Explore

Purpose Compatibility

This process determines if existing personal data can be reused where the new Purpose is compatible with the Purpose that it was originally collected for.

To ascertain whether processing for another purpose is compatible with the original purpose for which personal data was initially collected, the Controller should take into account, among other things …

any link between the original purpose and the new purpose;

the context in which the personal data was originally collected – in particular, the Controller(s)’ relationship with the individual(s) and what they would reasonably expect;

the nature of the personal data – e.g. is it particularly sensitive;

the possible consequences for individuals of the new processing; and whether there are appropriate safeguards - e.g. encryption or pseudonymisation.

A new purpose will also be deemed to be ‘compatible’ if it is one of a defined list of ‘Compatible Purposes’. These include disclosures to public authorities that state they need the data for a task in the public interest, as well as:

disclosures for public security purposes

emergency response

safeguarding vulnerable individuals

protecting vital interests

preventing and detecting crime

assessing tax

complying with legal obligations

You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.

As a general rule, if the new purpose is either very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is likely to be incompatible with your original purpose

⁠

Principle (b): Purpose limitation | ICO

⁠

There are no rows in this table

⁠