Purpose Limitation
Purpose limitation is a fundamental GDPR principle requiring that personal data is collected only for explicitly stated and legitimate purposes. Data must not subsequently be used for purposes incompatible with the original. The principle is the cornerstone of lawful data processing.
What is purpose limitation?
Purpose limitation is one of the seven fundamental principles in GDPR Article 5(1)(b). The principle requires that personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
Purpose limitation is closely linked to data minimisation. First you define the purpose of the processing. Then you assess which data is necessary to fulfil it. Without a clearly defined purpose, it is impossible to assess whether you are collecting too much or too little.
The purpose must be established before you begin collecting data. You cannot collect data and then decide what to use it for.
The three requirements for the purpose
The GDPR imposes three requirements on the purpose of your processing:
- Specified: The purpose must be clearly and precisely formulated. "Improving our services" is too vague. "Analysing usage patterns to optimise our app's loading time" is more precise.
- Legitimate: The purpose must have a valid legal basis in Article 6 (and possibly Article 9 for sensitive data).
- Established before collection: The purpose must be defined before you collect data.
You must inform the data subject about the purpose as part of your duty to inform. This is typically done via your privacy policy.
May you use data for a new purpose?
The GDPR does not prohibit all further processing, but it must be compatible with the original purpose. Article 6(4) sets out the factors you must assess:
- The link between the original and the new purpose
- The context in which data was collected, including the relationship between you and the data subject
- The nature of the data, including whether there is sensitive data
- The possible consequences for the data subject
- Appropriate safeguards such as encryption or pseudonymisation
If the new purpose is not compatible, you must obtain new consent or find another independent legal basis.
Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible with the original purpose.
Purpose limitation in practice
Implement purpose limitation by:
- Defining a clear purpose for each processing activity in your record
- Ensuring the purpose is stated in your privacy policy
- Assessing compatibility before using data for new purposes
- Documenting the assessment in writing
- Using privacy by design to build purpose limitation into systems
A classic example of infringement: an organisation collects email addresses for order confirmations and then uses them for marketing without a new legal basis. This is incompatible further processing and a breach of the purpose limitation principle.
Frequently Asked Questions about Purpose Limitation
What is purpose limitation under the GDPR?
Purpose limitation is a principle in GDPR Article 5(1)(b) requiring that personal data is collected only for specified, explicit and legitimate purposes. Data must not subsequently be used for purposes incompatible with the original.
May you use personal data for a new purpose?
You may use data for a new purpose if it is compatible with the original purpose. You must assess the link between the purposes, the context of collection, the data type, the consequences for the data subject and any safeguards. Alternatively, you can obtain new consent.
How do you document purpose limitation?
You document purpose limitation in your record of processing activities, where you state the specific purpose for each processing activity. Your privacy policy must also clearly describe the purposes for data subjects.
What is the difference between purpose limitation and data minimisation?
Purpose limitation is about what you use data for (the purpose). Data minimisation is about how much data you collect. The two principles are closely linked: first you define the purpose, and then you assess what is necessary to fulfil it.
Related Terms
Data Minimisation
Data minimisation is a GDPR principle requiring that you only collect personal data that is adequate, relevant and limited to what is necessary.
GDPR
The EU's General Data Protection Regulation (Regulation 2016/679), governing the processing of personal data and establishing rights for data subjects.
Legitimate Interest
Legitimate interest is a GDPR legal basis permitting processing without consent when the organisation's interest outweighs the data subject's rights.
.legal A/S
.legal is not a law firm and is therefore not under the supervision of the Bar Council.