GDPR A5-02: Purpose Limitation — Collect Data for Specified Purposes Only
Purpose limitation is a core GDPR principle requiring you to collect personal data only for specified, explicit purposes and prohibiting further processing incompatible with those purposes. Failing to document and enforce purpose limitations creates significant compliance risk and regulatory exposure.
What this means
Purpose limitation requires your organization to establish clear, documented purposes before collecting any personal data. Once collected, you cannot process that data for unrelated purposes without explicit legal basis or consent. You must maintain a Records of Processing Activities (ROPA) that details the specific purpose(s) for each data category you collect, ensuring all downstream processing aligns with your original documented intent.
How to comply
- 1.Conduct a data inventory and identify all personal data categories your organization collects.
- 2.Define explicit, documented purposes for each data category before collection begins.
- 3.Record these purposes in your Records of Processing Activities (ROPA).
- 4.Map all data processing activities to their original stated purposes.
- 5.Implement controls to prevent processing data for purposes beyond what was documented.
- 6.Document legal bases for any secondary uses or new purposes that arise.
- 7.Communicate data purposes clearly to data subjects in privacy notices.
- 8.Review and update documented purposes annually or when processing changes.
Evidence auditors look for
- Records of Processing Activities (ROPA) listing data categories with specified purposes
- Privacy policy or notice documenting data collection purposes disclosed to subjects
- Data processing impact assessments (DPIAs) tied to documented purposes
- Contracts with processors limiting processing to specified purposes only
- Internal policies restricting data use to documented purposes
- Audit logs showing alignment between actual processing and documented purposes
- Training documentation on purpose limitation for data handlers
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch centralizes your Records of Processing Activities and automatically flags processing activities that drift from documented purposes, ensuring purpose limitation compliance without manual tracking.
See how GRCWatch handles this control automatically
Start free trial