to document all of your purposes. For more information, read our records of processing guidance.
You should regularly review your processing, documentation and privacy information to check that your purposes have not evolved over time beyond those you originally specified (‘function creep’).
Once we collect personal data for a specified purpose, can we use it for other purposes?
The purpose limitation principle prevents you from using personal data for new purposes if they are ‘incompatible’ with your original purpose for collecting the data. The Applied GDPR does not altogether ban processing for other purposes that were not specified at the time the data were collected, but there are restrictions. If your purposes change over time or you want to use data for a new purpose which you did not originally anticipate, you can only go ahead if:
- the new purpose is compatible with the original purpose;
- you get the individual’s specific consent for the new purpose; or
- you can point to a clear legal provision requiring or allowing the new processing in the public interest – for example, a new function for a public authority.
If your new purpose is compatible, you don’t need a new lawful basis for the further processing. However, you should remember that if you originally collected the data on the basis of consent, you usually need to get fresh consent to ensure your new processing is fair and lawful. See our lawfulness guidance for more information.
You also need to update your privacy information to ensure that your processing is still transparent.
What is a ‘compatible’ purpose?
The Applied GDPR specifically says that the following purposes should be considered to be compatible purposes:
- archiving purposes in the public interest;
- scientific or historical research purposes; and
- statistical purposes.
Otherwise, the Applied GDPR says that to decide whether a new purpose is compatible (or as the Applied GDPR says, “not incompatible”) with your original purpose you should take into account:
- any link between your original purpose and the new purpose;
- the context in which you originally collected the personal data – in particular, your relationship with the individual and what they would reasonably expect;
- the nature of the personal data – eg is it particularly sensitive;
- the possible consequences for individuals of the new processing; and
- whether there are appropriate safeguards – eg encryption or pseudonymisation.
As a general rule, if the new purpose is either very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is likely to be incompatible with your original purpose. In practice, you are likely to need to ask for specific consent to use or disclose data for this type of purpose.
There are clear links with the lawfulness, fairness and transparency principle. In practice, if your intended processing is fair, you are unlikely to breach the purpose limitation principle on the basis of incompatibility.