A processing activity is conceived by determining its purposes. This sets the objective of what the processing activity should achieve. This specification of “what” has to be done is still relatively abstract and lacks any detail of “how” this objective is reached. The “how” is subject to the determination of the means.
Purposes are typically determined by the top management that represents and is responsible for an organization (or organizational unit). Purposes are typically expressed in the same language in which the mission or mandate of the organization are expressed. This means, they come from the “application domain” and lack any technical content. A purpose specification falls short of determining technical decisions such as what resources (i.e., means) are needed for achieving the objectives, what data has to be collected, etc. In fact, a purpose specification can be implemented in many different ways. The objective of the determination of the means is then to find the best implementation from a data protection point of view.
According to Art. 5(1)(a) GDPR, purposes must be “specified [and] explicit”. This means that they must be captured in a precise written form.
The determination of the purposes of processing is typically an iterative process. Starting with the main purpose(s), the specification is continuously completed and refined until it results in a final version. Each version has to be assessed, taking into account the data protection principles, the reasonable expectations of data subjects, and the overall risk the processing is likely to pose. Based on this assessment, improvements are made to the purpose specification which improve the observance of principles, are more balanced with the expectations of data subjects, and keep the need/benefit of the processing in balance with the risk it poses to data subjects. The iterations can be seen as a process to find the minimal impact on the rights and freedoms of data subjects while still achieving the essential objectives of the organization. Typically, in every integration, the purpose specification becomes more focused, narrower, and specific and imposes a lower impact on data subjects.
This process is visualized in Figure 2.
Figure 2: The process of purpose specification.
Data protection by design applies the principles of data protection to every step of determination. While some of the data protection principles are better applicable to means of processing, legitimacy, lawfulness, and fairness are directly applicable to purposes. Indirectly, also data minimization is applicable in the sense that the impact of the processing on data subjects should be minimized. This then typically results in a minimization of data that is collected about data subjects. Note also that purpose limitation during the determination of the means is only meaningful if the purposes are specified narrowly; only then it can be precisely determined whether data or processing steps are indeed necessary for the purposes. The main principles are discussed in further detail in the following.
According to Art. 6 GDPR, processing is lawful if one of the legal bases described in its paragraph 1 apply. Art. 9 GDPR adds additional requirements for special categories of data. To comply with the principle of lawfulness, the controller must choose a legal basis from Art. 6 and possibly 9 GDPR for every single purpose that is pursued by the processing activity.
Note that it is common that a processing activity pursues a multitude of purposes that use different legal bases. An illustration of this using the example of online shopping was described by Bruegger et. al.
While lawfulness is concerned with Art. 6 and 9 of the GDPR, legitimacy requires to follow the law in the broadest sense. It is thus not limited to the GDPR but extends to any other applicable law. Arguably, laws should not only be followed by the letter but also in spirit. In many situations, legitimacy may also be interpreted to include soft law such as commonly used ethics requirements and professional standards. It may even extend to protect the values of society at large.
The assessment of the legitimacy of purposes depends largely on the nature, scope and context of the processing. In some cases, compliance with legitimacy may require formal steps. This is for example typical in research organization where a processing activity has to be preventively approved by a research ethics committee.
A key element of fairness is to take the reasonable expectations and situations of data subjects into account. The interests of the controller, as expressed in the purpose specification, are then balanced with those of data subjects. The impact on the rights and freedoms of data subjects should be justified with an according level of necessity and potential benefits to the controller.
The assessment of the fairness of purposes typically requires assessing the expectations of data subjects. There are various ways of doing this, including just “putting oneself in the position of data subjects” up to involving consumer organizations or conducting surveys.
To assess the expectations of data subjects, it is often useful to distinguish different personae that represent different types and situations of data subjects. These should also include particularly vulnerable data subjects (such as minors or patients), or groups of data subjects who may be impacted much more significantly by the processing than the average.
The balancing must consider the risks that the processing activity represents for the rights and freedoms of data subjects. An quick overall assessment of the risk is provided by the Article 29 Data Protection Working Party’s 9 criteria whether a processing activity results in high risk (and therefore requires a data protection impact assessment). This should be complemented by an analysis of how special categories of data subjects and vulnerable data subjects are affected by the planned processing activity.
Note that a balancing test is formally required where the legal basis of legitimate interest (see Art. 6(1)(f) GDPR) was chosen for a given purpose. Guidance on how to conduct a balancing test in this context was provided by the Article 29 Data Protection Working Party(see the “Legitimate interest and balancing test” subsection in the “Main Tools and Actions” section in the general part of these Guidelines):. In a more general setting, the EDPS has provided guidelines on proportionality.
1Bud P. Bruegger, Eva Schlehahn and Harald Zwingelberg, Data Protection Aspects of Online Shopping – A Use Case, W3C Data Privacy Vocabularies and Controls Community Group, December 12, 2019, https://www.w3.org/community/dpvcg/2019/12/12/data-protection-aspects-of-online-shopping-a-use-case/ (last visited 15/7/2021). ↑
2See pages 9 – 11 in Article 29 Data Protection Working Party, WP 248rev.01, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, Adopted on 4 April 2017,As last Revised and Adopted on 4 October2017, https://ec.europa.eu/newsroom/article29/items/611236 (last visited 15/7/2021). ↑
3in Article 29 Data Protection Working Party, WP217, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, Adopted on 9 April 2014, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf (last visited 15/7/2021). ↑
4European Data Protection Supervisor, EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data, 19 December 2019, https://edps.europa.eu/data-protection/our-work/publications/guidelines/assessing-proportionality-measures-limit_en (last visited 15/7/2021). ↑