The principle of purpose limitation dominates all data protection law. Every data processing operation must have a purpose. Data processing without a purpose is not permitted. The application of many GDPR provisions therefore depends on the purposes of processing:
Determination of the controller: The controller is the person who decides on the purposes and means of processing (Art. 4 No. 7).
Permissibility of processing: The purposes of processing have a decisive influence on the scope of permissibility of initial and further processing. They determine the scope of consent (Art. 6 I a, 7, 9 II a). They decide on the question of whether there is further processing to be assessed under Art. 6 IV. And they help decide whether such further processing is permissible (Art. 6 IV a).
Specific purposes: For certain purposes, the GDPR explicitly provides for special rules:
Purely personal or household activity (Art. 2 II c): Tile CO.32
Archiving purposes in the public interest (Art. 5 I b/e, 9 II j, 14 V b, 17 III d, 21 VI, 89): Tile P.18
Scientific or historical research purposes (Art. 5 I b/e, 9 II j, 14 V b, 17 III d, 21 VI, 85 I/II, 89): Tile CO.14
Statistical purposes (Art. 5 I b/e, 9 II j, 14 V b, 17 III d, 21 VI, 89): Tile P.17
Different purposes when processing sensitive data (Art. 9 II).
Legal proceedings (Art. 9 II f, 17 III e, 18 II, 21 I, 23 I j, 49 I e): Tile CO.27
Direct marketing (Art. 21 II/III; Rec. 47 (7)): Tile CO.23
Prevention of fraud (Rec. 47 (6)): Tile CO.22
Network and information security (Rec. 49): Tile CO.25
Journalistic purposes (Art. 85 I/II): Tile CO.11
Artistic and literary purposes (Art. 85 I/II): Tile CO.13
Employment context (Art. 88; § 26 BDSG (i.e. German Data Protection Act)): Tile CO.16 and Tile CO.17
Internal administrative purposes within a group of companies (Rec. 48 (1)): Tile CO.24
Processing in the public interest: Tiles P
Risk assessments: Purposes of processing are one of several weighting parameters in risk assessments. A high risk associated with the purpose of the processing is to be considered in favor of the data subject, a low risk in favour of the controller. A special benefit inherent in the processing purposes (for the general public, for the data processor or for third parties) shall be taken into account in favour of the controller. Cf. Art. 23 II a, 24 I 1, 25 I/II, 27 II a, 32 I, 35 I, 37 I b, 39 II, 83 II a GDPR. Cf. also §§ 7 III, 22 II BDSG. For the risk-based approach of the GDPR see Tile BC.02.
Data subjects’ rights: The purposes of processing have an impact on the scope of the data subjects’ rights: cf. Art. 11 I, 13 III, 14 IV, 16 (2), 17 I a, 18 I c GDPR.
Principles: Purpose limitation is one of the principles relating to processing of personal data (Art. 5 I b). Other principles depend on purpose limitation, such as the principle of data minimisation (Art. 5 I c), the principle of accuracy (Art. 5 I d) and the principle of storage limitation (Art. 5 I e).