The purpose or purposes of data processing must always be defined before data processing begins (principle of purpose limitation). This is intended to ensure that all data processing is subject to justification and that the necessity of certain data processing has a clear reference point - i.e. the respective purpose.

Nevertheless, the GDPR recognises that there are situations in which a change of purpose is legitimate, i.e. the data may be used for another purpose. This is the case if the following criteria are met:

• close content-related connection between the old and the newly added purpose
• against the background of the data collection context, a change of purpose is not far-fetched from the data subject's perspective
• criticality of the data (e.g. no processing of data in accordance with Art. 9 or 10 GDPR)
• no negative consequences for the person concerned
• existence of protective measures such as encryption or pseudonymisation of the data.

An example of such a legitimate change of purpose could be that data (e.g. location data), which must be collected anyway in order to provide a service requested by the person, is also used to make it easier for the person to find this service.

In some cases, however, a change of purpose could contradict the so-called privacy by default principle, according to which the person and not the company should authorise the extended use of the data.

If a change of purpose is to be made, the person concerned must be informed in advance.