DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR Purpose Limitation: Why You Can't Use Data for Something You Didn't Disclose

Collecting email for order confirmations, then using it for newsletters — that's a purpose limitation violation. Here's how to identify and fix secondary use problems in your data flows.


GDPR Article 5 sets out the data protection principles (six in Article 5(1), plus accountability in Article 5(2)). Most organisations focus on the visible ones: lawfulness and transparency, security, and the obligations that sit around them such as consent management and breach notification. Purpose limitation sits quietly in Article 5(1)(b), and it is one of the most commonly violated principles in practice. Not because businesses are reckless, but because data use tends to expand over time, often invisibly.

You collected email addresses so you could send order confirmations. Then your marketing team asked if they could use the list for a newsletter campaign. That's a purpose limitation problem.

You collected analytics data to understand site traffic. Then your data science team asked if they could use it to build user profiles. That's another one.

You held job application data for a role that was filled. Then the same candidate applied for a new position and you pre-filled their details from the previous application without asking. That's a third.

This post explains what purpose limitation actually requires, why it's violated so often, and how to audit and fix your data flows before a regulator does it for you.


What Article 5(1)(b) Actually Says

GDPR Article 5(1)(b) states that personal data must be:

"collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."

Three requirements are packed into that sentence:

Specified — The purpose must be identified before you collect the data, not after. You cannot collect data and then figure out what you'll use it for.

Explicit — The purpose must be stated clearly, not buried in vague language. "We may use your data to improve our services" does not specify a purpose. "We use your email address to send order confirmation emails and shipping notifications" does.

Legitimate — The purpose itself must be lawful, and the processing for it must rest on a valid legal basis under Article 6. A purpose can be specified and explicit but still illegitimate if there is no lawful ground for the processing, or if the purpose is one the law does not permit at all.

The "not further processed in an incompatible manner" clause is where most day-to-day violations occur. It means that once you've specified your purposes, you're constrained by them. Article 6(4) spells out the three routes to using data for something new: the new purpose is compatible with the original one (in which case Recital 50 says no separate legal basis is needed), the data subject gives consent for the new purpose, or a Union or Member State law authorises the further processing. In commercial practice the second route, fresh consent, is the one that usually applies.


What "Specified and Explicit" Requires in Your Privacy Notice

Your privacy notice is the primary mechanism through which you specify your purposes. This means your notice must:

Name the purpose, not just the category of data. "We process contact information" is a data category, not a purpose. "We use your email address to send order confirmations, account notifications, and — where you have opted in — our monthly newsletter" is a purpose statement.

Link each purpose to a legal basis. For each processing activity, your notice should state why you're processing (the purpose) and under what authority (the legal basis). These two things must match. Marketing emails require consent. Order confirmations can rely on contract performance.

Cover all the purposes you actually use data for. If your CRM also passes customer data to a retargeting platform, that's a purpose. If your analytics tool fingerprints visitors, that's a purpose. Your notice needs to cover the reality of your data processing, not just the polite version.

If you haven't audited what your website actually does with visitor data, you can't write an accurate privacy notice. Start at https://app.custodia-privacy.com/scan — a free scan will surface the trackers, cookies, and data flows your notice should be describing.


The Five Factors for Assessing Compatibility (Article 6(4) and Recital 50)

When you want to use data for a new purpose, GDPR doesn't automatically prohibit it, but it requires you to assess whether the new use is compatible with the original purpose. Article 6(4)(a) to (e) lists the five factors that assessment must take into account, and Recital 50 explains how to read them:

1. The link between the original and new purposes. How closely related are they? Using order data to process a return is clearly linked. Using order data to build a behavioral profile for advertising is not.

2. The context in which the data was collected. What would the data subject reasonably expect? A customer who bought a product from you would expect you to use their data to handle the transaction. They would not expect their purchase history to be sold to a data broker.

3. The nature of the personal data. Sensitive data (health, biometric, political views) gets stricter scrutiny. The potential for harm from secondary use is higher, so the compatibility bar is higher.

4. The possible consequences of the intended further processing. What's the impact on the data subject? Processing that could lead to discrimination, financial harm, or reputational damage is much harder to justify as compatible.

5. The existence of appropriate safeguards. Encryption, pseudonymisation, and access controls don't make an incompatible purpose compatible — but they're relevant to the risk assessment when the question is genuinely close.

If your compatibility assessment concludes that the new purpose is incompatible, you cannot proceed on the strength of the original collection. Under Article 6(4) that leaves consent for the new purpose or a Union or Member State law that authorises it; for most secondary marketing uses, that means obtaining specific consent for the new purpose.


Common Purpose Limitation Violations

Email collected for transactional use, repurposed for marketing

A customer completes a purchase. You have their email. Your email platform adds them to the newsletter list by default. This is the textbook purpose limitation violation — and it's been the subject of enforcement actions across multiple EU member states.

The fix: segment your lists. Transactional emails (confirmations, receipts, shipping updates) can rely on contract performance. Marketing emails require separate, explicit opt-in consent. One caveat a practitioner should know: the ePrivacy rules (Article 13(2) of the ePrivacy Directive, regulation 22(3) of PECR in the UK) allow a narrow "soft opt-in" for marketing similar products to existing customers, provided the customer was told at collection and given an easy way to refuse, and every message carries an opt-out. That exception only works if you disclosed the marketing purpose at the point of sale; silently adding purchasers to the newsletter list does not qualify.

Analytics data used for profiling

You installed Google Analytics to understand traffic. Someone in the data team exports a dataset of user behaviour and uses it to build a predictive churn model. The original purpose was aggregate analytics; the new purpose is individual profiling. These are not compatible without disclosure and a valid legal basis.

Job application data reused for future roles

An applicant applies for a position. The role is filled. Two years later, a similar position opens and HR pulls the candidate's details from the original application. The applicant provided their data for a specific role in a specific hiring round, not to be retained indefinitely for future consideration. Many organisations ask for explicit consent to keep applications on file for future roles at application stage, and set a retention period for it; many don't.

Customer data shared with acquisition targets

A company goes through an M&A process. Customer data is shared with the acquiring company during due diligence or transferred post-acquisition. If the acquiring company uses that data for purposes incompatible with the original processing (or without informing affected customers), this is a violation. The ICO has specifically highlighted this risk in acquisition scenarios.

Retargeting without disclosure

You collect analytics data. A pixel on your site sends that data to an advertising platform that uses it to show your ads to the same users on other websites. If your privacy notice says you collect analytics data for "improving the website," retargeting is not a compatible purpose. It requires specific disclosure and consent.


Purpose Limitation and Data Minimisation: The Relationship

Purpose limitation and data minimisation (Article 5(1)(c)) are closely linked. Data minimisation says you should only collect data that is "adequate, relevant and limited to what is necessary in relation to the purposes." Purpose limitation says you should only use data for the purposes you collected it for.

Together, they create a discipline that most organisations don't naturally follow. The commercial instinct is to collect as much data as possible and find uses for it later. GDPR requires the opposite: decide what you need, explain why, collect that, and stop.

If you find yourself doing a compatibility assessment because you've found a new use for data you've already collected, that's often a sign that the original data collection was over-broad. The right approach is to collect only what you need for clearly defined purposes from the start.


Secondary Use for AI and Machine Learning Training

This is a significant and rapidly developing area of GDPR enforcement.

Many organisations are using customer data, interaction logs, and historical records to train internal AI models or fine-tune commercial foundation models. The question is whether this constitutes a purpose that is compatible with the purposes for which the data was originally collected.

In most cases, it isn't. A customer who provided their data to receive a service did not consent to that data being used to train an AI system — even if that system will eventually serve them better. The ICO and several European DPAs have taken a clear position: using personal data for AI training requires either a compatible purpose (rare), explicit consent (operationally complex), or a compelling legitimate interest that survives a balancing test (difficult to demonstrate when the data subject had no reason to expect this use).

If you're using customer data to train or fine-tune AI models, you should:

  • Conduct a Data Protection Impact Assessment (DPIA)
  • Assess compatibility explicitly against the Recital 50 factors
  • Consider whether anonymisation or pseudonymisation can eliminate or reduce the personal data component
  • Update your privacy notice if you proceed
  • Document your reasoning

The ICO published specific guidance on generative AI and data protection in 2024; it's worth reviewing before any AI training project involving customer data.


How to Document Your Purposes

Your purposes should be documented in two places: your privacy notice (for data subjects) and your Record of Processing Activities (ROPA, required under Article 30 for most organisations).

For each processing activity, document:

  • What data you're processing
  • For what purpose (specific and explicit)
  • The legal basis (and, where applicable, the legitimate interests assessment)
  • Who has access (internal teams, third-party processors)
  • Retention period (linked to the purpose — when the purpose ends, the data should be deleted or anonymised)

When you add a new processing activity or consider a secondary use, add it to the ROPA and update the privacy notice before you start — not after.


The Further Processing Assessment

Before using personal data for a new purpose, conduct and document a further processing assessment. This should answer:

  1. What is the new purpose?
  2. What was the original purpose?
  3. What is the link between them?
  4. What would a reasonable data subject have expected?
  5. Is the data sensitive or high-risk?
  6. What are the potential consequences for data subjects?
  7. What safeguards are in place?
  8. Based on all of the above, is the new purpose compatible?

If the answer is yes: document it, update your privacy notice (Articles 13(3) and 14(4) require you to tell data subjects about the new purpose before the further processing starts), and proceed.

If the answer is no: you cannot rely on the original collection. For most secondary marketing, profiling, or AI training uses, that means obtaining specific consent from the affected data subjects for the new purpose. If you can't obtain consent and no law authorises the further processing, you can't proceed.

Document this assessment and keep it on file. If a regulator asks why you used data in a particular way, your documented assessment is your evidence that you took the question seriously.


A Practical Audit for Purpose Limitation Drift

Purpose limitation drift — where data gradually gets used for more things than it was collected for — is common. Here's a practical audit to identify it in your systems:

Step 1: Map your data flows. For each system that holds personal data (CRM, email platform, analytics, support tool, HR system), list what data it holds and where it came from.

Step 2: For each dataset, identify the collection purpose. What did you tell data subjects you were collecting this data for? Check the privacy notice that was in place at the time of collection.

Step 3: List all current uses. How is this data actually being used today? Who accesses it? Does it flow to third parties?

Step 4: Compare. Are any current uses going beyond the stated collection purpose? Pay particular attention to: marketing lists, analytics exports, retargeting pixels, API integrations, and AI/ML projects.

Step 5: For each discrepancy, assess compatibility. Use the Recital 50 framework. Is the new use compatible? Or does it require a fresh legal basis?

Step 6: Remediate. Either stop the incompatible processing, obtain fresh consent for the new purpose, or (in rare cases) identify a Union or Member State law that authorises the further processing. Update your privacy notice and ROPA to reflect your actual processing.
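Steps 1 to 5 of this audit, together with the ROPA fields listed under "How to Document Your Purposes", can be run as a mechanical drift check once the inventory exists. The script below is an added example written for this post, not code from the original article or from Custodia. It models each ROPA entry as the purposes and recipients the privacy notice declared at collection, each observed consumer of a dataset as a use, and each written Article 6(4) assessment as a record; it then flags every use whose purpose was not declared and has no documented compatibility assessment, every third-party destination the notice does not name, and every dataset in use with no ROPA record. All datasets, systems, purposes and the assessment reference are constructed for illustration.

```python
"""Purpose-limitation drift check: observed data uses vs. declared ROPA.

Added example for this post; every dataset, system, purpose and
assessment reference below is constructed, not taken from a real ROPA.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class RopaEntry:
    """One Record of Processing Activities line: what the privacy notice
    told data subjects when this dataset was collected."""
    dataset: str
    purposes: FrozenSet[str]          # purposes named in the notice
    legal_basis: Dict[str, str]       # purpose -> Article 6 basis
    retention_days: int
    recipients: FrozenSet[str] = frozenset()  # third parties the notice names


@dataclass(frozen=True)
class ObservedUse:
    """One current consumer of a dataset (audit Step 3)."""
    system: str
    dataset: str
    purpose: str
    third_party: Optional[str] = None   # set when data leaves the organisation


@dataclass(frozen=True)
class CompatibilityAssessment:
    """A written Article 6(4) / Recital 50 assessment on file concluding
    that new_purpose is compatible with original_purpose."""
    dataset: str
    original_purpose: str
    new_purpose: str
    reference: str                      # where the document lives


def find_drift(ropa: List[RopaEntry], uses: List[ObservedUse],
               assessments: List[CompatibilityAssessment]) -> List[dict]:
    """Audit Step 4: compare every observed use with the declared purposes.

    Returns one finding per problem, with 'kind' in:
      undeclared_purpose     use not in the notice and no assessment on file
      compatible_further_use allowed only because a written assessment exists
      undisclosed_recipient  data sent to a third party the notice never named
      no_ropa_entry          dataset is in use but has no ROPA record at all
    A use that matches a declared purpose and recipient yields no finding.
    """
    by_dataset = {e.dataset: e for e in ropa}
    on_file = {(a.dataset, a.new_purpose): a for a in assessments}
    findings: List[dict] = []
    for use in uses:
        base = {"system": use.system, "dataset": use.dataset,
                "purpose": use.purpose}
        entry = by_dataset.get(use.dataset)
        if entry is None:
            findings.append({"kind": "no_ropa_entry", **base})
            continue
        if use.purpose not in entry.purposes:
            assessment = on_file.get((use.dataset, use.purpose))
            # An assessment only counts if it links back to a purpose that
            # was actually declared at collection.
            if assessment and assessment.original_purpose in entry.purposes:
                findings.append({"kind": "compatible_further_use", **base,
                                 "assessment": assessment.reference})
            else:
                findings.append({"kind": "undeclared_purpose", **base,
                                 "declared": sorted(entry.purposes)})
        if use.third_party and use.third_party not in entry.recipients:
            findings.append({"kind": "undisclosed_recipient", **base,
                             "recipient": use.third_party})
    return findings


def run_sample() -> List[dict]:
    """Constructed inventory covering the violations discussed in the post."""
    ropa = [
        RopaEntry("customer_email",
                  frozenset({"order_confirmation", "shipping_notification"}),
                  {"order_confirmation": "contract",
                   "shipping_notification": "contract"},
                  retention_days=730, recipients=frozenset({"carrier-api"})),
        RopaEntry("web_analytics", frozenset({"site_analytics"}),
                  {"site_analytics": "consent"}, retention_days=395,
                  recipients=frozenset({"analytics-vendor"})),
    ]
    uses = [
        ObservedUse("checkout-service", "customer_email", "order_confirmation"),
        ObservedUse("newsletter-tool", "customer_email", "marketing_newsletter"),
        ObservedUse("returns-service", "customer_email", "returns_handling"),
        ObservedUse("analytics-export", "web_analytics", "site_analytics",
                    third_party="analytics-vendor"),
        ObservedUse("ad-pixel", "web_analytics", "retargeting",
                    third_party="ad-network"),
        ObservedUse("churn-model", "web_analytics", "individual_profiling"),
        ObservedUse("hr-ats", "applicant_cv", "future_role_matching"),
    ]
    assessments = [  # reference is a constructed placeholder
        CompatibilityAssessment("customer_email", "order_confirmation",
                                "returns_handling", reference="FPA-0001"),
    ]
    return find_drift(ropa, uses, assessments)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The returns service is the one case that passes only because an assessment is on file, which is exactly the record a regulator will ask for. Everything flagged as `undeclared_purpose` or `undisclosed_recipient` maps to Step 5 (assess compatibility) and Step 6 (stop, consent, or disclose), and `no_ropa_entry` means Step 1 is incomplete before any compatibility question can be asked.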

If you're not sure where to start, a website scan will surface the third-party data flows that are easiest to miss — the analytics tags, advertising pixels, and session recording tools that may be sending visitor data to destinations not covered by your privacy notice. Run a free scan at https://app.custodia-privacy.com/scan.


Summary

Purpose limitation is not a technical requirement. It's a discipline — the discipline of deciding what you need data for before you collect it, explaining that clearly to the people whose data it is, and staying within those boundaries.

The violations are usually not intentional. They happen because marketing needs a list, because a data team sees an opportunity, because a legacy system was set up before anyone thought carefully about data governance. The Recital 50 framework exists precisely because the GDPR recognises that secondary use isn't always wrong — but it requires a conscious decision, not a convenient assumption.

Document your purposes. Conduct compatibility assessments before secondary use. Update your privacy notice when you add new processing activities. And audit regularly for drift.


Last updated: March 27, 2026. This post provides general educational information about GDPR purpose limitation under Article 5(1)(b). It does not constitute legal advice. Requirements may vary based on jurisdiction, sector, and specific processing activities — consult a qualified data protection professional for advice tailored to your circumstances.
