Overview
This Opinion analyses the principle of purpose limitation. It provides guidance for the principle's practical application under the current legal framework, and formulates policy recommendations for the future.
Purpose limitation protects data subjects by setting limits on how data controllers are able to use their data while also offering some degree of flexibility for data controllers. The concept of purpose limitation has two main building blocks: personal data must be collected for 'specified, explicit and legitimate' purposes (purpose specification) and not be 'further processed in a way incompatible' with those purposes (compatible use).
Further processing for a different purpose does not necessarily mean that it is incompatible: compatibility needs to be assessed on a case-by-case basis. A substantive compatibility assessment requires an assessment of all relevant circumstances. In particular, account should be taken of the following key factors:
- the relationship between the purposes for which the personal data have been collected and the purposes of further processing;
- the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use;
- the nature of the personal data and the impact of the further processing on the data subjects;
- the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
Processing of personal data in a way incompatible with the purposes specified at collection is against the law and therefore prohibited. The data controller cannot legitimise incompatible processing by simply relying on a new legal ground in Article 7. The purpose limitation principle can only be restricted subject to the conditions set forth in Article 13 of the Directive.
This analysis also has consequences for the future. Article 6(4) of the proposed Data Protection Regulation provides a broad exception from the requirement of compatibility, which would severely restrict its applicability and risk eroding this key principle. The WP29 therefore recommends that the proposed paragraph 4 should be deleted. Further, to provide more legal certainty, the WP29 recommends that legislators adopt the above list of relevant factors in order to assess compatibility. Although this presentation of key factors is not fully exhaustive, it attempts to highlight the most typical factors that may be considered in a balanced approach: neither too general so as to be meaningless, nor too specific so as to be overly rigid.
This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.