Skip to content

The principle of purpose limitation in data protection laws

26 April 2018

In his dissertation, Maximilian von Grafenstein examines the principle of purpose limitation in data protection law, which not only protects the autonomy of those affected, but also provides data processing companies sufficient scope to optimally implement data protection as part of their innovation processes. For our dossier on the GDPR, we asked him a few questions:

What inspired you to write your dissertation?

As a lawyer and later in the Startup Clinic at HIIG, I advised and supported startups in implementing legal requirements. It struck me that the legal requirements often stood in contrast to innovation processes in startups. This became particularly clear with the so-called principle of purpose limitation in data protection. This requires the processors of personal data to indicate the purposes of their later data processing before collecting any data. The processors are bound to these purposes. In the beginning, it is often not even 100% clear in what direction a startup is heading, thus, the purposes of future data processing cannot be specified at all. My question was therefore how the principle of purpose limitation should actually be interpreted and whether it can be brought into line with innovation processes.

…and what answer did you find?

The surprising result of my work is that the principle of purpose limitation is not an obstacle to innovation processes. On the contrary, as a legal principle it is a very suitable regulatory instrument for innovation processes. The reason for this is that it gives innovative data processors sufficient scope for implementation. This enables them to adapt the legal requirements specifically to their innovation processes and, above all, to their risks.

The principle of purpose limitation is in itself a regulative instrument open to innovation.

Combined with instruments for co-regulation, the principle of purpose limitation is not only in line with innovation, but can also even promote innovation under certain circumstances. This is because processors of personal data can reduce the high level of legal uncertainty through co-regulatory instruments. Scientific studies clearly point out that increasing legal certainty has a positive effect on innovation processes. In data protection law, this legal certainty is provided by so-called codes of conduct and certificates.

For who are the outcomes particularly interesting?

The results are particularly interesting for companies that process personal data. My thesis shows ways in which these companies can actually use their compliance with data protection regulations as a competitive advantage. It also helps regulators — especially data protection authorities — to interpret the principle of purpose limitation in such a way that it not only effectively protects against the risks of data processing, but also brings about the competitive advantages of the GDPR, which are often invoked by politicians.

What were your best and worst experiences during the research?

In my opinion, the debate on data protection law suffers from a great polarisation, which makes it difficult to find concrete solutions to problems. The best experiences were definitely the moments when I told actors from science, business or politics about my approach and was able to convey the great potential of this approach. Accordingly, the most difficult moments were when I realized that others who are concerned with data protection are not taking the time to at least understand this approach.

What’s the relevance of your publication for the GDPR?

The dissertation focuses on the principle of purpose limitation as implemented or should be interpreted in the GDPR. The principle of purpose limitation also exists in other legal systems or constitutions, for example as a core component of Germany’s fundamental right to informational self-determination and as (more implicit) component of the right to privacy of the European Convention on Human Rights. In my dissertation I work out the similarities and differences. Thereby the focus is always on the European Charter for Fundamental Rights as well as the GDPR. Thus, I was all the more surprised when an expert of the German Research Foundation came to the conclusion that my work does not deal with the principle of purpose limitation of the GDPR – in my opinion, a classic example of the case mentioned above, when people do not really engage with the approach.

What new perspectives does this illustrate to you on the subject of data protection?

Before my research, I saw data protection as a pure obstacle to innovation processes. In the course of my work, however, I have grown to understand that the GDPR in particular can be viewed as a relatively modern regulatory approach, which is particularly suitable for regulating the often unforeseeable risks of data-driven innovation processes.

In your opinion, is GDPR an effective tool?

The GDPR can be a very effective instrument. However, it must be implemented accordingly. If it is interpreted according to the classical approach, one runs the risk not only of unnecessarily hindering innovation processes, but also of not providing effective protection. The reason for this is that the GDPR mainly focuses on the time of data collection. In principle, it is designed in such a way that most of the obligations of the processors or rights of the data subjects take effect at the time of data collection. In order to provide effective protection and not unnecessarily hinder innovation processes, however, rights and obligations must at least apply equally during the subsequent use of the data.

What can I do to protect my data effectively?

We as consumers need to be aware of the risks we take when we disclose information about ourselves. For this purpose, however, the processors of personal data must provide information about these risks in the information or declarations of consent they provide. So far, in most cases, personal data processors have not sufficiently pointed out risks. For example, it is not sufficient for a data processor to write that it passes the data on to third parties. Such a reference does not say anything about whether the data will be used, for example, to offer the persons concerned personalised advertising, to evaluate their creditworthiness, or to attempt to influence them when they cast a vote. These are very different risks to the autonomous exercise of fundamental rights of those affected. Data may only be used for such purposes if these risks have been clearly indicated, the data subject has specifically consented to them, or legal regulations permit processing for these purposes. As soon as the person concerned is specifically informed about such risks, it is also reasonable to expect them to make a decision as to whether they agree with this risk. Of course, they can only make such a decision for themself, not for others.

Abstract: The principle of purpose limitation in data protection laws

In his dissertation, Maximilian von Grafenstein examines the principle of purpose limitation provided for by data protection law from the perspective of a regulation of innovation. This approach examines both the risks caused by innovation and whether risk protection instruments are appropriate with respect to their effects on innovation processes.

Read his dissertation

In light of this approach, this thesis examines, first, the function of the principle of purpose limitation in light of Article 8 of the ECFR, and second, which regulation instruments serve best, when implementing the principle of purpose limitation in the private sector, in order to balance the colliding fundamental rights of the data controller and the individual concerned. Pursuant to the previous analysis, the principle of purpose limitation is a regulation instrument that seeks to protect the individual’s autonomy against the risks caused by the processing of data related to him or her. In this regard, the first component of the principle of purpose limitation requires the controller to specify the purpose of the data processing. This requirement is a precautionary protection instrument obliging the data controller to discover specific risks caused by data processing against the individual’s fundamental rights to privacy, freedom, and non-discrimination.

In contrast, the second component, i. e., the requirement to limit the data processing to the preceding purpose, aims to limit the risk caused by the later data processing to the risks previously discovered. Whether a risk caused by the later processing of personal data is compatible or incompatible with the risk previously discovered depends, again, on the individual’s fundamental rights to privacy, freedom, and non-discrimination. However, as a legal principle, the principle of purpose limitation not only protects an individual’s autonomy but simultaneously leaves sufficient room for data controllers to find the best solution for protection with respect to the particularities of the specific case. This scope of action enables, combined with co-regulation instruments, data controllers to turn the principle of purpose limitation into an innovation-enhancing mechanism.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact

Maximilian von Grafenstein, Prof. Dr.

Associated Researcher, Co-Head of Research Programme

Sign up for HIIG's Monthly Digest

and receive our latest blog articles.

Man sieht in Leuchtschrift das Wort "Ethical"

Digital Ethics

Whether civil society, politics or science – everyone seems to agree that the New Twenties will be characterised by digitalisation. But what about the tension of digital ethics? How do we create a digital transformation involving society as a whole, including people who either do not have the financial means or the necessary know-how to benefit from digitalisation?  And what do these comprehensive changes in our actions mean for democracy? In this dossier we want to address these questions and offer food for thought on how we can use digitalisation for the common good.

Discover all 11 articles

Further articles

Image shows a visualized human brain with blue light effects

AI as a flying blue brain? How metaphors influence our visions about AI

Why is Artificial Intelligence so commonly depicted as a machine with a human brain? This article shows why one misleading metaphor became so prevalent.

Person in wheelchair taking photos outside

Exploiting potentials: Teaching AI Systems to See Accessibility Barriers

Barriers in our physical environment are still widespread. While AI systems could eventually support detecting them, it first needs open training data. Here we provide a dataset for detecting steps...

You can see a group of people from above doing lessons online. It symoblises digital teaching/digitale Lehre.

Sharing knowledge: Impact of Covid-19 on digital teaching

How can we address the many inequalities in access to digital resources and lack of digital skills that were revealed by the COVID-19 pandemic?