In principle, the GDPR forbids the processing of personal data, unless it is conducted for legitimate and lawful purposes.
A purpose describes a concrete objective that shall be reached by the processing.
Legitimate means compliance with the letter of the law (not limited to the GDPR), the spirit of the law (e.g., without exploiting legal loopholes), the values of society (as for example expressed in the European Charter of Fundamental Rights), and the principles of ethics. In certain areas of research, compliance with ethics may be verified in formal procedures such as approval by a research ethics committee.
Lawfulness is defined in Article 6 GDPR. In particular, for processing to be lawful, its purposes must fall into one of six foreseen categories, each of which is called a legal basis. Controllers are only allowed to process personal data if they can present a valid legal basis.
In terms of the problem addressed by data protection, this means that gaining power over individuals is permitted only when it serves legitimate purposes of the kinds foreseen in the GDPR.
1. See Article 5(1)(a) and (b) GDPR.
2. See Article 6(1) GDPR.