The purpose limitation principle (see the “Purpose limitation” section within “Principles”, Part II of these Guidelines) requires that personal data collected and processed in the context of IoT are processed only for the purpose for which the data were collected.
In addition to that, purposes need to be specified. That is, a wide and open wording that does not allow an average person to understand all and every purpose of the data, will fall out of the law.
The main problem is that IoT systems often collect vast amounts of data for vague or broadly defined purposes. As Watcher stated, “sensor fusion or the linkage of existing but previously unconnected datasets, can offer new opportunities for data analytics that were not envisioned when the data were collected. Invasive and unpredictable inferential profiling is enabled by identification services that link devices and the data they collect.”  As a consequence, controllers might produce inferred data about the data subject that are not related to the purposes for which the data was originally collected and to which the data subject never consented. Furthermore, data subjects might not even be aware of such processing. Worse enough, it might happen that data are processed by third parties for other purposes to which the data subject never gave consent.
In order to avoid such scenario, controllers should implement tools able to ensure that processing only takes place if a legal basis applies. The utility of stored data for the intended purpose of a particular product or service will need to be periodically reassessed to avoid unlawful data processing.
1Wachter, Sandra (2018). The GDPR and the Internet of Things: a three-step transparency model. Law, Innovation and Technology, 1–29. doi:10.1080/17579961.2018.1527479 . ↑