Purpose limitation
Purpose limitation means data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Secondary (further) processing is only lawful if it is compatible with the original purpose - judged with a five-factor compatibility test. Statistical, public-interest, scientific and historical research purposes are treated as compatible (within legal limits). If processing is incompatible, the controller needs a separate legal basis (e.g. fresh consent).
Controllers must first identify the specified, explicit and legitimate purposes. Those purposes become the boundaries. Secondary processing is only lawful if compatible with the original purpose. If compatible, no separate legal basis is needed. If incompatible, the controller must inform the data subjects and either get separate consent or satisfy another lawful basis.
The compatibility test considers five factors:
- Any link between the original and new purposes
- The context of collection and the reasonable expectations of data subjects
- The nature of the personal data
- The consequences of further processing for data subjects
- The existence of appropriate safeguards in both operations

| Original purpose | Further use | Verdict |
|---|---|---|
| Fitness app: personalised routines | Fixing technical errors / improving the app | Compatible - linked and reasonably expected |
| Medication-reminder app | Sharing data with a company that sells the medication (promotion) | Incompatible - not linked to the reminder purpose |
| Health professional treats patients | Sharing patient list with an insurer to sell insurance | Incompatible - separate legal basis needed |

If further processing is compatible, you reuse the original legal basis - no separate legal ground is required. Only incompatible reuse triggers the need for fresh consent or another Article 6 basis.