Dictionary

Purpose limitation

Personal data may only be used for specified purposes. Further processing for other, incompatible purposes is not permitted. This is the principle of “purpose limitation” in data processing. For any other purpose for which data controllers wish to use personal data, they must obtain separate consent or claim other reasons for lawful data processing.

However, there are exceptions to purpose limitation: Data may be processed for scientific research purposes, for statistical purposes or for archiving purposes in the public interest (see Research purposes).

In Germany, the Federal Data Protection Act provides for further restrictions on the purpose limitation of data processing:

  • Public authorities may process data of data subjects if this is obviously in the interest of the data subject and a refusal of consent is not anticipated.
  • Public sector bodies may use personal data in law enforcement, in matters of national security or to perform monitoring tasks.
  • Non-public bodies, such as companies, may process data of data subjects if this is necessary for public security or for the exercise of civil law claims.

Article 5(1b) GDPR (Principles relating to processing of personal data)

[Personal data shall be:] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”)

Source: Regulation (EU) 2016/679 (see also recital 39)

Article 13(3) GDPR (Information to be provided where personal data are collected from the data subject)

Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

Source: Regulation (EU) 2016/679

Article 14(4) GDPR (Information to be provided where personal data have not been obtained from the data subject)

Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

Source: Regulation (EU) 2016/679

Section 23 BDSG (Processing for other purposes by public bodies)

(1) Public bodies shall be permitted to process personal data for a purpose other than the one for which the data were collected where such processing is necessary for them to perform their duties and if
1. it is obviously in the interest of the data subject and there is no reason to assume that the data subject would refuse consent if he or she were aware of the other purpose;
2. it is necessary to check information provided by the data subject because there is reason to believe that this information is incorrect;
3. processing is necessary to prevent substantial harm to the common good or a threat to public security, defence or national security; to safeguard substantial concerns of the common good; or to ensure tax and customs revenues;
4. processing is necessary to prosecute criminal or administrative offences, to carry out or enforce punishment or measures as referred to in Section 11 (1) no. 8 of the Criminal Code or educational or disciplinary measures as referred to in the Juvenile Court Act or to enforce fines;
5. processing is necessary to prevent serious harm to the rights of another person; or
6. processing is necessary to exercise powers of supervision and monitoring, to conduct audits or organizational analyses of the controller; this shall also apply to processing for training and examination purposes by the controller, as long as it does not conflict with the legitimate interests of the data subject.

(2) The processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 for a purpose other than the one for which the data were collected shall be permitted if the conditions of subsection 1 are met and an exception pursuant to Article 9 (2) of Regulation (EU) 2016/679 or pursuant to Section 22 applies.

Source: German Federal Data Protection Act

Section 24 BDSG (Processing for other purposes by private bodies)

(1) Private bodies shall be permitted to process personal data for a purpose other than the one for which the data were collected if
1. processing is necessary to prevent threats to state or public security or to prosecute criminal offences; or
2. processing is necessary for the establishment, exercise or defence of legal claims,

unless the data subject has an overriding interest in not having the data processed.

(2) The processing of special categories of personal data as referred to in Article 9 (1) of Regulation (EU) 2016/679 for a purpose other than the one for which the data were collected shall be permitted if the conditions of subsection 1 are met and an exception pursuant to Article 9 (2) of Regulation (EU) 2016/679 or pursuant to Section 22 applies.

Source: German Federal Data Protection Act

Go to article Go to video

 

A
B
C