What is purpose limitation in the context of GDPR?

Purpose limitation is a fundamental principle under the General Data Protection Regulation (GDPR) which stipulates that personal data must be collected for specific, legitimate purposes and not processed in a manner that is incompatible with those purposes. This means that organizations must clearly define the purpose for which they are collecting personal data at the outset, and they must ensure that any subsequent use of that data aligns with the initial purpose.

This principle helps protect individuals' rights by ensuring that their data is not used in ways they did not consent to or that they might find objectionable. For instance, if a company collects personal data for the purpose of providing a service, it cannot later decide to use that same data to market unrelated products without further consent from the individual.

The emphasis on legitimacy reinforces the need for transparent communication to data subjects about how their information will be used, fostering trust and accountability in data handling practices.