38
5455/16
VH/np
23
ANNEX
DGD 2C
EN
(40) The processing of personal data for other purposes than the purposes for which the data have
been initially collected should be only allowed where the processing is compatible with those
purposes for which the data have been initially collected. In such case no separate legal basis
is required other than the one which allowed the collection of the data. If the processing is
necessary for the performance of a task carried out in the public interest or in the exercise of
official authority vested in the controller, Union law or Member State law may determine and
specify the tasks and purposes for which the further processing shall be regarded as
compatible and lawful. The further processing for archiving purposes in the public interest, or
scientific and historical research purposes or statistical purposes should be considered as
compatible lawful processing operations. The legal basis provided by Union or Member State
law for the processing of personal data may also provide a legal basis for further processing.
In order to ascertain whether a purpose of further processing is compatible with the purpose
for which the data are initially collected, the controller, after having met all the requirements
for the lawfulness of the original processing, should take into account inter alia any link
between those purposes and the purposes of the intended further processing, the context in
which the data have been collected, in particular the reasonable expectations of data subjects
based on their relationship with the controller as to their further use, the nature of the
personal data, the consequences of the intended further processing for data subjects, and the
existence of appropriate safeguards in both the original and intended further processing
operations. Where the data subject has given consent or the processing is based on Union or
Member State law which constitutes a necessary and proportionate measure in a democratic
society to safeguard, in particular, important objectives of general public interests, the
controller should be allowed to further process the data irrespective of the compatibility of the
purposes. In any case, the application of the principles set out by this Regulation and in
particular the information of the data subject on those other purposes and on his or her rights
including the right to object, should be ensured. Indicating possible criminal acts or threats to
public security by the controller and transmitting the relevant data in individual cases or in
several cases relating to the same criminal act or threats to public security to a competent
authority should be regarded as being in the legitimate interest pursued by the controller.
However such transmission in the legitimate interest of the controller or further processing of
personal data should be prohibited if the processing is not compatible with a legal,
professional or other binding obligation of secrecy.