Purpose limitation: collected for one thing, used for another
Data collected for delivery may not quietly become marketing fuel; the emergency-contact list may not become a sales file. The purpose named at collection is a fence, not a suggestion.
Purpose limitation (Art. 5(1)(b)): data is collected for “specified, explicit and legitimate purposes” and may not be further processed incompatibly with them. The purpose must be named at collection (Art. 13) — which is why privacy policies list purposes, and why vague ones (“to improve our services”) are weak fences companies hope you won’t test. The compatibility test (Art. 6(4)) weighs the link between old and new purpose, the context, your reasonable expectations, the data’s sensitivity, and safeguards. Classic violations: the webshop delivery address feeding ad audiences; the COVID check-in lists used for marketing (fined, repeatedly, across Europe); CCTV “for security” mined for staff performance; the everything-into-AI-training pattern now testing this principle at scale. Compatible by law: archiving, statistics and research with safeguards. Your use of it: when data given for X surfaces in Y, the complaint writes itself — “collected for [X] per your policy; processed for [Y]; name the Art. 6(4) compatibility assessment.” Pair with objection for the new purpose and erasure where no basis survives. Purpose creep is the most common everyday GDPR violation — and the easiest to spot once you know its name.
Verified against the sources above on 18 July 2026. Information, not legal advice.