According to art. 5.1(b) of the GDPR, personal data shall be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes." This means that the data controller must know the purpose of a given data collection activity from the outset, and cannot process personal data if it is not sure about the implications and the extent of the data processing.
Once the controller has its "specific and explicit" purpose of processing for a given set of data, and processing of that data is later planned for a different purpose, it shall make sure the new processing is not incompatible with the original one. Opinion 03/2013 on purpose limitation, an old but still relevant opinion, provides an understanding of "compatibility." A key element is that "rather than imposing a requirement of compatibility, the legislator chose a double negation: it prohibited incompatibility. By providing that any further processing is authorised as long as it is not incompatible (and if the requirements of lawfulness are simultaneously also fulfilled), it would appear that the legislators intended to give some flexibility with regard to further use. Such further use may fit closely with the initial purpose or be different. The fact that the further processing is for a different purpose does not necessarily mean that it is automatically incompatible: this needs to be assessed on a case-by-case basis."
This is also connected to other principles of processing. For instance, if data subject X was informed years ago of certain purposes of processing, X has expectations about it. Perhaps, had X known that the personal data were to be processed for the "new" data processing activities, X would not have provided the personal data in the first place (or would have objected). In this example, a new data processing operation would not be aligned with X's expectations, and may not respect the information and transparency principles.
Another principle would be "lawfulness of the processing." If a data controller has processed personal data grounded on a legal basis (art. 6 GDPR), then as long as the new data processing operation is compatible, it can be grounded on the same initial legal basis. This is something extremely positive, as the data controller will not need to apply a different legal basis, which sometimes is a burdensome task. Therefore, in this scenario what matters (mainly) is the data processing being compatible, not finding a legal basis of processing. However, according to recital (50) of the GDPR, the data controller shall have "met all the requirements for the lawfulness of the original processing."
The Article 29 Working Party sets out that purpose specification and the concept of compatible use contribute to transparency, legal certainty and predictability; they aim to protect the data subject by setting limits on how controllers are able to use their data and reinforce the fairness of the processing. The limitation should, for example, prevent the use of individuals' personal data in a way (or for further purposes) that they might find unexpected, inappropriate or otherwise objectionable.
How to Ensure Compatibility
Art. 6.4 GDPR requires data controllers to carry out a compatibility test. However, on some occasions the data controller is directly allowed to process the data for the new purpose (without a compatibility test):
- Where the new data processing operation is based on consent, the data controller is allowed to process the personal data regardless of whether the data processing activity is incompatible with the original one. The data subject has given the green light, so the controller is fine. On the other hand, if the new data processing operation does not fit within the initial consent statement, the data controller shall consider asking for new consent for the new data processing activity.
- Where the new data processing operation is based on a legal obligation (under art. 23 GDPR), the data controller is allowed to process the personal data regardless of whether the data processing activity is incompatible. The legal obligation is "enough", so no compatibility test is needed. On the other hand, if personal data was initially collected to comply with a legal obligation, any further different processing may be problematic. In this sense, in a very recent legal report, the Spanish Data Protection Agency has interpreted that, where data was processed to comply with a legal obligation in the first place, the data subject could not have any power of decision about it. It could not consent, object or even comment on it. Therefore, compatible use of the same data for another data processing operation may be problematic.
And what happens if the new data processing activity is not based on consent or a legal obligation? The situation may change in the future, but for now there is a requirement to carry out a "compatibility test" if the data controller intends to process personal data for new purposes.
The Heart of Compatibility: Compatibility Test
How is a compatibility test carried out in practice? Art. 6.4 GDPR states that in order to assess whether a data processing operation is compatible with a previous one, the data controller shall assess:
"any link between the purposes for which the personal data have been collected and the purposes of the intended further processing"
According to Opinion 03/2013, this factor may cover situations where the further processing was already more or less implied in the initial purposes, or assumed as a logical next step in the processing according to those purposes, as well as situations where there is only a partial or even non-existent link with the original purposes. In any case, the greater the distance between the purposes of collection and the purposes of further processing, the more problematic this would be for the compatibility assessment.
"the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller"
According to Opinion 03/2013, the point here is what a reasonable person in the data subject's situation would expect his or her data to be used for based on the context of the collection. In general, the more unexpected or surprising the further use is, the more likely it is that it would be considered incompatible. In general, the compatibility assessment will need to be more stringent if the data subject was not given sufficient freedom of choice and/or if the further use is considered objectionable.
"the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;"
According to Opinion 03/2013, the nature of the data processed plays a critical role in all its provisions. It would therefore be important to evaluate whether the further processing involves sensitive data. In general, the more sensitive the information involved, the narrower the scope for compatible use would be.
"the possible consequences of the intended further processing for data subjects"
According to Opinion 03/2013, in assessing the impact of the further processing, both positive and negative consequences should be taken into account. These may include potential future decisions or actions by third parties, and situations where the processing may lead to the exclusion or discrimination of individuals. In addition to adverse outcomes that can be specifically foreseen, emotional impacts also need to be taken into account, such as the irritation, fear and distress that may result from a data subject losing control over personal information, or realising that it has been compromised.
"the existence of appropriate safeguards, which may include encryption or pseudonymisation"
According to Opinion 03/2013, this might require technical and/or organisational measures to ensure functional separation (such as partial or full anonymisation, pseudonymisation, and aggregation of data), but also additional steps taken for the benefit of the data subjects, such as increased transparency, with the possibility to object or provide specific consent. If the purposes have changed or have not been specified clearly, a first necessary (but not always sufficient) condition towards ensuring compatibility is to re-specify the purposes. Often it is also necessary to provide additional notice to the data subjects.
It should be noted that all these criteria shall be considered as a whole. They should be assessed on a case-by-case basis, because in each specific scenario any of them may be more relevant.
Further processing for historical, statistical or scientific purposes
There are certain purposes of processing that are deemed compatible by law, and therefore do not require the assessment of art. 6.4 GDPR. The GDPR considers that, in the field of research, researchers shall have the right to use the data without this burdensome obligation. Besides, on many occasions the purpose of processing may not be compatible, but it is nevertheless good for society and its objectives override data subjects' rights.
However, in order to receive this protection under the GDPR, these purposes of processing need to have a specific legal ground under European Union or member state law. This legal ground will need to specify the limits and the appropriate safeguards for data subjects.
Consequences of incompatibility
According to Opinion 03/2013, the processing of personal data in a way incompatible with the purposes specified at collection is unlawful and therefore not permitted. In other words, the data controller cannot simply consider the further processing as a new processing activity disconnected from the previous one and circumvent this prohibition by using one of the legal grounds in art. 6 GDPR to legitimise the processing. Legalising an otherwise incompatible data processing activity simply by changing the terms of a contract with the data subject, or by identifying an additional legitimate interest of the controller, would go against the spirit of the purpose limitation principle and remove its substance.
- If you have projects involving personal data, you should always ask yourself whether the data processing is compatible or incompatible;
- Compatibility shall always be part of the assessment of lawfulness of a data processing, especially taking into account that European supervisory authorities are taking this topic very seriously;
- In the event the new processing requires a compatibility test, make sure you document the whole assessment, both to protect data subjects' right to data protection and for accountability purposes; and
- You should always count on privacy professionals to provide assistance, as this kind of assessment may require careful attention.
Authored by Juan Ramón Robles.