Articles

Working Party 29 guidance on purpose limitation principle

Working Party 29 guidance on purpose limitation principle

Working Party 29 guidance on purpose limitation principle

09.04.2013 NL law

Yesterday, the Article 29 Working Party ("WP29"), composed of representatives of the European data protection authorities, the European Data Protection Supervisor and the European Commission, published an opinion on the purpose limitation principle when processing personal data. The WP29's opinions provide authoritative guidance on EU data protection rules. To access the opinion, please click here.

1.  Purpose limitation principle 

Personal data may only be collected for specified, explicit and legitimate purposes. Once data are collected they may not be further processed in a way that is incompatible with those purposes. This is called the purpose limitation principle.
The assessment whether or not further use of data is compatible should be made in each situation where further use is considered, according to the WP29. In this opinion, guidance and practical examples are provided on compatibility and incompatibility for further use of personal data.

2.  Proposed compatibility assessment 

The WP29 proposes that a compatibility assessment is made prior to any further use of personal data. The compatibility assessment should at least take into account:

  • The relationship between the purposes for which the data have been collected and the purposes of further processing;
  • The specific context in which the data have been collected and the reasonable expectations of the individuals involved as to further use;
  • The type of the data and the impact of the further processing on the individuals involved;
  • The safeguards applied by the data controller to ensure fair processing and to prevent any undue impact on the individuals involved.

3.  Regarding big data and open data 

The WP29 specifically discusses various safeguards that should be applied with regard to big data and open data.

Big data refers to the availability and automated use of large amounts of information. The WP29 finds that opt-in consent would almost always be required for further use regarding e.g. behavioural advertisements and tracking and profiling for direct marketing. Furthermore, in order to obtain a valid consent, organisations should disclose their decision criteria, including the algorithm used to create a profile.

Open data in this regard refers to data processed by public bodies in projects on accessibility of information. The WP29 stresses i.a. the importance of anonymisation, aggregation and the use of privacy impacts assessment to ensure necessary safeguards. The WP29 mentions that it is preparing a guidance document on open data, which will address, among other things, issues related to anonymisation.
 
4.  WP 29 proposed amendments to draft Data Protection Regulation 

The WP29 also proposes amendments to the draft Data Protection Regulation regarding purpose limitation. The current draft provides for the possibility to remedy a lack of compatibility between original processing and further use where there is a new legal ground for the further use (not being legitimate interest). The WP29 is of the opinion that a change of purpose in a processing should only be allowed in case of a favourable outcome in a (prescribed) compatibility assessment. The WP29 proposes to amend the draft Data Protection Regulation in this regard.
 
5.  First remarks 

The WP29 in this opinion provides practical examples and guidance in determining to what extent further use of personal data is allowed.

However, we note that if the WP29's proposed amendment were to be adopted, it may become considerably more difficult for data controllers to process data for further use in the future.

Moreover, in this opinion, the WP29 again (like in its recent opinion WP 202 on apps on smart devices) encourages the use of so-called 'layered privacy notices' to inform individuals involved. This means that first a layer of basic information is offered in a concise and user-friendly manner and a second layer of additional information can be reviewed at request, e.g. on a separate website. It appears that the data protection authorities consider layered privacy notices the way forward to inform individuals.

Team

Related news

02.04.2020 NL law
Stibbe in Amsterdam answers questions from consumers, small business foundations and NGOs about the coronavirus

Inside Stibbe - In a special Q&A (in Dutch), lawyers from our Amsterdam office share their legal expertise and strive to provide answers to questions put to us by consumers, self-employed persons, enterprises large and small, foundations and NGOs as a result of the corona crisis.

Read more

18.03.2020 EU law
Stibbe: COVID-19

Short Reads - In view of the developments concerning the coronavirus, we hereby inform you of our business operations and the measures we take to ensure the continuity of our services to you.

Read more

12.03.2020 EU law
Stibbe sets up corona team

Inside Stibbe - The coronavirus (COVID-19) may have legal consequences for your business. We have set up a team of specialists who can provide insight into the legal implications of the virus.

Read more

10.03.2020 NL law
De AVG staat niet in de weg aan de verwerking van persoonsgegevens door een toezichthouder tijdens een bedrijfsbezoek

Short Reads - Bedrijven die met toezicht worden geconfronteerd, zijn gehouden op verzoek van een toezichthouder in beginsel alle informatie te verstrekken. Met de komst van de Algemene verordening gegevensbescherming (AVG) is in de praktijk de vraag opgekomen of een toezichthouder bevoegd is om persoonsgegevens die onderdeel uitmaken van de gevraagde informatie te verwerken.

Read more

This website uses cookies. Some of these cookies are essential for the technical functioning of our website and you cannot disable these cookies if you want to read our website. We also use functional cookies to ensure the website functions properly and analytical cookies to personalise content and to analyse our traffic. You can either accept or refuse these functional and analytical cookies.

Privacy – en cookieverklaring