Part 5 Data protection and privacy
Chapter 1 Data protection
Data protection principles
71 The purpose limitation
(1)
(2) In Article 5(1)(b) (purpose limitation)—
(a) after “collected” insert “(whether from the data subject or otherwise)”,
(b) after “further processed” insert “by or on behalf of a controller”, and
(c) for the words from “those purposes;” to “initial purposes” substitute “the purposes for which the controller collected the data”.
(3)
“3. For the avoidance of doubt, processing is not lawful by virtue only of being processing in a manner that is compatible with the purposes for which the personal data was collected.”
(4) In Article 6 (lawfulness of processing), omit paragraph 4.
(5)
“Article 8A Purpose limitation: further processing
1. This Article is about the determination, for the purposes of Article 5(1)(b) (purpose limitation), of whether processing of personal data by or on behalf of a controller for a purpose (a “new purpose”) other than the purpose for which the controller collected the data (“the original purpose”) is processing in a manner compatible with the original purpose.
2. In making the determination, a person must take into account, among other things—
(a) any link between the original purpose and the new purpose;
(b) the context in which the personal data was collected, including the relationship between the data subject and the controller;
(c) the nature of the processing, including whether it is processing described in Article 9(1) (processing of special categories of personal data) or Article 10(1) (processing of personal data relating to criminal convictions etc);
(d) the possible consequences of the intended processing for data subjects;
(e) the existence of appropriate safeguards (for example, encryption or pseudonymisation).
3. Processing of personal data for a new purpose is to be treated as processing in a manner compatible with the original purpose where—
(a) the data subject consents to the processing of personal data for the new purpose and the new purpose is specified, explicit and legitimate,
(b) the processing is carried out in accordance with Article 84B—
(i) for the purposes of scientific research or historical research,
(ii) for the purposes of archiving in the public interest, or
(iii) for statistical purposes,
(c) the processing is carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) or demonstrating that it does so,
(d) the processing meets a condition in Annex 2, or
(e) the processing is necessary to safeguard an objective listed in Article 23(1)(c) to (j) and is authorised by an enactment or rule of law.
4. Where the controller collected the personal data based on Article 6(1)(a) (data subject’s consent), processing for a new purpose is only processing in a manner compatible with the original purpose if—
(a) it falls within paragraph 3(a) or (c), or
(b) it falls within paragraph 3(d) or (e) and the controller cannot reasonably be expected to obtain the data subject’s consent.
5. The Secretary of State may by regulations amend Annex 2 by—
(a) adding or varying provisions, or
(b) omitting provisions added by regulations made under this paragraph.
6. The Secretary of State may only make regulations under paragraph 5 adding a case to Annex 2 where the Secretary of State considers that processing in that case is necessary to safeguard an objective listed in Article 23(1)(c) to (j).
7. Regulations under paragraph 5 may make provision identifying processing by any means, including by reference to the controller, the data subject, the personal data or the provision of Article 6(1) relied on for the purposes of the processing.
8. Regulations under paragraph 5 are subject to the affirmative resolution procedure.”
(6) Schedule 5 to this Act inserts Annex 2 to the UK GDPR.
(7)
(8) In section 36(1) (the second data protection principle)—
(a) in paragraph (a), for “on any occasion” substitute “(whether from the data subject or otherwise)”, and
(b) in paragraph (b)—
(i) after “processed” insert “by or on behalf of a controller”, and
(ii) for “it was collected” substitute “the controller collected it”.
(9) In section 87(1) (the second data protection principle)—
(a) in paragraph (a), for “on any occasion” substitute “(whether from the data subject or otherwise)”, and
(b) in paragraph (b)—
(i) after “processed” insert “by or on behalf of a controller”, and
(ii) for “it was collected” substitute “the controller collected it”.
(10) In paragraph 1 of Schedule 2 (exemptions etc from the UK GDPR: provisions to be adapted or restricted), omit sub-paragraph (b)(ii).