Page Contents

Answer

Yes, but only in some cases. If your company/organisation has collected data on the basis of legitimate interest, a contract or vital interests it can be used for another purpose but only after checking that the new purpose is compatible with the original purpose.

The following points should be considered:

  • the link between the original purpose and the new/upcoming purpose;
  • the context in which the data was collected (what is the relationship between your company/organisation and the individual?);
  • the type and nature of the data (is it sensitive?);
  • the possible consequences of the intended further processing (how will it impact the individual?);
  • the existence of appropriate safeguards (such as encryption or pseudonymisation).

If your company/organisation wants to use the data for statistics or for scientific research it is not necessary to run the compatibility test.

If your company/organisation has collected the data on the basis of consent or following a legal requirement, no further processing beyond what is covered by the original consent or the provisions of the law is possible. Further processing would require obtaining new consent or a new legal basis.

Examples

Further processing is possible

A bank has a contract with a client to provide the client with a bank account and a personal loan. At the end of the first year the bank uses the client’s personal data to check whether they are eligible for a better type of loan and a savings scheme. It informs the client. The bank can process the data of the client again as the new purposes are compatible with the initial purposes.

Further processing isn’t possible

The same bank wants to share the client’s data with insurance firms, based on the same contract for a bank account and personal loan. That processing isn’t permitted without the explicit consent of the client as the purpose isn’t compatible with the original purpose for which the data was processed.

References

  • Articles 5(1)(b), 6(4) and 89(1) and Recitals (39) and (50) of the GDPR
  • Article 29 Working Party Opinion 03/2013 on purpose limitation, 2 April 2013 (WP 203)