
Purpose Limitation

GDPR

GDPR Art. 5(1)(b): personal data must be collected for specified, explicit, legitimate purposes and not further processed incompatibly.

Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Further processing for archiving in the public interest, scientific/historical research, or statistical purposes is not considered incompatible (Art. 5(1)(b)).

Why it matters
Reusing customer data to train ML models is the modern flashpoint: most original consents and lawful bases don't cover it, which triggers a DPIA and fresh consent.

Related terms

Data Minimisation
GDPR Art. 5(1)(c) principle: personal data must be adequate, relevant, and limited to what is necessary.
Lawful Basis (Legal Basis for Processing)
One of six GDPR Art. 6 grounds that must apply for personal data processing to be lawful.
Consent (GDPR)
Freely given, specific, informed, unambiguous indication by the data subject — must be as easy to withdraw as to give.
