Article 5 paragraph 1 sub b GDPR:
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) (“purpose limitation”).”
The recitals to the GDPR indicate that personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed (O 39 GDPR). If the purposes of the processing for which the personal data were initially collected changes, this may only be permitted if the processing is compatible with the purposes for which the personal data were initially collected (O 50 GDPR) or a basis is obtained (usually consent).
Article 26 paragraph 1 GDPR: “When two or more controllers jointly determine the purposes and means of the processing, they are joint controllers.”
In the register of processing activities, Article 30 GDPR, the controller records the processing purposes for each processing and ensures adequate management.
Knowing the purposes of processing personal data is one of the pillars for adequate protection of personal data.
