Short answer
When collecting personal data under GDPR, organizations must be able to clearly explain their purpose for collecting the data, because personal data must only be used for the purpose for which it was collected. There may be some exceptions, but only if the new purposes are compatible with the original purpose.
What does “Purposes for processing” mean under GDPR?
The GDPR sets out strict rules about how personal data must be collected, used and protected. One of the key principles is that personal data must only be used for the purpose for which it was collected.
In other words, when you collect data under GDPR, you are doing so for a specific purpose, and you can only use that data for that purpose. If you want to use the data for a different purpose, you must first check whether this is compatible with the original purpose.
How do I know if I can use personal data for purposes other than those for which it was collected?
The compatibility assessment must take into account factors such as the relationship between the data subject and the controller, and the nature of the data. If the controller decides that further processing is compatible with the original purpose, they must then obtain consent from the data subject. However, if the new purpose is not compatible with the original purpose, further processing will only be possible if one of the GDPR’s exceptions applies.
For example, if you collected data from customers in the course of selling a product, you would need their consent to use that data for marketing purposes. Another important factor to consider is the nature of the data, particularly whether it includes any special categories of personal data. Finally, you should also be aware of the possible consequences of the proposed further processing, and whether there are appropriate safeguards in place (such as encryption or pseudonymisation).
By taking all of these factors into account, you can help ensure that your GDPR compliance efforts are successful. Also make sure that you are relying on one of the six lawful bases for processing.
Can I use data for purposes different from those to which the user originally consented?
Personal data must only be used for the purpose for which it was collected. If a controller wants to use the data for a different purpose, they must first check whether this is compatible with the original purpose, following the list laid out in Article 6.4 of the GDPR.
Further reading: Article 6 of the GDPR
Here’s the original text from Regulation (EU) 2016/679 General Data Protection Regulation.
Article 6: Lawfulness of processing
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.