What Article 4 of the French Data Protection Act says
Processing may only involve personal data that meets the following conditions:
- The data is collected and processed in a fair and lawful manner ;
- It is collected for determined, explicit and legitimate purposes and is not further processed in a way incompatible with these purposes. However, further processing of data for statistical purposes or for the purposes of scientific or historical research shall be considered compatible with the purposes for which the data were originally collected if it is carried out in accordance with the principles and procedures laid down in this Chapter, in Chapter IV and in Section 1 of Chapter V as well as in Chapters IX and X and if it is not used for taking decisions relating to the data subjects;
- It is adequate, relevant and not excessive with regard to the purposes for which it is collected and its further processing;
- It is kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which it was collected and processed.
Definition and principle
1. Definition of purpose
This is the purpose of the processing operation. It defines the scope of use of the data and establishes the link between the data, the processing operations and the organisations.
Examples of purposes: recruitment management, customer management, protection of property and individuals.
Data must be processed for a precisely defined and legitimate purpose. The purpose of the processing must be :
- Precisely determined: it is therefore impossible to collect and process data "for any useful purpose", without the objective having been determined beforehand by the organisation. The purpose must be determined before browsing.
- Explicit: it must be defined and stated in an understandable and sufficiently clear manner to the persons concerned or internally.
- Legitimate: (Article 5 of the GDPR) in relation to the nature and activities of the organisation. For example, the purpose may be deemed too intrusive or unjustified for the data subjects.
The aim of the purpose principle is to delimit the scope of uses for data, to ensure that users have a choice upstream rather than downstream.
Diversion from the purpose
If this principle is not respected, the data controller is faced with a misuse of the purpose.
Example of misuse:
A Social Security fund file, created by the administration, is used to calculate the amount of aid to individuals. A misuse could be to transmit email addresses to a company that will use them for commercial canvassing.
An administrative penalty provided for in the GDPR (article 83-5) may be imposed on the organisation if the misuse is proven: the penalty may be up to €20 million and 4% of worldwide turnover. A criminal penalty for misuse is also provided for in the French Criminal Code (article 226-21), which provides for up to 300,000 euros and 5 years' imprisonment.
Evolution of the purpose without misappropriation
1. Compatible purposes
This is where, when a use evolves, you want to use the same data for a different purpose at a later date, so you need to define a compatible purpose.
NB: 3 purposes may be deemed compatible as a matter of principle:
Processing for archival purposes in the public interest, Processing for scientific and historical research purposes, Processing for statistical purposes.
Other purposes may be identified as compatible by means of the "bundle of evidence" method provided for by the GDPR (Article 6-4):
- The existence of a link between the initial purpose and the subsequent purpose
- The nature of the data
- The consequences for the data subjects.
- The existence of appropriate safeguards. (e.g. encryption).
CAUTION: THERE IS AN OBLIGATION TO BE TRANSPARENT ABOUT CHANGES IN PURPOSES.
2. Consent or legal text
It is possible to define a new purpose if one of these 2 conditions is met:
- The data controller obtains the consent of individuals to define a new use for the data.
- The new use is based on a provision of EU law or the law of the Member State.
The notion of purpose is essential in the construction of your data processing, as it determines how long your data is kept, the relevance of the data collected, the rights of the data subjects, and the list of people authorised to access the data.