Purpose guide
Anytime you want to process data you will need to have a clearly defined and communicated purpose for doing so.
An example of processing is receiving application forms and CVs from new employees. Deleting them is also a form of data processing. Each step, from receiving the resumes, reading them, ordering them, and finally deleting them, is a separate processing event.
In order to process personal data, an organisation should be able to describe the specific purpose for each type of processing. On top of that each purpose must then also be supported by a legal ground for doing so.
Let's look at the example of an online shop. It might collect an email address for two specific purposes:
Data type | Purpose | Legal ground | Explanation
Email address | Providing goods and services | Contract | The email address is needed to send the receipt
Email address | Marketing, sales and customer relations | Permission | To send coupons and updates about new products
Bank account number | Providing goods and services | Contract | This is required by law
European privacy law requires organisations to explain all the purposes for which they are collecting data. This is normally covered in detail in the full privacy policy. The label only offers a broad summary of this information.
Order of display
The purposes listed in a privacy label should not be placed in a random order. They should be arranged by how often they occur. The most commonly used purpose should be at the top, followed by the next most common purpose, and so forth.
For example, in the table above the "providing goods and services" purpose occurs twice, while the marketing purpose occurs once. So in the label's purposes list, "providing goods and services" should be placed above "Marketing, sales and customer relations".
Categories
In Privacy Label we have divided the purposes we've come across in our daily privacy practices into a finite number of categories. Based on our research and experience we believe these should cover all types of processing. If you feel your purpose cannot fit in any of these categories, then we'd love to hear from you.
Providing goods or services
This is likely at the top of the list in most privacy labels, as providing goods or services is the main purpose of a lot of organisations. It's intended to also cover a lot of internal processes within organisations, such as arranging meetings, shipping a product, general management, and so forth.
- If you're a shop, handling and shipping orders might be covered here.
- If you're a local government, then things like arranging passports or permits are services you provide.
- If you're a school, then you provide an education service.
If none of the other options below offers a better match, then this purpose should hopefully cover your situation.
Marketing, sales and customer relations
Another commonly used purpose. This covers activities to gain new customers, or reach out to existing ones. It also covers the more general purpose of relation management, for example the use of electronic address books or CRM software.
Human resources
This covers the processing of data for employment purposes. For example, the processing of a bank account number in order to pay a salary.
Financial administration
This is another common purpose. Accounting,. Note: if you're a bank or financial services provider, then offering financial products should fall under the "providing goods and services" category.
Legal
Sometimes data is collected to be used in legal or regulatory processes. Note: if you're a lawyer providing legal assistance, then see if the "providing goods and services" purpose is a better fit.
Academic research
Science requires data. Universities and research institutions are likely to use this purpose.
If you are a company doing user or product research, this could fall under the "providing goods and services" header. If you are doing market research, the marketing purpose would be the best fit.
Health and medicine
This option is often used by health care practitioners. This purpose can cover physical or mental health, or even fitness. It may involve collecting data about bodily functions, for example when using sporting or medical equipment. The collected data is likely sensitive data.
Authorisation management
IT systems generally work by handing out accounts and passwords. These systems keep track of who accessed what information, and can limit access to resources. For example, in a hospital only doctors' accounts have the authorisation to look at digital patient records.
Security and surveillance
This is a more general category to cover processing that ensures safety and security. This can cover the use of security cameras, or anti-hacking activities - activities designed to keep people out. This purpose can also cover worker safety, for example at building sites, where sensors might be used to monitor hazards.
Fraud detection and prevention
Some organisations employ services (or build their own) that are intended to find abuse of their systems/organisation. For example, software can be used to find rare patterns or outliers in purchases or messages.
Crime and national security
This purpose is generally used by police and national security organisations.
European privacy law requires that only the minimum data needed to fulfil a purpose is processed. This is called the "data minimisation" requirement:
"Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
Also, it's not allowed to use data for purposes other than those initially stated. For example, if a phone number was originally collected for security purposes only, then it can't later be used for marketing, at least not without finding a new legal ground for doing so, such as asking for permission. This is called the "purpose limitation" principle:
"Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."