[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flOswRQd4AJakfDf6mUU-nBVVYPx4ValzQKwucZa4biY":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":7,"wordCount":8,"readTime":9,"title":10,"nbDownloads":11,"excerpt":12,"lang":13,"url":14,"intro":15,"featured":4,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":47,"imageUrl":55,"imageThumbUrls":56,"id":64},false,"The basis for any processing of personal data lies in the [purpose principle](https://www.dastra.eu/en/guide/purpose-of-processing/56312), a principle which also applies at the stage of re-use of such data in the event of further processing.\r\n \r\n**In order to be lawful, all data processing must be justified in order to achieve a specific purpose**. It is not possible to process personal data without a purpose; it must be established clearly and in advance for what purpose the data will be collected.\r\n\r\n> Discover the [**8 golden rules of data privacy compliance**](https://www.dastra.eu/en/guide/the-8-golden-rules-of-data-privacy-compliance/56358)\r\n\r\nThe [data controller](https://www.dastra.eu/en/guide/what-are-my-obligations-as-a-data-controller/56294) cannot choose purposes that are too broad to create \"artificial\" compatibility.\r\n \r\nClearly explaining the purpose of its data processing is important for determining the **relevance of the data collected**, and identifying before any (re)use that new purposes will be compatible.\r\n \r\nArticle 5 b of the GDPR states that [personal data](https://www.dastra.eu/en/guide/personal-data/56315) shall be **collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes**.\r\n \r\n**It is therefore possible to subsequently process data from an initial processing operation for new purposes which must be compatible. This new processing must comply with certain rules**.\r\n \r\n### Conditions depending on the legal basis\r\n \r\nDepending on the legal basis invoked for the initial processing, the conditions will not be the same.\r\n \r\nIf the re-use is based on a **legal obligation** or a **mission in the public interest**, then no particular steps need to be taken other than complying with the legal provisions.\r\n \r\nIf re-use is based on **consent**, then free, informed, specific and unequivocal consent is required.\r\n \r\nIn other cases, an assessment of the compatibility of the purposes must be carried out (**compatibility test**).\r\n \r\n### **5 questions to ask yourself when assessing the compatibility of your data processing purposes** \r\n\r\n \r\nArticle 6.4 of the GDPR requires a **test** to be carried out before personal data is re-used.\r\n \r\nThis compatibility test is necessary when the initial processing is **founded on the basis of a legitimate interest**, a **contract** or the **safeguarding of vital interests**.\r\n \r\n***Is there a relationship between the purposes of the processing operations?***\r\n \r\nThis means, for example, that the second processing operation may already have been included in the initial purposes, or may have been another stage in the initial processing operation.\r\n \r\n***In what context is the data collected?***\r\n \r\nThe question is whether the data subject has a reasonable expectation that his or her data will be re-used. If further processing is impossible or difficult for the individual to envisage, it will probably be considered incompatible.\r\n \r\n***What is the nature of the personal data used?***\r\n \r\nThe test will be less favourable to compatibility if sensitive data is processed. Conversely, if the data is very ordinary, the risks associated with re-use are less.\r\n \r\n***What are the possible consequences of the second processing operation for individuals?***\r\n \r\nIf the second processing operation is likely to infringe a person's rights and freedoms, the test will not be favourable.\r\n \r\n***Are there appropriate safeguards for individuals?***\r\n \r\nIf technical procedures are put in place to ensure privacy, such as encryption or pseudonymisation, a negative result for the 2 previous criteria can be offset. Guarantees such as greater transparency or the possibility of easily objecting to processing may also be taken into account.\r\n \r\n### When is it necessary to carry out this compatibility test?\r\n\r\n \r\n**3 scenarios** should be considered when assessing whether it is necessary to carry out a test:\r\n \r\n- **Scenario 1: compatibility is obvious at first sight because the purposes are the same or very similar**.\r\n\r\n*Example: A customer has products delivered to their home by a professional every week, and their address, personal details including e-mail address and bank details are collected*.\r\n \r\nThis data may be re-used in subsequent weeks for delivery and invoice purposes. The customer's address may also be used in the event of non-payment, in order to send a formal notice to pay.\r\n \r\n* * *\r\n\r\n- **Scenario 2: compatibility is unclear and a compatibility test needs to be carried out**.\r\n\r\n*Example: The professional wishes to use the customer's email address to send them personalised offers. He also wants to communicate the customer's personal details to his contact network so that the latter can send him offers*.\r\n \r\nHere, there may be a connection between the way in which the data is collected and the purposes, even if the latter are not exactly the same. It will be necessary to examine clusters of indicators concerning compatibility, such as the link between the initial purpose and the subsequent purpose, and the context in which the data is collected. Here is an example:\r\n\r\n> A tour operator organises a weekend for 15 loyal customers. During the stay, the trip organiser takes numerous photos. The photos are shared on a secure website. Customers are informed that **the photos are shared on a personal and restricted basis to serve as souvenirs, to the exclusion of any commercial re-use**.  \r\n\r\n> 2 years later, **the organiser wanted to extract and re-use these photos to create and promote his new weekend sales website.** During a meeting, he gathered together the 15 clients and asked them personally if they wished to give their consent to the publication of these photos, and to choose a sample of them to post on his site. Most of the participants gave their consent and signed a summary document prepared by the organiser. The organiser then posts on his site only those photos for which people have given their consent.  \r\n\r\n> Even if the purpose of data collection has changed radically, **these 2 purposes** can be considered compatible because additional safeguards have been put in place to ensure that individuals are informed, and that their consent is obtained, before any data is processed.\r\n\r\n* * *\r\n\r\n- **Scenario 3: incompatibility is manifest**.\r\n\r\n*Example: the customer orders other products on the professional's website. He finds some of these products at a reduced price. Without informing the customer, the trader has set up an advanced price personalisation solution that detects which operating system and browser the customer is using. Depending on the data collected, the customer may or may not receive a discount*.\r\n \r\nIn this case, the data is collected for the sole purpose of implementing a secret and discriminatory pricing policy. The method of data collection is unfair: the customer is not informed and could not reasonably have expected this re-use of their data. \r\n \r\n It is only in very rare cases that even more detailed analyses could be useful to justify the processing.\r\n \r\nExample of a recruiter wishing to re-use a recruitment file to make commercial offers to candidates:\r\n\r\n> The data was collected and processed for the purpose of searching for relevant profiles. A re-use of this same data to carry out a commercial prospecting campaign could not be considered compatible with the purpose of the initial processing with regard to these criteria and particularly the absence of a link between the purposes, and the context in which the data is collected.\r\n\r\nDastra natively integrates [**questionnaire assessment**](https://www.dastra.eu/en/product-features/audit).\r\n \r\n### An exception for statistical processing\r\n \r\nArticle 5-1 b) of the GDPR provides that ***further processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered, [...], as incompatible with the original purposes (purpose limitation*)**.\r\n \r\nThis means that when data is re-used for statistical or scientific research purposes, it is not necessary to carry out a compatibility test.\r\n \r\nExample of a temporary employment agency wishing to re-use candidate files for statistical purposes:\r\n\r\n> A temporary employment agency collects and processes the personal data of candidates who register on its online platform in order to offer them jobs and assignments. The temporary employment agency wishes to re-use candidates' personal data for statistical purposes in order to analyse and optimise its candidate placement process. \r\n> \r\n> This new purpose could be considered compatible with the purpose of the initial processing, particularly in view of the link between the purposes, the absence of consequences for the data subjects and the context in which the data was collected.\r\n\r\n### What are the issues behind the re-use of personal data?\r\n \r\nThis concept contributes to **transparency, lawfulness and predictability** for data subjects, but also for the supervisory authorities. This makes it possible to restrict the way in which data is used by data controllers, thereby strengthening the security of individuals.\r\n\r\n> Dastra helps you to [**identify your purposes as soon as the register is created**](https://www.dastra.eu/fr/data-processing)\r\n\r\nIn practice, data protection authorities such as the CNIL in France does not hesitate to **sanction data controllers** for non-compliance with purposes.\r\n \r\n>[In a decision dated 24 July 2018](https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000037261399/), the CNIL fined the Office public de l'habitat (OPH) from Rennes for using user files for purposes **incompatible with the initial purposes**. \r\n> \r\n> In this case, the chairwoman of the Rennes OPH and mayor of the town sent a letter to all social housing tenants criticising a government decision to reduce the amount of personalised housing assistance. \r\n> \r\n> The CNIL assessed the real purpose of the letter and decided that it was not purely informative in nature, nor was it compatible with the main purposes of processing social housing tenants. In addition, there were other means of avoiding a use incompatible with the purpose of the initial collection, such as communication by means of posters.","\u003Cp>The basis for any processing of personal data lies in the \u003Ca href=\"https://www.dastra.eu/en/guide/purpose-of-processing/56312\">purpose principle\u003C/a>, a principle which also applies at the stage of re-use of such data in the event of further processing.\u003C/p>\r\n\u003Cp>\u003Cstrong>In order to be lawful, all data processing must be justified in order to achieve a specific purpose\u003C/strong>. It is not possible to process personal data without a purpose; it must be established clearly and in advance for what purpose the data will be collected.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>Discover the \u003Ca href=\"https://www.dastra.eu/en/guide/the-8-golden-rules-of-data-privacy-compliance/56358\">\u003Cstrong>8 golden rules of data privacy compliance\u003C/strong>\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>The \u003Ca href=\"https://www.dastra.eu/en/guide/what-are-my-obligations-as-a-data-controller/56294\">data controller\u003C/a> cannot choose purposes that are too broad to create \"artificial\" compatibility.\u003C/p>\r\n\u003Cp>Clearly explaining the purpose of its data processing is important for determining the \u003Cstrong>relevance of the data collected\u003C/strong>, and identifying before any (re)use that new purposes will be compatible.\u003C/p>\r\n\u003Cp>Article 5 b of the GDPR states that \u003Ca href=\"https://www.dastra.eu/en/guide/personal-data/56315\">personal data\u003C/a> shall be \u003Cstrong>collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes\u003C/strong>.\u003C/p>\r\n\u003Cp>\u003Cstrong>It is therefore possible to subsequently process data from an initial processing operation for new purposes which must be compatible. This new processing must comply with certain rules\u003C/strong>.\u003C/p>\r\n\u003Ch3 id=\"conditions-depending-on-the-legal-basis\">Conditions depending on the legal basis\u003C/h3>\r\n\u003Cp>Depending on the legal basis invoked for the initial processing, the conditions will not be the same.\u003C/p>\r\n\u003Cp>If the re-use is based on a \u003Cstrong>legal obligation\u003C/strong> or a \u003Cstrong>mission in the public interest\u003C/strong>, then no particular steps need to be taken other than complying with the legal provisions.\u003C/p>\r\n\u003Cp>If re-use is based on \u003Cstrong>consent\u003C/strong>, then free, informed, specific and unequivocal consent is required.\u003C/p>\r\n\u003Cp>In other cases, an assessment of the compatibility of the purposes must be carried out (\u003Cstrong>compatibility test\u003C/strong>).\u003C/p>\r\n\u003Ch3 id=\"questions-to-ask-yourself-when-assessing-the-compatibility-of-your-data-processing-purposes\">\u003Cstrong>5 questions to ask yourself when assessing the compatibility of your data processing purposes\u003C/strong>\u003C/h3>\r\n\u003Cp>Article 6.4 of the GDPR requires a \u003Cstrong>test\u003C/strong> to be carried out before personal data is re-used.\u003C/p>\r\n\u003Cp>This compatibility test is necessary when the initial processing is \u003Cstrong>founded on the basis of a legitimate interest\u003C/strong>, a \u003Cstrong>contract\u003C/strong> or the \u003Cstrong>safeguarding of vital interests\u003C/strong>.\u003C/p>\r\n\u003Cp>\u003Cem>\u003Cstrong>Is there a relationship between the purposes of the processing operations?\u003C/strong>\u003C/em>\u003C/p>\r\n\u003Cp>This means, for example, that the second processing operation may already have been included in the initial purposes, or may have been another stage in the initial processing operation.\u003C/p>\r\n\u003Cp>\u003Cem>\u003Cstrong>In what context is the data collected?\u003C/strong>\u003C/em>\u003C/p>\r\n\u003Cp>The question is whether the data subject has a reasonable expectation that his or her data will be re-used. If further processing is impossible or difficult for the individual to envisage, it will probably be considered incompatible.\u003C/p>\r\n\u003Cp>\u003Cem>\u003Cstrong>What is the nature of the personal data used?\u003C/strong>\u003C/em>\u003C/p>\r\n\u003Cp>The test will be less favourable to compatibility if sensitive data is processed. Conversely, if the data is very ordinary, the risks associated with re-use are less.\u003C/p>\r\n\u003Cp>\u003Cem>\u003Cstrong>What are the possible consequences of the second processing operation for individuals?\u003C/strong>\u003C/em>\u003C/p>\r\n\u003Cp>If the second processing operation is likely to infringe a person's rights and freedoms, the test will not be favourable.\u003C/p>\r\n\u003Cp>\u003Cem>\u003Cstrong>Are there appropriate safeguards for individuals?\u003C/strong>\u003C/em>\u003C/p>\r\n\u003Cp>If technical procedures are put in place to ensure privacy, such as encryption or pseudonymisation, a negative result for the 2 previous criteria can be offset. Guarantees such as greater transparency or the possibility of easily objecting to processing may also be taken into account.\u003C/p>\r\n\u003Ch3 id=\"when-is-it-necessary-to-carry-out-this-compatibility-test\">When is it necessary to carry out this compatibility test?\u003C/h3>\r\n\u003Cp>\u003Cstrong>3 scenarios\u003C/strong> should be considered when assessing whether it is necessary to carry out a test:\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>Scenario 1: compatibility is obvious at first sight because the purposes are the same or very similar\u003C/strong>.\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>\u003Cem>Example: A customer has products delivered to their home by a professional every week, and their address, personal details including e-mail address and bank details are collected\u003C/em>.\u003C/p>\r\n\u003Cp>This data may be re-used in subsequent weeks for delivery and invoice purposes. The customer's address may also be used in the event of non-payment, in order to send a formal notice to pay.\u003C/p>\r\n\u003Chr />\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>Scenario 2: compatibility is unclear and a compatibility test needs to be carried out\u003C/strong>.\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>\u003Cem>Example: The professional wishes to use the customer's email address to send them personalised offers. He also wants to communicate the customer's personal details to his contact network so that the latter can send him offers\u003C/em>.\u003C/p>\r\n\u003Cp>Here, there may be a connection between the way in which the data is collected and the purposes, even if the latter are not exactly the same. It will be necessary to examine clusters of indicators concerning compatibility, such as the link between the initial purpose and the subsequent purpose, and the context in which the data is collected. Here is an example:\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>A tour operator organises a weekend for 15 loyal customers. During the stay, the trip organiser takes numerous photos. The photos are shared on a secure website. Customers are informed that \u003Cstrong>the photos are shared on a personal and restricted basis to serve as souvenirs, to the exclusion of any commercial re-use\u003C/strong>.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cblockquote>\r\n\u003Cp>2 years later, \u003Cstrong>the organiser wanted to extract and re-use these photos to create and promote his new weekend sales website.\u003C/strong> During a meeting, he gathered together the 15 clients and asked them personally if they wished to give their consent to the publication of these photos, and to choose a sample of them to post on his site. Most of the participants gave their consent and signed a summary document prepared by the organiser. The organiser then posts on his site only those photos for which people have given their consent.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cblockquote>\r\n\u003Cp>Even if the purpose of data collection has changed radically, \u003Cstrong>these 2 purposes\u003C/strong> can be considered compatible because additional safeguards have been put in place to ensure that individuals are informed, and that their consent is obtained, before any data is processed.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Chr />\r\n\u003Cul>\r\n\u003Cli>\u003Cstrong>Scenario 3: incompatibility is manifest\u003C/strong>.\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>\u003Cem>Example: the customer orders other products on the professional's website. He finds some of these products at a reduced price. Without informing the customer, the trader has set up an advanced price personalisation solution that detects which operating system and browser the customer is using. Depending on the data collected, the customer may or may not receive a discount\u003C/em>.\u003C/p>\r\n\u003Cp>In this case, the data is collected for the sole purpose of implementing a secret and discriminatory pricing policy. The method of data collection is unfair: the customer is not informed and could not reasonably have expected this re-use of their data.\u003C/p>\r\n\u003Cp>It is only in very rare cases that even more detailed analyses could be useful to justify the processing.\u003C/p>\r\n\u003Cp>Example of a recruiter wishing to re-use a recruitment file to make commercial offers to candidates:\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>The data was collected and processed for the purpose of searching for relevant profiles. A re-use of this same data to carry out a commercial prospecting campaign could not be considered compatible with the purpose of the initial processing with regard to these criteria and particularly the absence of a link between the purposes, and the context in which the data is collected.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>Dastra natively integrates \u003Ca href=\"https://www.dastra.eu/en/product-features/audit\">\u003Cstrong>questionnaire assessment\u003C/strong>\u003C/a>.\u003C/p>\r\n\u003Ch3 id=\"an-exception-for-statistical-processing\">An exception for statistical processing\u003C/h3>\r\n\u003Cp>Article 5-1 b) of the GDPR provides that \u003Cstrong>\u003Cem>further processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered, [...], as incompatible with the original purposes (purpose limitation\u003C/em>)\u003C/strong>.\u003C/p>\r\n\u003Cp>This means that when data is re-used for statistical or scientific research purposes, it is not necessary to carry out a compatibility test.\u003C/p>\r\n\u003Cp>Example of a temporary employment agency wishing to re-use candidate files for statistical purposes:\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>A temporary employment agency collects and processes the personal data of candidates who register on its online platform in order to offer them jobs and assignments. The temporary employment agency wishes to re-use candidates' personal data for statistical purposes in order to analyse and optimise its candidate placement process.\u003C/p>\r\n\u003Cp>This new purpose could be considered compatible with the purpose of the initial processing, particularly in view of the link between the purposes, the absence of consequences for the data subjects and the context in which the data was collected.\u003C/p>\r\n\u003C/blockquote>\r\n\u003Ch3 id=\"what-are-the-issues-behind-the-re-use-of-personal-data\">What are the issues behind the re-use of personal data?\u003C/h3>\r\n\u003Cp>This concept contributes to \u003Cstrong>transparency, lawfulness and predictability\u003C/strong> for data subjects, but also for the supervisory authorities. This makes it possible to restrict the way in which data is used by data controllers, thereby strengthening the security of individuals.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>Dastra helps you to \u003Ca href=\"https://www.dastra.eu/fr/data-processing\">\u003Cstrong>identify your purposes as soon as the register is created\u003C/strong>\u003C/a>\u003C/p>\r\n\u003C/blockquote>\r\n\u003Cp>In practice, data protection authorities such as the CNIL in France does not hesitate to \u003Cstrong>sanction data controllers\u003C/strong> for non-compliance with purposes.\u003C/p>\r\n\u003Cblockquote>\r\n\u003Cp>\u003Ca href=\"https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000037261399/\" rel=\"nofollow\">In a decision dated 24 July 2018\u003C/a>, the CNIL fined the Office public de l'habitat (OPH) from Rennes for using user files for purposes \u003Cstrong>incompatible with the initial purposes\u003C/strong>.\u003C/p>\r\n\u003Cp>In this case, the chairwoman of the Rennes OPH and mayor of the town sent a letter to all social housing tenants criticising a government decision to reduce the amount of personalised housing assistance.\u003C/p>\r\n\u003Cp>The CNIL assessed the real purpose of the letter and decided that it was not purely informative in nature, nor was it compatible with the main purposes of processing social housing tenants. In addition, there were other means of avoiding a use incompatible with the purpose of the initial collection, such as communication by means of posters.\u003C/p>\r\n\u003C/blockquote>\r\n",null,1584,9,"How can the compatibility of purposes be assessed in the event of subsequent processing? ",0,"The GDPR requires us to ensure that the purposes of processing are compatible with each other when personal data is re-used. ","en","how-can-the-compatibility-of-purposes-be-assessed-in-the-event-of-subsequent-pr","The basis of all data processing lies in the principle of purpose, a principle which also applies at the stage of re-use of these data in the event of subsequent processing(s).","Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":7,"blogUrl":7,"color":7,"userId":18,"creationDate":21},38,"Paul-Emmanuel Bidault","https://static.dastra.eu/tenant-27/avatar/38/paul-emmanuel-bidault-150.jpg","2019-12-03T19:09:28","2023-12-27T15:40:20.614","2023-12-27T16:40:19.1976847","2026-02-04T10:01:22.5091982",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":7,"count":7,"imageUrl":7,"parent":7,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the community","blog","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[42],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":7,"count":7,"imageUrl":7,"parent":7,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},[48,51],{"typeMetaDataId":26,"value":49,"id":50},"https://www.dastra.eu/en/contacts/demo",111722,{"typeMetaDataId":52,"value":53,"id":54},3,"Request a demo",111723,"https://static.dastra.eu/content/43a3ff1e-1e92-49cb-83ba-1bc5bab1d3bf/accountability-1000.png",[57,58,59,60,61,62,63],"https://static.dastra.eu/content/43a3ff1e-1e92-49cb-83ba-1bc5bab1d3bf/accountability-1000.webp","https://static.dastra.eu/content/43a3ff1e-1e92-49cb-83ba-1bc5bab1d3bf/accountability.webp","https://static.dastra.eu/content/43a3ff1e-1e92-49cb-83ba-1bc5bab1d3bf/accountability-1500.webp","https://static.dastra.eu/content/43a3ff1e-1e92-49cb-83ba-1bc5bab1d3bf/accountability-800.webp","https://static.dastra.eu/content/43a3ff1e-1e92-49cb-83ba-1bc5bab1d3bf/accountability-600.webp","https://static.dastra.eu/content/43a3ff1e-1e92-49cb-83ba-1bc5bab1d3bf/accountability-300.webp","https://static.dastra.eu/content/43a3ff1e-1e92-49cb-83ba-1bc5bab1d3bf/accountability-100.webp",56361]