EU: Guidance on the Principle of Purpose Limitation

On 2 April 2013, the Article 29 Data Protection Working Party adopted its opinion 03/2013 (WP203), in which the European data protection authorities assess and clarify the principle of purpose limitation with the aim of offering guidance on its practical application under the current and the proposed future legal framework.

Function

The principle of purpose limitation protects data subjects by setting limits to the collection and further processing of their data. When an individual provides his or her personal data to a company or another organisation, he or she usually has certain expectations about the purposes for which the data will be used. There is a value in honouring these expectations and preserving trust and legal certainty. This is why the principle of purpose limitation is an important cornerstone of data protection.

Nevertheless, data that have already been gathered may be genuinely useful for other purposes, which are not initially specified. Therefore, there is also value in allowing, within carefully balanced limits, some degree of additional use. The principle of purpose limitation is designed to offer a balanced approach: an approach that aims to reconcile the need for predictability and legal certainty regarding the purposes of the processing on the one hand, and the pragmatic need for flexibility on the other.

Core Elements

The principle of purpose limitation has two main building blocks:

  • Purpose Specification: personal data must be collected for 'specified, explicit and legitimate' purposes; and
  • Compatible Use: personal data must not be 'further processed in a way incompatible' with those purposes.

Further processing for a different purpose does not necessarily mean that it is incompatible, but compatibility needs to be assessed on a case-by-case basis, taking into account all relevant circumstances.

Key Factors

The European data protection authorities stipulate that in particular the following key factors need to be taken into account:

  • the relationship between the purposes for which the personal data have been collected and the purposes of further processing;
  • the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use;
  • the nature of the personal data and the impact of the further processing on the data subjects;
  • the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects.

Processing of personal data in a way incompatible with the purposes specified at collection is against the law and therefore prohibited. A data controller therefore cannot legitimise incompatible data processing simply by relying on a new legal ground, for example in the context of a new privacy policy or another government task.

Sources:

Press Release of 8 April 2013 by the Article 29 Data Protection Working Party

WP203, Opinion 03/2013 of 2 April 2013 by Article 29 Data Protection Working Party



Verlag Dr. Otto Schmidt, 27.05.2013 15:30
