3. Only use personal data for the planned purposes

The principle of purpose limitation means that personal data may only be collected for specific, predefined purposes. The purpose of processing must be defined clearly in advance. Nor may the data be processed in a manner that is incompatible with those purposes later.

The data subjects must be informed of the purpose of processing their personal data. The purpose of the data must also be documented, i.e. written down. Only processing personal data for a specific purpose is a key factor in the maintenance of trust. Defining the purpose of processing helps the data subject

• understand what their data is needed for;
• evaluate whether the purpose is appropriate; and
• decide whether they want to influence the processing of their personal data by exercising their data protection rights.

Example

A dance academy has determined that it processes personal data for the following purposes in its operations: maintaining the club’s membership registry, arranging dancing classes, communicating about activities, collecting membership fees, delivering the club’s newsletter, and paying salaries.

Personal data may be processed for new purposes if the planned purpose complies with data protection regulations and

• the data subject’s consent for the new purpose is obtained before the start of processing

or

• there is a clear legal basis for the processing

If the controller intends to process personal data for new purposes, it must notify the data subject of this before the start of processing. The controller must inform the data subject of the new purpose of processing, the rights of the data subject and all other necessary matters, unless it has a legal reason for derogating from the duty to inform.

Remember

Define a specific purpose for the processing of personal data and only process the data for that purpose. If you intend to use the data for other purposes as well, you need to notify the data subjects of the change in purpose before starting the processing.