Purpose limitation is one of the fundamental principles of data protection enshrined in Article 5(1)(b) of the GDPR. It requires that personal data must be collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those original purposes. This principle ensures that organisations are transparent about why they collect data and do not repurpose it without appropriate legal basis.
Applying purpose limitation in practice requires organisations to clearly define and document the purpose of each processing activity at the time of data collection, communicate these purposes to data subjects through privacy notices, and evaluate compatibility before using data for any new purpose. The GDPR provides criteria for assessing compatibility, including the relationship between purposes, the context of collection, the nature of the data, and the possible consequences for data subjects.