The purpose or purposes of data processing must always be defined before data processing begins (principle of purpose limitation). This is to ensure that data processing is not carried out indiscriminately and that the necessity of certain data processing to be specified (principle of necessity) has a clear reference point - i.e. the respective purpose.

Nevertheless, the GDPR recognises that there are situations in which a change of purpose is legitimate, i.e. the data may be used for another purpose. This is the case if the following criteria are met:

• close content-related connection between the old and the newly added purpose
• against the background of the data collection context, a change of purpose is not far-fetched from the data subject's perspective
• criticality of the data (e.g. no processing of particularly sensitive data in accordance with Art. 9 or 10 GDPR)
• no negative consequences for the person concerned
• existence of protective measures such as encryption or pseudonymisation of the data.

An example of such a legitimate change of purpose could be that data (e.g. location data), which must be collected anyway in order to provide a service requested by the person (e.g. renting a rental car), is also used to send the person location-based special offers for this service.

In some cases, however, a change of purpose could contradict the so-called privacy by default principle, according to which the person and not the company should authorise the extended use of the data.

If a change of purpose is to be made, the person concerned must be informed in advance.