The latest Council version of the European General Data Protection Regulation (GDPR) provides that personal data may be further processed by the same data controller even if the further purpose is incompatible with the original purpose “if the legitimate interests of that controller or a third party override the interests of the data subject.” The Article 29 Working Party (WP29) and a large number of non-governmental organisations have expressed concerns that this would render the fundamental principle of purpose limitation meaningless and void.
Is this indeed correct? We do not think so.
Originally published on IAPP’s Privacy Perspectives on June 2, 2015.
Please see full publication below for more information.