Working Party 29 guidance on purpose limitation principle

09.04.2013 NL law

Yesterday, the Article 29 Working Party ("WP29"), composed of representatives of the European data protection authorities, the European Data Protection Supervisor and the European Commission, published an opinion on the purpose limitation principle when processing personal data. The WP29's opinions provide authoritative guidance on EU data protection rules.

1.  Purpose limitation principle 

Personal data may only be collected for specified, explicit and legitimate purposes. Once data are collected they may not be further processed in a way that is incompatible with those purposes. This is called the purpose limitation principle.
According to the WP29, the assessment of whether further use of data is compatible should be made in each situation where further use is considered. The opinion provides guidance and practical examples on compatibility and incompatibility for further use of personal data.

2.  Proposed compatibility assessment 

The WP29 proposes that a compatibility assessment be made prior to any further use of personal data. The compatibility assessment should at least take into account:

  • The relationship between the purposes for which the data have been collected and the purposes of further processing;
  • The specific context in which the data have been collected and the reasonable expectations of the individuals involved as to further use;
  • The type of the data and the impact of the further processing on the individuals involved;
  • The safeguards applied by the data controller to ensure fair processing and to prevent any undue impact on the individuals involved.

3.  Regarding big data and open data 

The WP29 specifically discusses various safeguards that should be applied with regard to big data and open data.

Big data refers to the availability and automated use of large amounts of information. The WP29 finds that opt-in consent would almost always be required for further use regarding e.g. behavioural advertisements and tracking and profiling for direct marketing. Furthermore, in order to obtain a valid consent, organisations should disclose their decision criteria, including the algorithm used to create a profile.

Open data in this regard refers to data processed by public bodies in projects on accessibility of information. The WP29 stresses, among other things, the importance of anonymisation, aggregation and the use of privacy impact assessments to ensure necessary safeguards. The WP29 mentions that it is preparing a guidance document on open data, which will address, among other things, issues related to anonymisation.
 
4.  WP29 proposed amendments to draft Data Protection Regulation 

The WP29 also proposes amendments to the draft Data Protection Regulation regarding purpose limitation. The current draft provides for the possibility to remedy a lack of compatibility between original processing and further use where there is a new legal ground for the further use (not being legitimate interest). The WP29 is of the opinion that a change of purpose in a processing should only be allowed in case of a favourable outcome in a (prescribed) compatibility assessment. The WP29 proposes to amend the draft Data Protection Regulation in this regard.
 
5.  First remarks 

The WP29 in this opinion provides practical examples and guidance in determining to what extent further use of personal data is allowed.

However, we note that if the WP29's proposed amendment were to be adopted, it may become considerably more difficult for data controllers to process data for further use in the future.

Moreover, in this opinion, the WP29 again (as in its recent opinion WP 202 on apps on smart devices) encourages the use of so-called 'layered privacy notices' to inform individuals involved. This means that a first layer of basic information is offered in a concise and user-friendly manner, and a second layer of additional information can be reviewed on request, e.g. on a separate website. It appears that the data protection authorities consider layered privacy notices the way forward to inform individuals.
