Purpose Limitation

A fundamental data protection principle requiring that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes (GDPR Article 5(1)(b)). This means organizations must clearly define why they're collecting data before collection begins, communicate these purposes transparently to individuals, and refrain from using data for unrelated purposes without establishing a new lawful basis and providing appropriate notice. Purpose limitation prevents function creep—the gradual expansion of data use beyond original intentions. When evaluating compatibility of new purposes with original purposes, consider: the relationship between purposes, the context of collection, the nature of personal data, possible consequences for data subjects, and whether appropriate safeguards exist. Further processing for archiving, scientific research, or statistical purposes may be considered compatible under certain conditions (Article 89). Purpose limitation works in conjunction with data minimization—organizations should collect only data necessary for stated purposes.