Data Privacy

GDPR Data Minimisation and Purpose Limitation: Official

GDPR data minimisation (Art 5(1)(c)) and purpose limitation (Art 5(1)(b)): official Commission text, EDPB guidance, cases, implementation.

In one sentence. GDPR Article 5(1)(b) purpose limitation requires that personal data be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; Article 5(1)(c) data minimisation requires that data be adequate, relevant and limited to what is necessary in relation to those purposes. Together they form the collection-side core of GDPR compliance. Official text: Regulation (EU) 2016/679, Article 5 on EUR-Lex, reaffirmed in European Commission GDPR guidance.

Infringements of these two principles are sanctioned under Article 83(5)(a), the top tier (€20M / 4%). They are among the most frequently invoked principles in CJEU rulings and DPA decisions because they govern what data may be collected at all.

Key takeaways

  • Purpose limitation = specified, explicit, legitimate + no incompatible further use.
  • Data minimisation = adequate, relevant, limited to what is necessary.
  • Both are principles (Article 5) — breach is among the most serious GDPR infringements.
  • Compatibility test (Article 6(4)) governs further processing.
  • Further processing for archiving in the public interest, scientific or historical research, or statistics is not treated as incompatible, provided the Article 89(1) safeguards apply (Article 5(1)(b)).
  • Sanctions: Article 83(5)(a) — up to €20M or 4% of global turnover.

1. Article 5 official text (excerpts)

  1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

Source: EUR-Lex, European Commission.

2. Purpose limitation: three requirements

  • (a) Specified: precise enough to enable accountability; “marketing” is too vague, “monthly newsletter about product X” is acceptable.
  • (b) Explicit: communicated to the data subject in a transparent privacy notice (Articles 13-14).
  • (c) Legitimate: lawful under GDPR and EU/national law.

Plus: no incompatible further processing.

3. The Article 6(4) compatibility test

If a controller wants to process collected data for a new purpose, Article 6(4) sets a compatibility test:

  • Link between original and new purpose
  • Context of collection (relationship with data subject)
  • Nature of the data (special categories?)
  • Possible consequences for the data subject
  • Existence of appropriate safeguards (encryption, pseudonymisation)

A compatible further purpose can be pursued without a new legal basis. Incompatible = new consent or other Article 6 basis required.

4. Data minimisation: three requirements

  • (a) Adequate: sufficient to fulfil the purpose.
  • (b) Relevant: linked to the purpose.
  • (c) Limited to what is necessary: nothing more.

Common failures: collecting a full date of birth when only an age range is needed; storing a full IP address when a truncated one (last octet removed) would serve the purpose; HR systems retaining CVs of rejected candidates indefinitely.

5. Necessity test (EDPB and CJEU)

The EDPB's guidelines and the CJEU consistently apply a strict necessity test:

  • The data must be objectively necessary for the purpose
  • “Useful” or “convenient” is not enough
  • The least intrusive option must be preferred (privacy by default — Article 25)

6. Relationship with Article 25 (data protection by design and by default)

Article 25(2) operationalises minimisation: technical and organisational measures must ensure that, by default, only personal data necessary for each specific purpose are processed. This affects:

  • Default form fields (optional vs mandatory)
  • Default visibility settings
  • Default data retention
  • Default API field exposure

7. CJEU case law

  • C-291/12 Schwarz — biometric passport: even mandatory data must be minimised
  • C-13/16 Rīgas — necessity over usefulness
  • C-708/18 Asociaţia de Proprietari — CCTV minimisation
  • C-439/19 Latvijas — public data registers; purpose limitation extends
  • C-184/20 OT — special category data + purpose limitation

8. DPA enforcement — purpose limitation cases

  • Google (CNIL 2019): €50M — vague purposes for ads personalisation
  • H&M (HmbBfDI 2020): €35.3M — employee profiles beyond purpose
  • WhatsApp (Irish DPC 2021): €225M — transparency + purpose
  • Amazon (CNPD Luxembourg 2021): €746M — ad targeting purposes
  • Meta (Irish DPC 2023): €390M — behavioural ads basis + purpose

9. DPA enforcement — minimisation cases

  • Deutsche Wohnen (Berlin 2019): €14.5M — tenant data over-retention
  • Marriott (ICO 2020): £18.4M — security penalty (Article 32) after the Starwood breach; millions of unencrypted passport numbers retained beyond what the purpose required were among the exposed data
  • Discord (CNIL 2022): €800,000 — log retention disproportionate
  • Multiple HR cases — over-collection of medical data

10. Implementation checklist

  1. Define each processing purpose in the ROPA
  2. Map data fields to purposes (each field justified)
  3. Privacy notice with explicit purposes
  4. Compatibility test before any reuse
  5. Default-deny form fields (privacy by default)
  6. Retention rules per purpose (see storage limitation)
  7. Annual review
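The defaults listed in section 6 (form fields, API field exposure) and the over-collection failures in section 4 (full IP address, full date of birth) come down to one mechanism, which is also what steps 2 and 5 of the checklist ask for: every field a system processes is tied to a declared purpose, anything not tied to the current purpose is dropped, and fields that are needed only in reduced form are transformed before use. The Python below is an added example written for this page, not Legiscope's code. The purpose names, field names and the signup record are constructed for illustration; the /24 and /48 truncation prefixes and the ten-year age bands are assumptions about what those constructed purposes need, not a rule from the Regulation.

```python
# Added example (not Legiscope code): a per-purpose field allow-list with
# minimisation transforms. Purposes, fields and the sample record below are
# constructed for illustration.
from __future__ import annotations

import ipaddress
from datetime import date
from dataclasses import dataclass
from typing import Any, Callable, Optional


def truncate_ip(value: str) -> str:
    """Keep only the network part of an address (assumed sufficient here):
    /24 for IPv4 (last octet zeroed), /48 for IPv6. Enough for abuse-rate
    statistics, not enough to single out a host."""
    addr = ipaddress.ip_address(value)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def age_band(dob_iso: str, today_iso: Optional[str] = None) -> str:
    """Replace a date of birth with 'under-18' or a ten-year band."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if age < 18:
        return "under-18"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


@dataclass(frozen=True)
class Purpose:
    """One ROPA purpose: the fields it justifies and how each is reduced.
    A transform of None means the field is kept as collected."""
    name: str
    fields: dict[str, Optional[Callable[[Any], Any]]]


# Constructed purposes. A field not listed under a purpose is, by default,
# not processed for that purpose (Article 25(2), data protection by default).
PURPOSES: dict[str, Purpose] = {
    "monthly newsletter about product X": Purpose(
        name="monthly newsletter about product X",
        fields={"email": None},
    ),
    "age-gated content eligibility": Purpose(
        name="age-gated content eligibility",
        fields={"email": None, "date_of_birth": age_band},
    ),
    "abuse rate limiting statistics": Purpose(
        name="abuse rate limiting statistics",
        fields={"ip": truncate_ip},
    ),
}


def minimise(record: dict[str, Any], purpose_name: str) -> tuple[dict[str, Any], list[str]]:
    """Return (data kept for the purpose, fields dropped as over-collection).

    An undeclared purpose raises KeyError: processing for a purpose that is
    not specified in the ROPA is refused rather than silently allowed.
    """
    purpose = PURPOSES[purpose_name]
    kept: dict[str, Any] = {}
    dropped: list[str] = []
    for key, value in record.items():
        if key not in purpose.fields:
            dropped.append(key)  # over-collected relative to this purpose
            continue
        transform = purpose.fields[key]
        kept[key] = value if transform is None else transform(value)
    return kept, sorted(dropped)


# Constructed sample: a signup form that asked for more than any one purpose needs.
SIGNUP = {
    "email": "alice@example.com",
    "date_of_birth": "1990-06-15",
    "ip": "203.0.113.77",
    "phone": "+44 20 7946 0000",
}

if __name__ == "__main__":
    for name in PURPOSES:
        kept, dropped = minimise(SIGNUP, name)
        print(f"{name}: keep {kept}; over-collected {dropped}")
```

Run stand-alone, the script shows that the phone number is over-collected for every declared purpose, which is the signal to remove the field from the form rather than to keep it "just in case". The same allow-list can back an API serializer (only the purpose's fields leave the service) and a retention job (a field with no remaining purpose has no reason to exist).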

11. Tooling

Legiscope ties each ROPA processing activity to declared purposes and to the fields collected — flagging over-collection automatically. Compatibility test workflow built in.

FAQ

What is purpose limitation under GDPR Article 5?

Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (Article 5(1)(b)). Compatibility for new purposes is tested under Article 6(4).

What does data minimisation require?

Article 5(1)(c) requires data to be adequate, relevant and limited to what is necessary for the purposes. EDPB and CJEU apply a strict necessity test, not mere usefulness.

Where is the official European Commission text?

European Commission — GDPR principles and the official Regulation on EUR-Lex.

Can I reuse data for a new purpose?

Only if compatible under Article 6(4) (link, context, nature, consequences, safeguards). Otherwise a new legal basis is required, typically consent.

What’s the sanction for breaching these principles?

Top tier: up to €20M or 4% of global turnover (Article 83(5)(a)). Amazon €746M (CNPD 2021) is the leading purpose-limitation sanction.

Legiscope automates this for you

Stop doing compliance manually. Legiscope's AI handles ROPA creation, DPA audits, and gap analysis — in minutes, not weeks.

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on GDPR implementation. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.
