Purpose limitation

Purpose limitation requires that personal data be collected only for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes.

Purpose limitation is one of the core processing principles of the GDPR and is enshrined in Art. 5(1)(b) GDPR. According to it, personal data may only be collected for specified, explicit and legitimate purposes. The controller must determine and document the purpose concretely before collection; blanket or vague statements such as "business operations" are not sufficient. The defined purpose simultaneously serves as the benchmark for further principles such as data minimisation and storage limitation, because the necessity of the data and the retention period are always measured against the specified purpose.

Subsequent processing for a purpose other than the original one (purpose change) is only permitted under narrow conditions. It is readily possible where the data subject has given consent or where a Union or Member State law authorises the further processing. In the absence of such a basis, the controller must carry out a compatibility assessment under Art. 6(4) GDPR: this examines, among other things, the link between the old and the new purpose, the context of collection, the nature of the data, the possible consequences for the data subjects and the existence of appropriate safeguards such as encryption or pseudonymisation.

Under the second half-sentence of Art. 5(1)(b) GDPR, further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is privileged; subject to appropriate safeguards under Art. 89(1) GDPR, it is not considered incompatible. Every purpose change must also observe the information duties under Art. 13(3) and Art. 14(4) GDPR. Anyone who disregards purpose limitation risks fines under Art. 83(5) GDPR and claims for damages from data subjects; clean documentation of purposes in the record of processing activities is therefore also an expression of accountability.

Legal Basis

Art. 5(1)(b) GDPR; Art. 6(4) GDPR; Art. 89(1) GDPR

Practical Example

An online retailer has collected its customers' email addresses solely to process orders. The marketing department now wants to use these addresses for a newsletter. The data protection coordinator checks: no consent is in place, and the newsletter is not readily compatible with the original contractual purpose. He therefore recommends obtaining a separate marketing consent before sending, or limiting the advertising to the narrow scope of the existing-customer exemption under Section 7(3) of the German Act Against Unfair Competition, and documents the purpose change together with its legal basis in the record of processing activities.

FAQ

A change of purpose is permitted where the data subject consents, where a legal provision authorises it, or where the new purpose is compatible with the original one. Compatibility is assessed using the criteria in Art. 6(4) GDPR, such as the closeness of the purposes, the nature of the data and any safeguards in place.

The purpose must be specified before collection and be explicit and legitimate. Blanket statements such as "business purposes" are not sufficient. The more concretely the purpose is described, the more clearly necessity, retention period and permissible further processing can be determined.

Yes. Further processing for archiving purposes in the public interest and for scientific, historical or statistical purposes is, under Art. 5(1)(b) GDPR, not considered incompatible, provided that appropriate safeguards under Art. 89(1) GDPR are in place.
