After the General Data Protection Regulation (GDPR) went into effect, users of online services and mobile device applications began to receive emails or website pop-ups regarding updated terms of service. These updates, largely focused on data privacy policies, require users to affirmatively accept the described use of their personal data (e.g., cookie identifiers) or to affirmatively adjust the provider’s use of their data (e.g., opting in or out of sharing location information). The emails and pop-ups often explain the type of personal data the service provider collects and how the data will be used or processed, and request the users’ consent for continued use of their personal data in the manner described. The notices and alerts are generated to satisfy the GDPR’s purpose limitation principle, which requires personal data to be collected and processed with “informed consent” and limited to the “specific purpose” explicitly described by the controller or processor. This installment of The eData Guide to GDPR discusses best practices for identifying specific purposes for collecting and processing personal data in accordance with the GDPR.
The GDPR defines specific purpose as a fair and lawful reason to collect, process, store and/or access personal data.[1] The reason and process must be communicated in an unambiguous and simple manner, while the processing measures must be transparent and related to the specific purpose.[2] Compliance with this element of the GDPR should begin with a review of the applicable principles and clauses in the regulation. Articles 5 and 6 provide the scope and basis for communicating and documenting “specific purpose” for processing personal data.
The Purpose Limitation Principle is expressed in Article 5:
Qualified exceptions for using data beyond its original purpose were addressed in GDPR: When Is It Permissible to Use Data Beyond Its Original Purpose. Article 5, together with Article 25, establishes a continued duty to protect personal data, “by design and default,” from data collection through to deletions of the data that are closely tied to the stated specific purpose for processing the data. Article 25 instructs controllers to “implement appropriate technical and organizational (sic) measures for ensuring that…only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.”[10]
In accordance with Article 12 and Recital 60, all organizations governed by the regulation need to disclose their purpose for processing personal data within a privacy policy they provide to data subjects.[11] Controllers and processors are obliged to cooperate with EU supervising authorities if requests are made for access or review of their privacy policies and processing records.[12] Additionally, organizations of any size must document processing activities if the subject processing is likely to result in risks to the rights or freedom of the data subjects, the processing activities are not occasional or they involve special categories of data (e.g., biometric, sexual orientation), or the personal data is related to criminal convictions or offenses.[13] While documenting the specific purposes for processing is required under Articles 12 and 30, stating specific purposes for processing within information governance plans, business strategies, marketing, and standard operating procedures is a best practice.
After properly scoping the intended personal data set, identifying a lawful application for processing, and selecting the applicable documentation for processing, a controller and/or processor must sufficiently articulate specific purposes for processing. The GDPR advises that “information and communication relating to the processing of personal data” should be “easily accessible,” “easy to understand” and should use “clear and plain” language.[14] Further guidance is provided by the European Data Protection Board (the Board), formerly known as the Article 29 Working Party. Their best practices for defining specific purposes include the following:
The Board also provides examples of insufficient and sufficient purpose of processing statements:
Insufficient -
(It is unclear what the “services” are or how the data will help develop them.)
(It is unclear what kind of “research” this entails.)
(It is unclear what the “personalization” entails.)
Sufficient -
The goal of the specific purpose requirement is to promote and facilitate clear and open communication regarding the collection and use of personal data. This element of the GDPR is meant to assist with scoping and monitoring lawful processing. With thoughtful application of the specific purpose requirement, controllers and processors can avoid sanctions and all parties can better manage their expectations regarding the fair and lawful use of personal data.
[1] GDPR Art. 5, 6, 12, 25, and 30.
[2] Id.
[3] Id.
[4] GDPR Recital 39.
[5] GDPR Art. 5 and GDPR Recital 39.
[6] Id.
[7] Id.
[8] Id.
[9] GDPR Art. 5 and GDPR Recital 50.
[10] GDPR Art. 25.
[11] GDPR Art. 12 and GDPR Recital 60.
[12] GDPR Art. 30 and GDPR Recital 82.
[13] GDPR Art. 30 and GDPR Recital 13.
[14] GDPR Recital 39.
[15] Guidelines on Transparency under Regulation 2016/679 (WP260rev.01).