Articles

Working Party 29 guidance on purpose limitation principle

Working Party 29 guidance on purpose limitation principle

Working Party 29 guidance on purpose limitation principle

09.04.2013 NL law

Yesterday, the Article 29 Working Party ("WP29"), composed of representatives of the European data protection authorities, the European Data Protection Supervisor and the European Commission, published an opinion on the purpose limitation principle when processing personal data. The WP29's opinions provide authoritative guidance on EU data protection rules. To access the opinion, please click here.

1.  Purpose limitation principle 

Personal data may only be collected for specified, explicit and legitimate purposes. Once data are collected they may not be further processed in a way that is incompatible with those purposes. This is called the purpose limitation principle.
The assessment whether or not further use of data is compatible should be made in each situation where further use is considered, according to the WP29. In this opinion, guidance and practical examples are provided on compatibility and incompatibility for further use of personal data.

2.  Proposed compatibility assessment 

The WP29 proposes that a compatibility assessment is made prior to any further use of personal data. The compatibility assessment should at least take into account:

  • The relationship between the purposes for which the data have been collected and the purposes of further processing;
  • The specific context in which the data have been collected and the reasonable expectations of the individuals involved as to further use;
  • The type of the data and the impact of the further processing on the individuals involved;
  • The safeguards applied by the data controller to ensure fair processing and to prevent any undue impact on the individuals involved.

3.  Regarding big data and open data 

The WP29 specifically discusses various safeguards that should be applied with regard to big data and open data.

Big data refers to the availability and automated use of large amounts of information. The WP29 finds that opt-in consent would almost always be required for further use regarding e.g. behavioural advertisements and tracking and profiling for direct marketing. Furthermore, in order to obtain a valid consent, organisations should disclose their decision criteria, including the algorithm used to create a profile.

Open data in this regard refers to data processed by public bodies in projects on accessibility of information. The WP29 stresses i.a. the importance of anonymisation, aggregation and the use of privacy impacts assessment to ensure necessary safeguards. The WP29 mentions that it is preparing a guidance document on open data, which will address, among other things, issues related to anonymisation.
 
4.  WP 29 proposed amendments to draft Data Protection Regulation 

The WP29 also proposes amendments to the draft Data Protection Regulation regarding purpose limitation. The current draft provides for the possibility to remedy a lack of compatibility between original processing and further use where there is a new legal ground for the further use (not being legitimate interest). The WP29 is of the opinion that a change of purpose in a processing should only be allowed in case of a favourable outcome in a (prescribed) compatibility assessment. The WP29 proposes to amend the draft Data Protection Regulation in this regard.
 
5.  First remarks 

The WP29 in this opinion provides practical examples and guidance in determining to what extent further use of personal data is allowed.

However, we note that if the WP29's proposed amendment were to be adopted, it may become considerably more difficult for data controllers to process data for further use in the future.

Moreover, in this opinion, the WP29 again (like in its recent opinion WP 202 on apps on smart devices) encourages the use of so-called 'layered privacy notices' to inform individuals involved. This means that first a layer of basic information is offered in a concise and user-friendly manner and a second layer of additional information can be reviewed at request, e.g. on a separate website. It appears that the data protection authorities consider layered privacy notices the way forward to inform individuals.

Team

Related news

14.10.2019 NL law
Kamerdebat over digitalisering van de overheid: aandacht voor bescherming burger vereist

Short Reads - Op 24 september 2019 zijn er vier moties in stemming gebracht én aangenomen door de Tweede Kamer. De moties hebben als gemeenschappelijke deler dat ze in het teken staan van de steeds groter wordende digitalisering bij de overheid. Het achterliggende doel van de moties is dat de burger voldoende beschermd moet worden tegen deze digitalisering.

Read more

27.09.2019 NL law
Stibbe is attending the IBA's annual conference in Seoul

Conference - The annual conference of the International Bar Association (IBA) is currently taking place in Seoul. There are fourteen partners from Stibbe attending the event. Several of them have speaking slots on a wide range of legal topics and will take part in various panel discussions.

Read more

28.08.2019 NL law
Masterclass: e-signature and electronic identifiers

Masterclass - Stibbe is organising a Masterclass on 26 September 2019 in Amsterdam on the subject of e-signature and electronic identifiers. This Masterclass will cover the legal framework and focus especially on the numerous possibilities for applying the various electronic signatures in different situations. In addition, we explain the regulations governing electronic identifiers, and the mandatory European recognition they receive.

Read more

02.10.2019 EU law
Seminar: Data protection implications of (a no-deal) Brexit

Seminar - On October 25th at 9.30 am, we organize a seminar where we will discus the implications of a (no-deal) Brexit on data protection.  These issues affect all businesses interacting between UK and EEA (including EU) and which send or receive data to and from UK. We will highlight the main challenges both in the case of a hard Brexit on 31 October 2019 and in other scenarios. We will also offer guidelines to help your organisation mitigate the respective risks.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring