-
Recent Posts
- Why data protection law is uniquely equipped to let us fight a pandemic with personal data
- A US Bill from 1974 shares so much DNA with the GDPR, it could be its ancestor
- Planet49 CJEU Judgment brings some ‘Cookie Consent’ Certainty to Planet Online Tracking
- The CJEU decides lack of access to personal data does not unmake a joint controller: A look at Wirtschaftsakademie
- Brief case-law companion for the GDPR professional
- Exam scripts are partly personal data and other practical findings of the CJEU in Nowak
- A Conversation with Giovanni Buttarelli about The Future of Data Protection: setting the stage for an EU Digital Regulator
- Why did Facebook just receive (one of) the biggest data protection fine(s) on record
- Exam scripts and examiner’s corrections are personal data of the exam candidate (AG Kokott Opinion in Nowak)
- Highlights of the draft LIBE report on the ePrivacy Reg
Archives
Tags roulette
AG Mengozzi Article 8 Charter article 29 working party big data CJEU cloud computing CNIL data portability data protection Data Protection Directive data protection laws data protection officer data protection reform data protection regulation directive 95/46 directive 95/46/EC EDPS European Commission European Data Protection Supervisor European Parliament Facebook Gabriela Zanfir GDPR Google personal data PNR privacy right to be forgotten Surveillance technology Viviane RedingCategories
RSS
Meta
All about personal data protection and privacy
EPIC.ORG news- An error has occurred; the feed is probably down. Try again later.
- EDRi
- Commission launches internet fee consultation full of biased questions
- Will the European Union allow politicians to use your personal data for political advertising?
- EDRi-gram, 31 May 2023
- Sex, religion and race are advertising taboos, except for power-hungry politicians
- USA border plan requires “continuous and systematic” transfers of biometric data
- €1.2 billion GDPR fine for Meta over US mass surveillance
- 5 years of the GDPR: National authorities let down European legislator
- Romania: CSA Regulation will make journalistic investigations of child abuse impossible
- Open letter: Gender-inclusive and safe digital world that is free from violence for all
- Chaos Communication Camp 2023
- European Data Protection Supervisor
- An error has occurred; the feed is probably down. Try again later.
- CNIL
- Découvrez les chercheuses et chercheurs présents à la deuxième édition du Privacy Research Day
- Journées RGPD les 13 et 14 juin à Rennes
- Fusion de la carte Vitale et de la carte d’identité : les points d’attention de la CNIL concernant la protection des données
- Clôture de l’injonction prononcée à l’encontre de MICROSOFT IRELAND OPERATIONS LIMITED
- Remise du prix « Protection de la vie privée » 2022 par la CNIL et l’Inria
- Données de santé et utilisation des cookies : DOCTISSIMO sanctionné par une amende de 380 000 euros
- Le rapport annuel 2022 de la CNIL
- Intelligence artificielle : le plan d’action de la CNIL
- Évolution des pratiques du web en matière de cookies : la CNIL évalue l’impact de son plan d’action
- Privacy Research Day : découvrez le programme et inscrivez-vous gratuitement à l’évènement
- ICO
- Two energy firms fined combined £250,000 for making unlawful marketing calls
- ICO warns of “real danger” of discrimination in new technologies that monitor the brain
- ICO reprimands Thames Valley Police for releasing witness details to suspected criminals
- John Edwards, Information Commissioner, delivers a keynote speech at the Data and the Future of Financial Services Summit
- ICO statement on Capita incident
- Statement in response to the Open Rights Group’s report
- ICO issues Ministry of Justice with reprimand after confidential personal information left in prison holding area
- “It’s important not to get caught out.” - New SARs guidance for employers issued
- Information Commissioner John Edwards' opening remarks at the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), delivered on 23 May 2023.
- ICO fines two businesses £180,000 for making unlawful marketing calls
- Privacy Commissioner Canada
- Announcement: Commissioner welcomes conclusion of the U.S. Federal Trade Commission’s investigation into Ashley Madison breach
- Announcement: OPC blog post: learn how identifiers on your phone can be used to track you
- Don’t repeat past mistakes, Privacy Commissioner warns as government reviews national security framework - December 6, 2016
- Media Advisory: Privacy guardians to unveil recommendations on modernizing Canada’s national security framework - December 5, 2016
- Announcement: Contributions Program launches call for innovative research and knowledge translation proposals - November 30, 2016
- Announcement: Commissioner shares views on Security of Canada Information Sharing Act with Parliament
- Announcement: Commissioner shares views on Bill C-22 with Parliament
- Announcement: OPC posts new summaries of cases involving businesses
- Media surveillance highlights privacy risk to all Canadians
- Announcement: Privacy Commissioner launches Privacy Tech-Know blog series
pdpEcho 
“Purpose limitation”, explained by the Article 29 WP
On April 2, Article 29 WP published its Opinion on “purpose limitation”, one of the safeguards which make data protection efficient in Europe.
Purpose limitation protects data subjects by setting limits on how data controllers are able to use their data while also offering some degree of flexibility for data controllers. The concept of purpose limitation has two main building blocks: personal data must be collected for ‘specified, explicit and legitimate’ purposes (purpose specification) and not be ‘further processed in a way incompatible’ with those purposes (compatible use).
Further processing for a different purpose does not necessarily mean that it is incompatible:
compatibility needs to be assessed on a case-by-case basis. A substantive compatibility assessment requires an assessment of all relevant circumstances. In particular, account should be taken of the following key factors:
– the relationship between the purposes for which the personal data have been collected and the purposes of further processing;
– the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use;
– the nature of the personal data and the impact of the further processing on the data subjects;
– the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
Conclusions of the Opinion:
First building block: ‘specified, explicit and legitimate’ purposes
With regard to purpose specification, the WP29 highlights the following key considerations:
Purposes must be specific. This means that – prior to, and in any event, no later than the time when the collection of personal data occurs – the purposes must be precisely and fully identified to determine what processing is and is not included within the specified purpose and to allow that compliance with the law can be assessed and data protection
safeguards can be applied.
Purposes must be explicit, that is, clearly revealed, explained or expressed in some form in order to make sure that everyone concerned has the same unambiguous understanding of the purposes of the processing irrespective of any cultural or linguistic diversity. Purposes may be made explicit in different ways.
There may be cases of serious shortcomings, for example where the controller fails to specify the purposes of the processing in sufficient detail or in a clear and unambiguous language, or where the specified purposes are misleading or do not correspond to reality. In any such situation, all the facts should be taken into account to determine the actual purposes, along with the common understanding and reasonable expectations of the data subjects based on the context of the case.
Purposes must be legitimate. Legitimacy is a broad requirement, which goes beyond a simple cross-reference to one of the legal grounds for the processing referred to under Article 7 of the Directive. It also extends to other areas of law and must be interpreted within the context of the processing. Purpose specification under Article 6 and the requirement to have a lawful ground for processing under Article 7 of the Directive are two separate and cumulative requirements.
If personal data are further processed for a different purpose
– the new purpose/s must be specified (Article 6(1)(b)), and
– it must be ensured that all data quality requirements (Articles 6(1)(a) to (e)) are also
satisfied for the new purposes.
Second building block: compatible use
Article 6(1)(b) of the Directive also introduces the notions of ‘further processing’ and ‘incompatible’ use. It requires that further processing must not be incompatible with the purposes for which personal data were collected. The prohibition of incompatible use sets a limitation on further use. It requires that a distinction be made between further use that is ‘compatible’, and further use that is ‘incompatible’, and therefore, prohibited.
By prohibiting incompatibility rather than requiring compatibility, the legislator seems to give some flexibility with regard to further use. Further processing for a different purpose does not necessarily and automatically mean that it is incompatible, as compatibility needs to be assessed on a case-by-case basis.
In this context, the WP29 emphasises that the specific provision in Article 6(1)(b) of the Directive on ‘further processing for historical, statistical or scientific purposes’ should be seen as a specification of the general rule, while not excluding that other cases could also be considered as ‘not incompatible’. This leads to a more prominent role for different kinds of safeguards, including technical and organisational measures for functional separation, such as full or partial anonymisation, pseudonymisation, aggregation of data, and privacy enhancing technologies.
The Opinion is available HERE.
Share this:
Like this: