Personal data are permitted to be used only for the purpose for which they were originally gathered. This is the basis of the ‘purpose limitation principle’, which, as one of the key pillars of German data protection legislation, is often hotly debated. The use of this principle is a challenge, not only for startups but also for individuals affected by the processing of their personal data. Where startups often do not know how data may finally be used, and therefore find it difficult to specify precisely or broadly enough the purposes to which a user’s data might be put, affected individuals often find themselves in a labyrinth of possible purposes to which their data might be put followed by an endless series of data protection conditions. Users often emerge none the wiser regarding the possible purposes to which their data might be put. Therefore this chapter discusses how the purpose limitation principle might best be applied. The proposal given here allows a non-restrictive, indeed innovation-friendly, application of the principle.
