GDPR: Specific Purpose

The eData Guide to GDPR

December 06, 2018

After the General Data Protection Regulation (GDPR) went into effect, users of online services and mobile device applications began to receive emails or website pop-ups regarding updated terms of service. These updates, largely focused on data privacy policies, require users to affirmatively accept the described use of their personal data (e.g., cookie identifiers) or to affirmatively adjust the provider’s use of their data (e.g., opting in or out of sharing location information). The emails and pop-ups often explain the type of personal data the service provider collects, how the data will be used or processed, and request the users’ consent for continued use of their personal data in the manner described. The notices and alerts are generated to satisfy the GDPR’s purpose limitation principle that requires personal data to be collected and processed with “informed consent” and limited to the “specific purpose” explicitly described by the controller or processor. This installment of The eData Guide to GDPR discusses best practices for identifying specific purposes for collecting and processing personal data in accordance with the GDPR.

Purpose Limitation Principle – The Specific Purpose Requirement

The GDPR defines specific purpose as a fair and lawful reason to collect, process, store and/or access personal data.[1] The reason and process must be communicated in an unambiguous and simple manner, while the processing measures must be transparent and related to the specific purpose.[2] Compliance with this element of the GDPR should begin with a review of the applicable principles and clauses in the regulation. Articles 5 and 6 provide the scope and basis for communicating and documenting “specific purpose” for processing personal data.

The Purpose Limitation Principle is expressed in Article 5:

  • Personal data should only be collected and processed for a legitimate specific purpose[3]
  • Personal data should be processed only if the specific purpose for processing the data could not reasonably be fulfilled by other means[4]
  • The specific purpose should be expressed in an unambiguous, transparent, and simple manner[5]
  • The volume and scope must be limited to what is necessary in relation to the specific purpose[6]
  • The data should only be retained and stored for as long as necessary to satisfy the specified purpose[7]
  • The data should be kept in a manner that permits identification of the data subject for no longer than is necessary for the specific purpose[8]
  • The data should not be processed for reasons beyond the originally stated purpose, or purposes compatible with it, unless the additional purpose is a qualified exception[9]

Qualified exceptions for using data beyond its original purpose were addressed in GDPR: When Is It Permissible to Use Data Beyond Its Original Purpose. Article 5, together with Article 25, establishes a continued duty to protect personal data, “by design and default,” from data collection through to deletions of the data that are closely tied to the stated specific purpose for processing the data. Article 25 instructs controllers to “implement appropriate technical and organizational (sic) measures for ensuring that…only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.”[10]

Best Practices for Compliance – Documentation

In accordance with Article 12 and Recital 60, all organizations governed by the regulation need to disclose their purpose for processing personal data within a privacy policy they provide to data subjects.[11] Controllers and processors are obliged to cooperate with EU supervising authorities if requests are made for access or review of their privacy policies and processing records.[12] Additionally, organizations of any size must document processing activities if the subject processing is likely to result in risks to the rights or freedom of the data subjects, the processing activities are not occasional or they involve special categories of data (e.g., biometric, sexual orientation), or the personal data is related to criminal convictions or offenses.[13] While documenting the specific purposes for processing is required under Articles 12 and 30, stating specific purposes for processing within information governance plans, business strategies, marketing, and standard operating procedures is a best practice.

Best Practices for Compliance – Choose Your Words Wisely

After properly scoping the intended personal data set, identifying a lawful application for processing, and selecting the applicable documentation for processing, a controller and/or processor must sufficiently articulate specific purposes for processing. The GDPR advises that “information and communication relating to the processing of personal data” should be “easily accessible,” “easy to understand” and should use “clear and plain” language.[14] Further guidance is provided by the European Data Protection Board (the Board), formerly known as the Article 29 Working Party. Their best practices for defining specific purposes include the following:

  • Avoid complex sentence and language structures
  • Do not use overly legal, technical, or specialized language or terminology
  • Language qualifiers such as “may,” “might,” “some,” “often” and “possible” should be avoided
  • Information should be concrete and definitive, without abstract or ambivalent terms that invite different interpretations
  • The specific purpose, legal basis, and processing activities should be defined and stated in a clear manner
  • Controllers/processors should ensure that all language translations are accurate, including phraseology and syntax

The Board also provides examples of insufficient and sufficient purpose of processing statements:

Insufficient -

  • We may use your personal data to develop new services

    (It is unclear what the “services” are or how the data will help develop them.)

  • We may use your personal data for research purposes

    (It is unclear what kind of “research” this entails.)

  • We may use your personal data to offer personalized services

    (It is unclear what the “personalization” entails.)

Sufficient -

  • We will retain your shopping history and use details of the products you have previously purchased to make suggestions to you for other products that we believe you will also be interested in purchasing
  • We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive
  • We will keep a record of the articles on our website that you have clicked on and use that information to target advertising on this website to you that is relevant to your interests, which we have identified based on articles you have read[15]

The goal of the specific purpose requirement is to promote and facilitate clear and open communication regarding the collection and use of personal data. This element of the GDPR is meant to assist with scoping and monitoring lawful processing. With thoughtful application of the specific purpose requirement, controllers and processors can avoid sanctions and all parties can better manage their expectations regarding the fair and lawful use of personal data.

[1] GDPR Art. 5, 6, 12, 25, and 30.

[2] Id.

[3] Id.

[4] GDPR Recital 39.

[5] GDPR Art. 5 and GDPR Recital 39.

[6] Id.

[7] Id.

[8] Id.

[9] GDPR Art. 5 and GDPR Recital 50.

[10] GDPR Art. 25.

[11] GDPR Art. 12 and GDPR Recital 60.

[12] GDPR Art. 30 and GDPR Recital 82.

[13] GDPR Art. 30 and GDPR Recital 13.

[14] GDPR Recital 39.

[15] Guidelines on Transparency under Regulation 2016/679 (WP260rev.01).