In this blog I touch upon the conceptual gap related to the purpose limitation principle. In the GDPR, this principle requires that the purpose be defined in relation to the data collection and does not allow further use incompatible with that purpose, but the provision says nothing about processing in line with the defined purpose. It was not always like that.
Article 5(1)(b) GDPR on the purpose limitation principle states that personal data must be “collected for specified, explicit and legitimate purposes.” So, purpose specification is linked to the act of collection. This creates a conceptual gap, for it does not explicitly refer to the purpose of processing as such. Surprisingly, controllers are defined (cf. Article 4(7) GDPR) as those that determine the purpose of the processing.
The focus on collection dates back to the 1970s, 1980s and 1990s, when, to obtain personal data, controllers predominantly had to collect it from the data subjects, and the amount of data was limited. You were asked to provide your name, address, telephone number, etc. Presently, and also before the GDPR was finalized, much personal data is not “collected” but automatically generated, observed, or derived: for behavioural data, metadata, and algorithmic inferences the act of “collection” is not always central. As a funny side note, if you receive a bunch of data unsolicited, you did not collect them, so purpose limitation cannot be applied. The above argument that collection as such is less relevant these days has been made before. My point is that the focus should not be on collecting and further use, because based on the letter of the law as such, all other processing is not covered by the purpose limitation principle.
WP29 (Opinion 03/2013 on purpose limitation, p. 11) does explicitly link collection to processing: “Data are collected for certain aims; these aims are the ‘raison d’être’ of the processing operations.” Leaving aside that data can be generated, and are not necessarily collected, the question remains why purpose limitation does not refer to the purpose of processing (including collection) instead of a purpose just related to the collection.
It has not always been like that. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data articulate the principle more completely: purposes must be specified not later than at the time of collection, and the subsequent use limited to the fulfilment of those purposes. This formulation closes the conceptual gap. It not only requires specification but also expressly ties all subsequent use to the fulfilment of the defined purposes, making the limiting function explicit. The collection, therefore, becomes the ultimate moment at which the purposes must be defined, but not the type of processing to which all purposes should refer.
This was also how the first draft of the predecessor of the GDPR (Directive 95/46) framed it initially:
The distinction between collection and storing is archaic, but what it does correctly is to state explicitly that the data should be used in a way compatible with the purpose. Unfortunately, this initial draft was modified by subsequent amendments, and the definitive text of the Data Protection Directive did not use this language. This is how the principle was formulated in the definitive version of the Data Protection Directive:
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
The GDPR contains the same formulation; there is just a reference to the purpose of the collection and further processing. No reference is made to processing in line with the defined purpose; that part is missing from the GDPR too.
Maybe the EU can redraft Article 6(1)(b) in its Digital omnibus, which already includes another amendment by adding an explicit reference to “the conditions of Article 6(4) of this Regulation.” (Digital omnibus, Brussels, 19.11.2025, COM(2025) 837 final, p. 55). Here is how Article 5(1)(b) could be amended:
Personal data are processed for specified, explicit and legitimate purposes. They may not be further processed in a manner that is incompatible with those purposes.
Any input on the above is very welcome. Also, if you know any sources addressing this specific point (the conceptual gap), let me know. I might have overlooked it, but I did not find it addressed in, e.g., Lee A. Bygrave (2014), Data Privacy Law. An International Perspective; Orla Lynskey (2015), The Foundations of EU Data Protection Law, Oxford University Press; Christopher A. Docksey et al. (2020), The EU General Data Protection Regulation (GDPR). A Commentary, Oxford University Press. (Just a coincidence they are all OUP, I guess.)
Thanks to Silvia De Conca, Tijmen Wisman, and Eline Leijten for valuable discussions.
