At a glance
- You must be clear about what your purposes for processing are from the start.
- You need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
- You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.
☐ We have clearly identified our purpose or purposes for processing.
☐ We have documented those purposes.
☐ We include details of our purposes in our privacy information for individuals.
☐ We regularly review our processing and, where necessary, update our documentation and our privacy information for individuals.
☐ If we plan to use personal data for a new purpose other than a legal obligation or function set out in law, we check that this is compatible with our original purpose or we get specific consent for the new purpose.
- What’s new under the GDPR?
- What is the purpose limitation principle?
- Why do we need to specify our purposes?
- How do we specify our purposes?
- Once we collect data for a specified purpose, can we use it for other purposes?
- What is a 'compatible' purpose?
The purpose limitation principle is very similar to the second principle of the 1998 Act, with a few small differences.
As with the 1998 Act, you still need to specify your purpose or purposes for processing at the outset. However, under the GDPR you do this by complying with your documentation and transparency obligations, rather than through registration with the ICO.
The purpose limitation principle still prevents you from using personal data for new purposes if they are ‘incompatible’ with your original purpose for collecting the data, but the GDPR contains more detail on assessing compatibility.
Instead of an exemption for research purposes, the GDPR purpose limitation principle specifically says that it does not prevent further processing for:
- archiving purposes in the public interest;
- scientific or historical research purposes; or
- statistical purposes.
Article 5(1)(b) says:
“1. Personal data shall be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.”
In practice, this means that you must:
- be clear from the outset why you are collecting personal data and what you intend to do with it;
- comply with your documentation obligations to specify your purposes;
- comply with your transparency obligations to inform individuals about your purposes; and
- ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent.
This requirement aims to ensure that you are clear and open about your reasons for obtaining personal data, and that what you do with the data is in line with the reasonable expectations of the individuals concerned.
Specifying your purposes from the outset helps you to be accountable for your processing, and helps you avoid ‘function creep’. It also helps individuals understand how you use their data, make decisions about whether they are happy to share their details, and assert their rights over data where appropriate. It is fundamental to building public trust in how you use personal data.
There are clear links with other principles – in particular, the fairness, lawfulness and transparency principle. Being clear about why you are processing personal data will help you to ensure your processing is fair, lawful and transparent. And if you use data for unfair, unlawful or ‘invisible’ reasons, it’s likely to be a breach of both principles.
Specifying your purposes is necessary to comply with your accountability obligations.
If you comply with your documentation and transparency obligations, you are likely to comply with the requirement to specify your purposes without doing anything more:
- You need to specify your purpose or purposes for processing personal data within the documentation you are required to keep as part of your records of processing (documentation) obligations under Article 30.
- You also need to specify your purposes in your privacy information for individuals.
However, you should also remember that whatever you document, and whatever you tell people, this cannot make fundamentally unfair processing fair and lawful.
If you are a small organisation and you are exempt from some documentation requirements, you may not need to formally document all of your purposes to comply with the purpose limitation principle. Listing your purposes in the privacy information you provide to individuals will be enough. However, it is still good practice to document all of your purposes. For more information, read our documentation guidance.
If you have not provided privacy information because you are only using personal data for an obvious purpose that individuals already know about, the “specified purpose” should be taken to be the obvious purpose.
You should regularly review your processing, documentation and privacy information to check that your purposes have not evolved over time beyond those you originally specified (‘function creep’).
The GDPR does not ban this altogether, but there are restrictions. In essence, if your purposes change over time or you want to use data for a new purpose which you did not originally anticipate, you can only go ahead if:
- the new purpose is compatible with the original purpose;
- you get the individual’s specific consent for the new purpose; or
- you can point to a clear legal provision requiring or allowing the new processing in the public interest – for example, a new function for a public authority.
If your new purpose is compatible, you don’t need a new lawful basis for the further processing. However, you should remember that if you originally collected the data on the basis of consent, you usually need to get fresh consent to ensure your new processing is fair and lawful. See our lawful basis guidance for more information.
You also need to make sure that you update your privacy information to ensure that your processing is still transparent.
The GDPR specifically says that the following purposes should be considered to be compatible purposes:
- archiving purposes in the public interest;
- scientific or historical research purposes; and
- statistical purposes.
Otherwise, the GDPR says that to decide whether a new purpose is compatible (or as the GDPR says, “not incompatible”) with your original purpose you should take into account:
- any link between your original purpose and the new purpose;
- the context in which you originally collected the personal data – in particular, your relationship with the individual and what they would reasonably expect;
- the nature of the personal data – eg is it particularly sensitive;
- the possible consequences for individuals of the new processing; and
- whether there are appropriate safeguards - eg encryption or pseudonymisation.
As a general rule, if the new purpose is either very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is likely to be incompatible with your original purpose. In practice, you are likely to need to ask for specific consent to use or disclose data for this type of purpose.
A GP discloses his patient list to his wife, who runs a travel agency, so that she can offer special holiday deals to patients needing recuperation. Disclosing the information for this purpose would be incompatible with the purposes for which it was obtained.
There are clear links here with the lawfulness, fairness and transparency principle. In practice, if your intended processing is fair, you are unlikely to breach the purpose limitation principle on the basis of incompatibility.