Articles

Working Party 29 guidance on purpose limitation principle

Working Party 29 guidance on purpose limitation principle

Working Party 29 guidance on purpose limitation principle

09.04.2013 NL law

Yesterday, the Article 29 Working Party ("WP29"), composed of representatives of the European data protection authorities, the European Data Protection Supervisor and the European Commission, published an opinion on the purpose limitation principle when processing personal data. The WP29's opinions provide authoritative guidance on EU data protection rules. To access the opinion, please click here.

1.  Purpose limitation principle 

Personal data may only be collected for specified, explicit and legitimate purposes. Once data are collected they may not be further processed in a way that is incompatible with those purposes. This is called the purpose limitation principle.
The assessment whether or not further use of data is compatible should be made in each situation where further use is considered, according to the WP29. In this opinion, guidance and practical examples are provided on compatibility and incompatibility for further use of personal data.

2.  Proposed compatibility assessment 

The WP29 proposes that a compatibility assessment is made prior to any further use of personal data. The compatibility assessment should at least take into account:

  • The relationship between the purposes for which the data have been collected and the purposes of further processing;
  • The specific context in which the data have been collected and the reasonable expectations of the individuals involved as to further use;
  • The type of the data and the impact of the further processing on the individuals involved;
  • The safeguards applied by the data controller to ensure fair processing and to prevent any undue impact on the individuals involved.

3.  Regarding big data and open data 

The WP29 specifically discusses various safeguards that should be applied with regard to big data and open data.

Big data refers to the availability and automated use of large amounts of information. The WP29 finds that opt-in consent would almost always be required for further use regarding e.g. behavioural advertisements and tracking and profiling for direct marketing. Furthermore, in order to obtain a valid consent, organisations should disclose their decision criteria, including the algorithm used to create a profile.

Open data in this regard refers to data processed by public bodies in projects on accessibility of information. The WP29 stresses i.a. the importance of anonymisation, aggregation and the use of privacy impacts assessment to ensure necessary safeguards. The WP29 mentions that it is preparing a guidance document on open data, which will address, among other things, issues related to anonymisation.
 
4.  WP 29 proposed amendments to draft Data Protection Regulation 

The WP29 also proposes amendments to the draft Data Protection Regulation regarding purpose limitation. The current draft provides for the possibility to remedy a lack of compatibility between original processing and further use where there is a new legal ground for the further use (not being legitimate interest). The WP29 is of the opinion that a change of purpose in a processing should only be allowed in case of a favourable outcome in a (prescribed) compatibility assessment. The WP29 proposes to amend the draft Data Protection Regulation in this regard.
 
5.  First remarks 

The WP29 in this opinion provides practical examples and guidance in determining to what extent further use of personal data is allowed.

However, we note that if the WP29's proposed amendment were to be adopted, it may become considerably more difficult for data controllers to process data for further use in the future.

Moreover, in this opinion, the WP29 again (like in its recent opinion WP 202 on apps on smart devices) encourages the use of so-called 'layered privacy notices' to inform individuals involved. This means that first a layer of basic information is offered in a concise and user-friendly manner and a second layer of additional information can be reviewed at request, e.g. on a separate website. It appears that the data protection authorities consider layered privacy notices the way forward to inform individuals.

Team

Related news

21.03.2019 NL law
15 aspects of Brexit you did not know

Short Reads - A Brexit without a deal, or with a deal that does not cover all relevant aspects, is still a potential scenario. We have highlighted a number of unexpected legal consequences of Brexit in such a no deal or incomplete deal scenario.

Read more

27.03.2019 NL law
Ook WhatsApp- en sms-berichten op privételefoons vallen onder Wet openbaarheid van bestuur

Short Reads - De Afdeling bestuursrechtspraak van de Raad van State heeft in een uitspraak van 20 maart 2019 (ECLI:NL:RVS:2019:899) bevestigd dat ook WhatsApp- en sms-berichten onder de reikwijdte van de Wet openbaarheid van bestuur (Wob) vallen. Dat geldt niet alleen voor WhatsApp- en sms-berichten die staan op werktelefoons, maar ook voor berichten die staan op privételefoons van bestuurders of ambtenaren. Daarmee gaat de Afdeling terecht verder dan de rechtbank (ECLI:NL:RBMNE:2017:5979) in eerste aanleg, die van oordeel was dat de Wob niet van toepassing is op berichten op privételefoons.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring