Principle 9: Compatible Purposes
Stick to the Purpose
Any company that collects and uses personal data should be accountable to its data subjects and the society around it. But what does it mean to be accountable in a data context?
Data analytics makes it possible to extract new knowledge from a given data set. This means that when a person, called Smith, gives a company access to his data, the company may be able to extract new knowledge from this data, even knowledge that Smith didn’t know could be extracted from the data.
According to the Principle of Consent (and the GDPR), a company should get consent from Smith every time it uses the obtained data for a new purpose, unless Smith has explicitly given consent for this purpose. This also applies when the company processes data.
The best way to comply with this is to consider the purpose of the data processing every time data is processed. If the purpose is not the same as the purpose for which you collected the data in the first place, that is a good sign that you should stop and consider whether you need new consent.
Here, the Principle of Compatible Purposes resembles the idea in the GDPR’s Article 5.2: “… collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…” (GDPR Article 5.2).
Let’s look at an example to see the practical implications of this.
Smith is a user of a social media company. Smith gave consent to the company collecting certain personal data for the purpose of targeted marketing. Jones works as a data analyst at the company. He discovers that the users’ data can be utilized to determine their political preferences. Jones starts employing data analytics on all users’ data, including Smith’s, and now the company holds precise political profiles of all their users.
Here, the company should inform Smith about the change in purpose and ask for new consent. After all, he never knew that his consent implied that the company would create a political profile of him.
Complying with the Principle of Compatible Purposes
It can be very hard to determine whether two purposes are compatible. In order to be on the safe side, it’s a good idea to get new consent from the data subject whenever the purpose of data processing is not exactly the same as the purpose for collecting the data.
At Seluxit, we try our best to inform the data subjects and collect new consent every time the purpose of processing their data changes. We also strongly encourage our customers to do the same.
The purpose of processing data should be compatible with the purpose of collecting the data.