In order to set up an organization-wide Privacy Protection Policy you’ll have to map out the categories of your stakeholders initially.
After all, each category can be subject to a different purpose.
For example, a hospital can process personal data of patients, cleaners, nurses, specialists, suppliers, etc …
All these categories will each have a different processing purpose.
1. Define Purpose limitation
Personal data may be collected for (1):
- explicit and
- legitimate purposes and
(2) may not be further processed in a way incompatible with those purposes.
We can work out the above aspects as follows.
I. Target specification
Target specification is the core of the legal framework set for the protection of personal data.
First of all, the goal must be specified to enable the implementation of all necessary data protection safeguards and to define the scope of the processing.
Personal data may not be collected if they are not necessary, sufficient or relevant to the purpose or purposes that are intended.
It is therefore a necessary precondition for specifying the specific reason(s) for which the collection of personal data is required.
Target specification therefore sets limits to the purposes for which personal data may be collected and used.
This also helps to establish the necessary safeguards for data protection.
Target specification requires a continuous internal assessment by the controller and is a necessary condition for accountability.
Target specification is the first step that the organization must follow to ensure proper compliance with the GDPR.
II. Unambiguous and clear goal
Second, the goal must be sufficiently unambiguous and clearly expressed.
Comparison of the term ‘explicit purpose’ with the concept of ‘hidden purpose’ can help.
The purposes must be clearly disclosed, explained or expressed in an intelligible form.
From the analysis of the target specification it follows that this must take place at the moment that the collection of personal data takes place.
What is meant must be clear and leave no doubt or not difficult to understand.
The specification of the targets should be expressed in particular in such a way that they are not only understood in the same way by the controller (including all relevant staff) and by external processors, but also by the data protection authorities and the relevant data subjects.
The requirement that the goals are specified ‘explicitly’ contributes to transparency and predictability. It allows unambiguous identification for the way in which the collected personal data can be used, with a view to protecting the data subjects.
This in turn reduces the risk that the expectations of those involved will differ from the expectations of the controller.
Personal data must only be collected for legitimate purposes.
This means that the purposes must be in compliance with all provisions of applicable data protection legislation, as well as other applicable laws such as labor law, contract law, consumer protection legislation, and so on.
The requirement of legitimacy means that the goals must be ‘in accordance with the law’ in the broadest sense of the word.
This includes all forms of written and customary law, primary and secondary legislation, municipal decrees, judicial precedents, constitutional principles, fundamental rights, other legal principles, as well as jurisprudence, since such ‘law’ would be interpreted and taken into account by competent authorities.
Within the legal limits, other elements such as customs, codes of conduct, ethical codes, contractual arrangements and the general context and facts of the case may also be considered to determine whether a particular purpose is legitimate.
This includes the nature of the underlying relationship between the controller and the data subjects, whether commercial or otherwise.
Main GDPR articles in which the principle of Purpose Limitation is explicitly addressed:
25 – Data protection by design and by default
30 – Record of processing activities
35 – Data protection impact assessment
40 – Codes of conduct