How can the compatibility of purposes be assessed in the event of subsequent processing?

The GDPR requires us to ensure that the purposes of processing are compatible with each other when personal data is re-used.

Paul-Emmanuel Bidault
27 December 2023·9 minutes read time

The basis for any processing of personal data lies in the purpose principle, a principle which also applies at the stage of re-use of such data in the event of further processing.

To be lawful, all data processing must be justified by a specific purpose. It is not possible to process personal data without a purpose; the purpose for which the data will be collected must be established clearly and in advance.

The data controller cannot choose purposes that are too broad to create "artificial" compatibility.

Clearly stating the purpose of data processing is important for determining the relevance of the data collected and for verifying, before any (re)use, that new purposes will be compatible.

Article 5 b of the GDPR states that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

It is therefore possible to subsequently process data from an initial processing operation for new purposes, provided they are compatible. This new processing must comply with certain rules.

Depending on the legal basis invoked for the initial processing, the conditions will not be the same.

If the re-use is based on a legal obligation or a mission in the public interest, then no particular steps need to be taken other than complying with the legal provisions.

If re-use is based on consent, then free, informed, specific and unequivocal consent is required.

In other cases, an assessment of the compatibility of the purposes must be carried out (compatibility test).

5 questions to ask yourself when assessing the compatibility of your data processing purposes

Article 6.4 of the GDPR requires a test to be carried out before personal data is re-used.

This compatibility test is necessary when the initial processing is based on a legitimate interest, a contract or the safeguarding of vital interests.

Is there a relationship between the purposes of the processing operations?

This means, for example, that the second processing operation may already have been included in the initial purposes, or may have been another stage in the initial processing operation.

In what context is the data collected?

The question is whether the data subject has a reasonable expectation that his or her data will be re-used. If further processing is impossible or difficult for the individual to envisage, it will probably be considered incompatible.

What is the nature of the personal data used?

The test will be less favourable to compatibility if sensitive data is processed. Conversely, if the data is very ordinary, the risks associated with re-use are less.

What are the possible consequences of the second processing operation for individuals?

If the second processing operation is likely to infringe a person's rights and freedoms, the test will not be favourable.

Are there appropriate safeguards for individuals?

If technical procedures are put in place to ensure privacy, such as encryption or pseudonymisation, a negative result for the 2 previous criteria can be offset. Guarantees such as greater transparency or the possibility of easily objecting to processing may also be taken into account.

When is it necessary to carry out this compatibility test?

3 scenarios should be considered when assessing whether it is necessary to carry out a test:

  • Scenario 1: compatibility is obvious at first sight because the purposes are the same or very similar.

Example: A customer has products delivered to their home by a professional every week, and their address, personal details including e-mail address and bank details are collected.

This data may be re-used in subsequent weeks for delivery and invoice purposes. The customer's address may also be used in the event of non-payment, in order to send a formal notice to pay.

  • Scenario 2: compatibility is unclear and a compatibility test needs to be carried out.

Example: The professional wishes to use the customer's email address to send them personalised offers. He also wants to share the customer's personal details with his contact network so that its members can send the customer offers.

Here, there may be a connection between the way in which the data is collected and the purposes, even if the latter are not exactly the same. It will be necessary to examine clusters of indicators concerning compatibility, such as the link between the initial purpose and the subsequent purpose, and the context in which the data is collected. Here is an example:

A tour operator organises a weekend for 15 loyal customers. During the stay, the trip organiser takes numerous photos. The photos are shared on a secure website. Customers are informed that the photos are shared on a personal and restricted basis to serve as souvenirs, to the exclusion of any commercial re-use.

2 years later, the organiser wants to extract and re-use these photos to create and promote his new weekend sales website. During a meeting, he gathers the 15 clients and asks them personally whether they wish to consent to the publication of these photos, and to choose a sample of them to post on his site. Most of the participants give their consent and sign a summary document prepared by the organiser. The organiser then posts on his site only those photos for which people have given their consent.

Even if the purpose of data collection has changed radically, these 2 purposes can be considered compatible because additional safeguards have been put in place to ensure that individuals are informed, and that their consent is obtained, before any data is processed.

  • Scenario 3: incompatibility is manifest.

Example: the customer orders other products on the professional's website. He finds some of these products at a reduced price. Without informing the customer, the trader has set up an advanced price personalisation solution that detects which operating system and browser the customer is using. Depending on the data collected, the customer may or may not receive a discount.

In this case, the data is collected for the sole purpose of implementing a secret and discriminatory pricing policy. The method of data collection is unfair: the customer is not informed and could not reasonably have expected this re-use of their data.

It is only in very rare cases that even more detailed analyses could be useful to justify the processing.

Example of a recruiter wishing to re-use a recruitment file to make commercial offers to candidates:

The data was collected and processed for the purpose of searching for relevant profiles. Re-using this same data to carry out a commercial prospecting campaign could not be considered compatible with the purpose of the initial processing in light of these criteria, particularly the absence of a link between the purposes and the context in which the data is collected.

Dastra natively integrates questionnaire assessment.

An exception for statistical processing

Article 5-1 b) of the GDPR provides that further processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered, [...], as incompatible with the original purposes (purpose limitation).

This means that when data is re-used for statistical or scientific research purposes, it is not necessary to carry out a compatibility test.

Example of a temporary employment agency wishing to re-use candidate files for statistical purposes:

A temporary employment agency collects and processes the personal data of candidates who register on its online platform in order to offer them jobs and assignments. The temporary employment agency wishes to re-use candidates' personal data for statistical purposes in order to analyse and optimise its candidate placement process.

This new purpose could be considered compatible with the purpose of the initial processing, particularly in view of the link between the purposes, the absence of consequences for the data subjects and the context in which the data was collected.

What are the issues behind the re-use of personal data?

This concept contributes to transparency, lawfulness and predictability for data subjects, but also for the supervisory authorities. This makes it possible to restrict the way in which data is used by data controllers, thereby strengthening the security of individuals.

Dastra helps you to identify your purposes as soon as the register is created

In practice, data protection authorities such as the CNIL in France do not hesitate to sanction data controllers for non-compliance with purposes.

In a decision dated 24 July 2018, the CNIL fined the Office public de l'habitat (OPH) of Rennes for using user files for purposes incompatible with the initial purposes.

In this case, the chairwoman of the Rennes OPH and mayor of the town sent a letter to all social housing tenants criticising a government decision to reduce the amount of personalised housing assistance.

The CNIL assessed the real purpose of the letter and decided that it was not purely informative in nature, nor was it compatible with the main purposes of processing social housing tenants' data. In addition, there were other means of avoiding a use incompatible with the purpose of the initial collection, such as communication by means of posters.
