Subjects’ data and GDPR

11 Nov 2022 / GDPR

We’ve been expecting you

There is little post-GDPR guidance for data controllers on assessing whether further processing for a different purpose is compatible. However, pre-GDPR guidance and case law may remain applicable. Morgane Conaty has great expectations.

One of the fundamental principles relating to the processing of personal data under the GDPR is that personal data can only be collected for “specific, explicit and legitimate purposes” and cannot be further processed “in a manner that is incompatible with those purposes”, in accordance with article 5(1)(b).

The principle of ‘purpose limitation’ therefore only permits the further processing of personal data after collection if the manner of the processing is compatible with the purposes for which the data was collected.

Accordingly, a compatibility assessment will be required where the purpose of the further processing is different to the purpose for which the data was collected.

For example, when you purchase an item online and provide your address and phone number for the purposes of delivery, the business cannot use your address to send you advertisements by post.

Why? Because this would be the further processing of your personal data for a purpose (marketing) incompatible with the purpose for which the data was initially collected (to deliver the items) – unless, of course, you explicitly consented to it.

But giving your address to a delivery courier is further processing that is compatible with the initial purpose of delivery.

The GDPR provides that further processing for a different purpose will not be incompatible:

  • Where it is for “archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes” – article 5(1)(b),
  • Where the data subject has given consent to the further processing – article 6(4), or
  • Where the further processing constitutes a necessary and proportionate measure to safeguard specific objectives set out in sections 41 and 47 of the Data Protection Act 2018 (for example, to aid in the investigation of crime, protect national security, or for the purposes of obtaining legal advice).

However, in all other circumstances where data is processed for a different purpose, the data controller must conduct a compatibility assessment and take into account the following, as set out in article 6(4):

  • Any link between the purposes for which the personal data has been collected and the purposes of the intended further processing,
  • The context in which the personal data has been collected – in particular, regarding the relationship between data subjects and the controller,
  • The nature of the personal data, in particular whether special categories of personal data are processed, pursuant to article 9, or whether personal data related to criminal convictions and offences is processed, pursuant to article 10,
  • The possible consequences of the intended further processing for data subjects, and
  • The existence of appropriate safeguards, which may include encryption or pseudonymisation.

Beyond these factors, there is little post-GDPR guidance for data controllers on assessing whether further processing for a different purpose is compatible, and no case law discusses the issue.

However, pre-GDPR guidance and case law may remain applicable: a recent Court of Appeal judgment on purpose limitation in the pre-GDPR legislative context considered, as a key factor, the expectation of data subjects as to the further processing of their data.

This tallies with a case study in the Data Protection Commission’s 2021 annual report, where the DPC also focused on the expectations of data subjects when determining a complaint relating to further processing for a different purpose.

DPC v Doolin

The respondent worked as a craftsman’s mate at Our Lady’s Hospice and Care Services. Following the discovery of terrorism-related graffiti carved into a table in the staff tearoom, the employer conducted an investigation and, while reviewing CCTV monitoring access to the room, discovered that the respondent had been taking unauthorised breaks.

The employer commenced disciplinary proceedings, and the respondent was subsequently sanctioned. The respondent complained to the DPC that the further use by the employer of the CCTV for disciplinary purposes was in breach of the Data Protection Acts 1988 and 2003 (the relevant legislation at the time).

The employer’s CCTV policy stated that the “purpose of the system is to prevent crime and promote staff security and public safety”, and a sign was placed beside each camera stating: “Images are recorded for the purposes of health and safety and crime prevention.”

The DPC dismissed the complaint, holding that the employer’s use of information gleaned from the CCTV for disciplinary proceedings did not constitute further processing. This decision was upheld by the Circuit Court, but overturned by the High Court, which found that there was further processing of the data for an incompatible purpose. The DPC appealed to the Court of Appeal.

Noonan J, for the court, held that the capturing of the respondent’s data by the CCTV for security purposes was the initial collection of the data. Therefore, the use of the CCTV for the disciplinary proceedings was further processing for a different purpose.

In examining whether the disciplinary purpose was incompatible with the original purpose (security), the court considered the Article 29 Working Party’s (the predecessor to the European Data Protection Board) ‘Opinion 03/2013 on purpose limitation’, since it was accepted that the issue as to further processing had not been the subject of any decisions of the Court of Justice or of national courts.

The opinion dealt with the principle of purpose limitation contained in article 6(1)(b) of the Data Protection Directive, which is substantively the same as the GDPR, but does not set out factors to take into account when conducting a compatibility assessment, as are set out in article 6(4) of the GDPR.

The opinion gives guidance that an assessment of compatibility requires an analysis of:

  • The relationship between the purposes for which the data was collected and the purposes of further processing,
  • The context in which the data was collected and the reasonable expectations of the data subjects as to its further use,
  • The nature of the data and the impact of the further processing on the data subjects, and
  • The safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects.

‘Reasonable data subject’

The court focused on the “reasonable expectations of the data subjects” as a key factor in considering compatibility, and relied on one of the examples in the opinion. In that example, a company installs CCTV to monitor the main entrance to its building for security purposes, but the CCTV also picks up that the receptionist is frequently away from her desk. A sign informs people that the CCTV is in operation for security purposes.

The opinion stated that a reasonable data subject would assume that the CCTV was there for security purposes only, and that the monitoring of employees “is an unrelated purpose which could not reasonably be expected by the data subject”.

The court noted that, in this case, the “fact that the viewing of the CCTV here was for the purpose of attempting to detect the perpetrator of the offensive graffiti and damage to hospice property is entirely irrelevant to the incidental observation of Mr Doolin taking unauthorised breaks”.

However, the court noted that the further processing of CCTV for disciplinary purposes would not have been incompatible if the disciplinary proceedings related to a security issue – for example, if the respondent had actually been viewed carving the graffiti, or if a security guard was seen to be away from his desk.

The Court of Appeal concluded that the respondent was not notified that the CCTV could be used for purposes other than security, nor was there any basis upon which he ought reasonably to have expected such use. The processing of the respondent’s data for disciplinary purposes was accordingly incompatible, and the appeal was dismissed.

It is interesting to note that, during the course of the investigation into the graffiti, the employer amended its CCTV policy to explicitly provide: “If, in the event of viewing CCTV for the specified purpose [to prevent crime and promote staff security and public safety], a disciplinary action is observed, the CCTV can be used for the purpose of a disciplinary investigation. However, CCTV will not be viewed solely for the purpose of monitoring staff.”

DPC case study

The case study in the Data Protection Commission’s 2021 annual report related to the use of location data to verify expense claims.

The complainant had been employed by a statutory service provider in the role of emergency-vehicle driver. In this role, he was entitled to claim for overtime or subsistence, and did so by completing forms provided by the employer detailing the relevant dates, places, dispatch reference numbers, and amounts claimed.

The employer used a dispatch system to ensure the most efficient use of drivers, and utilised vehicles that logged the performance and completion of service calls, when vehicles were out on calls, and when drivers were on or off duty.

The complainant made a claim for overtime and subsistence, and the employer used the record from the dispatch system to assess it. Finding inconsistencies between the form and the system, the employer rejected the claim. The complainant objected to the use of data from the dispatch system for this purpose and complained to the DPC.

The DPC considered whether the use of data from the dispatch system to verify overtime and subsistence claims was in line with fair processing requirements. The DPC noted that the purpose of the processing from the dispatch system was to aid logistics: the use of the data to verify overtime claims was, therefore, further processing.

Having determined that the employer did have a legal basis for this processing, the DPC considered whether the further processing was not incompatible with the initial purpose. In doing so, the DPC focused on whether the complainant and fellow employees had been made aware of the employer’s use of the data for this further purpose.

Although the employer did not have a written policy on the use of the system, it relied on the general awareness of employees of such use. The use of the system had been noted in an arrangement with its employees’ trade unions some years previously, and the claims form required employees to include relevant dispatch numbers from the system.

Having regard especially to this latter fact, the DPC held that the employees were aware that the system was used to verify their claims.

The DPC concluded that the use of the data to verify overtime claims was not incompatible with the initial purpose of aiding logistics, since that data was the only means available to the employer to verify claims. Furthermore, the employer had a legal and contractual obligation to verify overtime claims.

Great expectations

It is clear from the Court of Appeal judgment and the DPC case study that, when assessing whether a further purpose is compatible, one of the key factors is the expectation of the data subjects as to the further processing of their data.

Interestingly, although the factors listed in the opinion and in article 6(4) of the GDPR almost mirror each other, the latter does not refer to the “reasonable expectations of data subjects”, but focuses on the “relationship between data subjects and the controller”.

It is unlikely that there is much difference between the two factors and, in fact, a consideration of “the relationship between data subjects and the controllers” is arguably broader, and encompasses the reasonable expectations of data subjects.

This certainly seems to be the view taken by the DPC in its case study, and it is worth noting that the UK Information Commissioner’s Office’s view on the factors to be taken into account when undertaking a compatibility assessment (which currently have not changed since Britain left the EU) includes “the context in which you originally collected the personal data – in particular, your relationship with the individual and what they would reasonably expect”.

Data controllers should, therefore, be aware that the reasonable expectations of data subjects as to the further use of their personal data are a key factor in conducting a compatibility assessment, and should ensure that data subjects are made aware of all the purposes for which their data are being processed.

In the case study, the DPC noted that, while the further processing was compatible in this instance, “controllers should bear in mind the overarching requirement to process personal data fairly, and must ensure that data subjects are made aware of what data is collected, and the nature and purpose of the processing.”

As can be seen from Doolin, it may be best to set out all the purposes of data processing in a written policy or statement provided to data subjects.

Morgane Conaty
Morgane Conaty is a practising barrister and previously was a legal researcher in the Chief State Solicitor’s Office and a judicial assistant in the High Court.