What are the annex 2 compatibility conditions?
In detail
- What is an annex 2 ‘compatible’ purpose?
- How do we apply an annex 2 compatibility condition?
- What are the compatibility conditions?
What is an annex 2 ‘compatible’ purpose?
Data protection law recognises the importance of reusing personal information in certain circumstances. Annex 2 of the UK GDPR lists specific reuses of personal information that are “to be treated as compatible” with your original purpose. These are separate from the other compatible purposes in article 8A(3).
You don't need to assess compatibility if your processing is necessary and proportionate for one of these purposes listed in annex 2. This means that, if it’s necessary for you to reuse personal information for one of these purposes, your reuse complies with the purpose limitation principle.
Each of these specific reuses depends on you meeting particular requirements. We call these listed purposes ‘compatibility conditions’ (although this term is not used in the legislation itself).
How do we apply an annex 2 compatibility condition?
For each of the annex 2 compatibility conditions, you must be able to demonstrate that it’s necessary for you to reuse personal information for the specific purpose. This doesn’t mean the reuse has to be absolutely essential, but you must ensure it is a targeted and proportionate way of achieving the compatible purpose.
You should decide this based on:
- the facts of each case; and
- whether there is another reasonable and less intrusive alternative available. Using the more intrusive way is not necessary if you can achieve your new purpose in a less intrusive way.
If you can’t show that what you want to do helps meet the compatibility condition, you can’t rely on that condition.
As with all reuses of personal information, to comply with the purpose limitation principle, you must have a lawful basis.
Some of the annex 2 compatibility conditions are similar to some of the recognised legitimate interest conditions listed in annex 1 of the UK GDPR. Annex 1 sets out the pre-approved purposes that form the recognised legitimate interest lawful basis. If one of these similar conditions applies, you may be able to rely on recognised legitimate interest as your lawful basis for your reuse.
If your original lawful basis for collecting the personal information was consent, you can only rely on these compatibility conditions if it’s not reasonable to get new consent for the new use.
If your proposed new processing doesn’t meet the requirements of a compatibility condition, you cannot rely on annex 2 to reuse personal information. But if it’s compatible under the other purposes described in articles 8A(3) and 8A(4), you may still be able to reuse the personal information. If none of these apply, you must do a compatibility assessment to determine if your intended reuse is compatible with your original purpose. (For more information, see 'When do we have to assess compatibility?'.)
What are the compatibility conditions?
Annex 2 of the UK GDPR lists the compatibility conditions. We use the following terms to describe them:
- Public task disclosure response compatibility condition
- Archiving disclosure response compatibility condition
- Public security compatibility condition
- Emergencies compatibility condition
- Crime compatibility condition
- Vital interests compatibility condition
- Safeguarding compatibility condition
- Taxation compatibility condition
- Legal obligations compatibility condition
Further reading – ICO guidance