GDPR: Understand everything about purpose limitation
Previously, we discussed the notion of processing purposes. As a reminder, the purpose of processing is the objective it pursues, its reason for being. In other words, we identify it by asking: why am I using this data? What is it for?
In this article, we will focus on the principle of purpose limitation. In less than 5 minutes, you will understand everything about this concept.
The response to the survey: "Is it possible to reuse the data for another processing whose purpose is incompatible with the first?"
To introduce the subject, we offered you a survey on February 15 on our LinkedIn page, asking you if it was possible to reuse data for another processing whose purpose is incompatible with the first.
Well done! Out of 209 voters, 93% of you said "No, it’s forbidden". Indeed, you cannot reuse the data for other processing whose purpose is incompatible.

The 6 principles retained in article 5 of the GDPR
Article 5.1 of the GDPR lists five principles that the processing of personal data must meet:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
Our previous articles introduce and explain some of these concepts. Follow us so as not to miss those to come!
How do we limit the purposes?
To begin, you must identify the purpose of the processing. To do this, the processing must meet a precise, determined, explicit, legitimate and well-supervised objective. Likewise, the purpose must be clear to the data subject and be justified by the data controller.
On the one hand, this makes it possible to comply with the principle of minimization (which we will discuss next week).
On the other hand, you assure the persons concerned that their data will not be used or reused outside of this intended purpose.
Indeed, the data controller cannot reuse the data for another processing whose purpose is incompatible with the first.

This principle is paramount and immutable. If data is diverted from its purpose, the company concerned is liable to a fine and its representative to a prison sentence.
- Article 226-21 of the Penal Code punishes this offense with a fine of 300,000€ and 5 years of imprisonment.
- Article 85-3 of the GDPR provides for an administrative sanction which can amount to 20 million euros or 4% of annual turnover.
A principle to be qualified
At the same time, the GDPR qualifies the principle of purpose limitation with the notion of "compatible purpose". Under certain conditions, it allows the data collected to be reused for another purpose.
This depends in particular on the legal basis on which your initial processing is based.
If it is a legitimate interest, a contract or vital interests, the data may be used for another purpose provided that compatibility has been checked.
The following points deserve particular attention (conditions identified by the EDPS):
- “the link between the initial purpose and the new or future purpose;
- the context in which the data was collected (What is the relationship between your company/organization and the data subject?);
- the type and nature of the data (Are they sensitive?);
- the possible consequences of the planned further processing (What impact will it have on the data subject?);
- the existence of appropriate safeguards (such as encryption or pseudonymization)”.
If you use the data for statistical or scientific research purposes, there is no need to carry out a compatibility test.
If the initial processing is based on consent or a legal obligation, no further processing which goes beyond the scope of the areas covered by the initial basis is possible. Further processing would require obtaining new consent or a new legal basis.

An example of a sanction for non-compliance with the principle of purpose limitation
The Spanish supervisory authority, the AEPD, has sanctioned Bankia Bank for violating Article 5.1 on purpose limitation. In this case, the plaintiff closed his bank account and, 16 years later, contacted the banking establishment in order to obtain information relating to an inheritance issue.
It turns out that, in accordance with its internal procedures, the bank keeps the data of its former customers in intermediate archiving for the duration of the legal limitation period (in the event of a lawsuit).
This is a subsequent purpose compatible with the initial purpose (managing the customer account).
However, as noted by the supervisory authority, using this archived data to respond to a new request, unrelated to the initial intended purposes, is contrary to the principle of limitation of processing purposes. This is, in fact, a new processing which was not initially planned by the data controller and which turns out to be incompatible with the existing one.
Therefore, on August 28, 2020, the AEPD decided to impose a fine of 50,000€ for violation of the principle of limiting the purposes of processing personal data.
Data Comply One (formerly Mission RGPD) facing the principle of purpose limitation
Are you having difficulty identifying your processing purposes? Don't have time to think through and concretely set up your processing register? Or do you lack the means to be compliant?
✅ With Data Comply One (formerly Mission RGPD), you simply identify the purposes and sub-purposes of your processing.
Thanks to our pre-filled templates, you will find proposals for writing purposes and sub-purposes ready to use. You can obviously modify them if necessary and even create your own templates.
Don't waste any more time, it's so simple!