
GDPR Art.5.1b: Purpose Limitation

What This Control Requires

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation').

In Plain Language

Regulators want to see that you knew exactly why you were collecting personal data before you started collecting it. Vague justifications like "business purposes" or "improving our services" will not cut it. You must define specific, explicit purposes for every data collection activity and stick to them. Once data is collected for reason A, you cannot quietly start using it for reason B without a proper compatibility assessment under Article 6(4). That assessment looks at the link between old and new purposes, the context of collection, the sensitivity of the data, potential consequences, and what safeguards you have in place. There is a carve-out for archiving in the public interest, scientific or historical research, and statistical purposes - but only if you implement appropriate safeguards under Article 89(1), including data minimisation and pseudonymisation where possible. It is not a free pass to repurpose data however you like under the banner of "research".

How to Implement

Audit every data collection point in your organisation - forms, apps, APIs, third-party integrations. For each one, check that the purpose is explicitly stated to the data subject at the moment of collection. Replace any vague purpose statements with specific ones: "Improving our services" becomes "analysing feature usage patterns to prioritise product roadmap decisions."

Build a purpose register linked to your Records of Processing Activities (RoPA). Each entry should list granular purposes and map out how data flows through your systems. This is how you catch data collected for one purpose leaking into another team's workflow.

Create a formal compatibility assessment process. Before anyone repurposes existing data, they need to run through the five-factor test from Article 6(4) and Recital 50: relationship between purposes, collection context, data sensitivity, potential consequences, and available safeguards. Write this up and keep it on file.

Enforce purpose limitation technically, not just on paper. Use access controls tied to specific purposes, tag datasets with their collection purpose, and configure your systems so cross-purpose usage requires explicit authorisation and documented justification.

Schedule regular audits to catch purpose creep - the slow, often unintentional expansion of how data gets used. Analytics and business intelligence projects are the usual culprits. Train your team to flag any proposed data use that does not match the original collection purpose.
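The technical enforcement described above (purpose-tagged datasets, purpose-bound access checks, a filed five-factor assessment before any cross-purpose use, and an audit trail for periodic review) can be sketched as a small policy engine. The code below is an added example, not code from this page or from AuditFront; the dataset names, purpose strings, requester names and the `PurposeRegister` API are constructed for illustration.

```python
"""Purpose-limitation policy check (illustrative, constructed example).

Every dataset is registered with the specific purpose stated at collection.
Every access request names its purpose. Cross-purpose use is allowed only when
an Article 6(4) compatibility assessment with all five factors written up and
approved is on file, or the purpose is an Article 89(1) purpose *and* the
required safeguards are recorded. Every decision is appended to an audit log
that feeds the periodic purpose-creep review.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Five factors from Art. 6(4) / Recital 50; each needs a written justification.
FIVE_FACTORS = ("link_between_purposes", "collection_context",
                "data_sensitivity", "possible_consequences", "safeguards")
# Art. 89(1) purposes, not incompatible only if safeguards are actually in place.
RESEARCH_PURPOSES = {"archiving_public_interest", "scientific_research",
                     "historical_research", "statistical"}
REQUIRED_RESEARCH_SAFEGUARDS = {"data_minimisation", "pseudonymisation"}


@dataclass(frozen=True)
class Dataset:
    name: str
    collection_purpose: str  # the specific purpose shown to the data subject


@dataclass
class CompatibilityAssessment:
    dataset: str
    new_purpose: str
    factors: Dict[str, str]  # factor -> written justification
    approved_by: str

    def is_complete(self) -> bool:
        # Incomplete or unapproved assessments never authorise anything.
        return bool(self.approved_by) and all(
            self.factors.get(f, "").strip() for f in FIVE_FACTORS)


@dataclass
class PurposeRegister:
    datasets: Dict[str, Dataset] = field(default_factory=dict)
    assessments: List[CompatibilityAssessment] = field(default_factory=list)
    research_safeguards: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def register(self, ds: Dataset) -> None:
        self.datasets[ds.name] = ds

    def file_assessment(self, a: CompatibilityAssessment) -> None:
        self.assessments.append(a)

    def record_research_safeguards(self, dataset: str, purpose: str,
                                   safeguards: List[str]) -> None:
        self.research_safeguards[(dataset, purpose)] = set(safeguards)

    def _assessment_for(self, dataset: str, purpose: str) -> Optional[CompatibilityAssessment]:
        for a in self.assessments:
            if a.dataset == dataset and a.new_purpose == purpose and a.is_complete():
                return a
        return None

    def check_access(self, dataset: str, requested_purpose: str,
                     requester: str) -> Tuple[bool, str]:
        ds = self.datasets.get(dataset)
        if ds is None:
            decision = (False, "dataset not in purpose register")
        elif requested_purpose == ds.collection_purpose:
            decision = (True, "matches collection purpose")
        elif requested_purpose in RESEARCH_PURPOSES:
            have = self.research_safeguards.get((dataset, requested_purpose), set())
            missing = REQUIRED_RESEARCH_SAFEGUARDS - have
            decision = ((True, "Art. 89(1) purpose with safeguards") if not missing
                        else (False, "Art. 89(1) safeguards missing: "
                              + ", ".join(sorted(missing))))
        elif (a := self._assessment_for(dataset, requested_purpose)) is not None:
            decision = (True, f"compatibility assessment approved by {a.approved_by}")
        else:
            decision = (False, "no compatibility assessment on file for this purpose")
        # Audit trail: every decision, allowed or not, is recorded for review.
        self.audit_log.append({"dataset": dataset, "requested_purpose": requested_purpose,
                               "requester": requester, "allowed": decision[0],
                               "basis": decision[1]})
        return decision

    def purpose_creep_report(self) -> Dict[str, int]:
        """Denied cross-purpose attempts per dataset; input for the periodic audit."""
        report: Dict[str, int] = {}
        for e in self.audit_log:
            if not e["allowed"]:
                report[e["dataset"]] = report.get(e["dataset"], 0) + 1
        return report


def demo() -> dict:
    """Walk one constructed dataset through the rules; returns the decisions."""
    reg = PurposeRegister()
    original = "sending monthly product update emails to subscribers"
    new_use = "personalising website content based on browsing history"
    reg.register(Dataset("web_signups", original))
    r = {"same_purpose": reg.check_access("web_signups", original, "marketing-ops"),
         "no_assessment": reg.check_access("web_signups", new_use, "growth-team")}
    # An assessment missing a factor must not unlock the new purpose.
    reg.file_assessment(CompatibilityAssessment("web_signups", new_use,
                        {f: "written up" for f in FIVE_FACTORS[:-1]}, "dpo"))
    r["incomplete_assessment"] = reg.check_access("web_signups", new_use, "growth-team")
    reg.file_assessment(CompatibilityAssessment("web_signups", new_use,
                        {f: "written up" for f in FIVE_FACTORS}, "dpo"))
    r["with_assessment"] = reg.check_access("web_signups", new_use, "growth-team")
    r["research_unsafeguarded"] = reg.check_access("web_signups", "statistical", "bi-team")
    reg.record_research_safeguards("web_signups", "statistical",
                                   ["data_minimisation", "pseudonymisation"])
    r["research_safeguarded"] = reg.check_access("web_signups", "statistical", "bi-team")
    r["creep_report"] = reg.purpose_creep_report()
    return r
```

Note that the "statistical" branch only allows access once both Article 89(1) safeguards are recorded against that dataset and purpose; simply labelling a request as research is not enough, which is the point the FAQ below makes about the research exemption.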

Evidence Your Auditor Will Request

  • Records of Processing Activities with explicit purpose statements for each processing activity
  • Purpose compatibility assessments for any secondary processing of personal data
  • Data collection forms and privacy notices showing purpose specification at point of collection
  • Access control policies that restrict data use to specified purposes
  • Audit logs demonstrating periodic reviews of data usage against documented purposes

Common Mistakes

  • Vague or overly broad purpose statements such as 'business purposes' or 'improving services' without further specification
  • Repurposing data for marketing or profiling without conducting a compatibility assessment or obtaining fresh consent
  • No formal process for assessing compatibility when new uses for existing data are proposed
  • Purpose creep occurring gradually without detection, often driven by analytics or business intelligence initiatives
  • Failing to update purpose statements when processing activities evolve over time

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.34       Related
NIS2        Art.21.2d    Partial overlap

Frequently Asked Questions

Can we use personal data collected for one purpose for a completely new purpose?
Only if the new purpose passes the compatibility test under Article 6(4), you get fresh consent, or a specific law permits it. You cannot just decide internally that the new use seems reasonable - you need a documented compatibility assessment covering the five factors before you proceed.
Does the research exemption allow any use of data for research?
No, and DPAs have been clear about this. The research must be genuine, conducted ethically, and you still need to implement Article 89(1) safeguards - particularly data minimisation and pseudonymisation where feasible. Slapping a "research" label on a commercial analytics project will not hold up.
How specific do our purpose statements need to be?
Specific enough that a normal person reading them would understand exactly what happens to their data. "Marketing purposes" is too vague. "Sending monthly product update emails to subscribers" or "personalising website content based on browsing history" tells people what they are actually signing up for. If your purpose statement could mean almost anything, it is too broad.
