The purpose limitation principle (see the “Purpose limitation” subsection in the Main Principles section of these Guidelines) requires that personal data collected are processed only for the purpose for which they weregathered. Purpose limitation is a key concept when processing data obtained from social networks and most platforms include it in their Developer Policies. Researchers and innovators shall strictly follow such policies. On the other hand, it is often true that data subjects are not truly aware of the permissions they provide the social networks for the processing. This is a particularly important reason why controllers using those data should not process the data for purposes that could be considered as incompatible with the initial consent.

Thus, controllers should implement tools able to ensure that processing does not take place if the data subjects do not provide their consent, unless an alternative legal basis allows for the processing (see the “Lawfulness, fairness and Transparency” subsection of the Main Principles section of the General Part of these Guidelines). The utility of stored data for the intended purpose of research will need to be periodically reassessed to avoid unlawful data processing.

It should be noted that when data are used for reasons of public interest or for research, archiving or statistical purposes, these derived uses will not be considered incompatible with the initial purposes, as long as they are properly pseudonymized, whenever that further processing of such data does not allow re-identification of the data subjects (Art. 5.1.b& 89.1 GDPR) (see the “Consider if the regulatory framework regarding scientific research applies to the activity” section of the Guidelines).