Purpose limitation: What is it, and why does it play such a crucial role?
Undoubtedly, you’ve come across the terms “purpose limitation” or “purpose-bound” in the context of data privacy protection. That’s not surprising, as purpose limitation is essentially at the core of the General Data Protection Regulation (GDPR). But what does it exactly mean, and why is it so important?
Purpose Limitation
Within the GDPR, Article 5, paragraph 1, states that personal data may only be collected for “specified, explicit, and legitimate purposes.” An example of this is collecting address details by an online store so that a purchased product can be delivered to the residential address of the person who placed the order.
Using personal data for the specific purpose for which it was collected – in this example, the address for product delivery – is referred to as “purpose limitation.” Simultaneously with determining the purpose, you also decide which data is necessary to achieve that purpose. It is assumed that only the data needed for the goal should be collected and that it can only be used for that specific purpose (this approach is also known as privacy by design and privacy by default). Returning to the example of our online store, the purpose of collecting the data is to facilitate the delivery of the purchased product to the customer.
Furthermore, the collected personal data may only be used for the purpose for which it was collected. If, for instance, we use the address details not only for delivering the product but also for sending promotional material to that address, we would be in violation of the GDPR (unless explicit consent is obtained for sending advertisements, clearly stated in the information regarding the use of address details).
Purpose limitation is crucial because it establishes the framework within which we can collect data and dictates what we can ultimately do with it.
Basis
Now, you might think that if you accurately describe the purpose for which you want to use the data, you can collect them without any issues. However, that’s not the case. The purpose must always be based on one of the legal grounds mentioned in the GDPR:
- Consent of the data subject
In this case, the individual whose personal data you are processing has explicitly given consent for the collection of data. Think, for example, of subscribing to a newsletter on a website. Explicit consent is sought to process your data with the purpose of sending the newsletter to you. - Performance of a contract
The personal data is necessary for the performance of a contract between the individual and the organization collecting the personal data. This situation applies to our online store. In order to ship the purchased product to the buyer, the online store needs the personal data to fulfill its agreement by delivering the product. - Legal obligation
Under this basis, the collection of personal data is grounded in legal requirements. Consider, for instance, gathering employee data for tax law purposes. - Vital interests of the data subject
With this basis, the collection of personal data is permitted in situations where the data is necessary for the individual’s health. For example, if you arrive unconscious at an emergency room after an accident, in that case, personal data essential for your health (such as biometric data) will need to be recorded. - Performance of a task carried out in the public interest
This basis can only be invoked when an organization is performing a public task for the general interest or public authority. In other words, the data is necessary to carry out tasks defined by law. - Legitimate interests pursued by the organization
The last basis comes into play when an organization evaluates the processing of specific personal data necessary for its business activities. The organization must conduct a balancing test to determine whether the privacy interests of the individuals concerned are sufficiently protected and whether they can reasonably anticipate the processing of personal data and its purpose.
