Purpose guide

Anytime you want to process data you will need to have a clearly defined and communicated purpose for doing so.

‌‘Processing’ is any process in which data are processed or used. You can think of collecting or storing data. Updating, arranging, distributing or other forms of making available are also processing operations. Even deleting and anonymising personal data are types of processing.‌

‌An example of processing is receiving of application forms and CVs from new employees. Deleting them is also a form of data processing. Each step, from receiving the resumes, reading them, ordering them, and finally deleting them, is a separate processing event.

In order to process personal data, an organisation should be able to describe the specific purpose for each type of processing. On top of that each purpose must then also be supported by a legal ground for doing so. 

L‌et's look at the example of an online shop. It might collect an email address for two specific purposes:

Data type Purpose Legal ground Explanation
Email address Providing goods and services
Contract The email address is needed to send the receipt
Email address Marketing, sales and customer relations Permission To send coupons and updates about new products
 Bank account number Providing goods and services  Contract This is required by law
A real online shop would have a much larger list

‌European privacy law requires organisations to explain all the purposes for which they are collecting data. This is normally covered in detail in the full privacy policy. The label only offers a broad summary of this information.

Order of display

The purposes listed in a privacy label should not be placed in a random order. They should be arranged by how often they occur. The most commonly used purpose should be at the top, followed by the next most common purpose, and so forth. 

‌For example, in the table above the "providing goods and services" purpose occurs twice, while the marketing purpose occurs once. So in the label's purposes list, "providing goods and services" should be placed above "Marketing, sales and customer relations".


In Privacy Label we have divided the purposes we've come accross in our daily privacy practices into a finite number of categories. Based on our research and experience we believe these should cover all types of processing. If you feel your purpose cannot fit in any of these categories, then we'd love to hear from you.

Providing goods or services

This is likely at the top of the list in most privacy labels, as providing goods or services if the main purpose of a lot of organisations. It's intended to also cover a lot of internal processes within organisations, such as arranging meetings, shipping a product, general management, and so forth. 

  • ‌If you're a shop, handling and shipping orders might be covered here. 
  • If you're a local government, then things like arranging passports or permits is a service you provide. 
  • If you're a school, then you provide an education service.

‌If none of the other options below offers a better match, then this purpose should hopefully cover your situation.

Marketing, sales and customer relations

Another commonly used purpose. This covers activities to gain new customers, or reach out to existing ones. It also covers the more general purpose of relation management. For example, the use of electronic addressbooks or CRM software.

Human resources

This covers the processing of data for employment purposes. For example, the processing of a bank account number in order to pay a salary.

Financial administration

This is another common purpose. Accounting,. Note: if you're a bank or financial services provider, then offering financial products should fall under the "providing goods and services" category. 


Sometimes data is collected to be used in legal or regulatory processes. Note: if you're a lawyer providing legal assistance, then see if the "providing goods and services" purpose is a better fit.

Academic research

Science requires data. Universities and research institutions are likely to use this purpose.
‌If you are a company doing user or product research, this could fall under the "providing goods and services" header. If you are doing market research, the marketing purpose would be the best fit.

Health and medicine

This option is often used by health care practicioners. This purpose can cover physical or mental health, or even fitness. It may involve collecting data about bodily functions, for example when using sporting or medical equipment. The collected data is likely sensitive data.

Authorisation management

IT systems generally work by handing out accounts and passwords. These systems keep track of whom accessed what information, and can limit access to resources. For example, in a hospital only doctors' account have the authorisation to look at digital patient records. 

Security and surveillance

This is a more general category to cover processing that ensures safety and security. This can cover the use of security cameras, or anti-hacking activities - activities designed to keep people out. This purpose can also cover worker safety, for example at building sites, where sensors might be used to monitor hazards.

Fraud detection and prevention

Some organisations employ services (or build their own) that are intended to find abuse of their systems/organisation. For example, software can be used to find rare patterns or outliers in purchases or messages.

Crime and national security

This purpose is generally used by police and national security organisations.

‌Good to know

‌European privacy law requires that only the minimum needed data is required to fulfill a purpose. This is called the "Data minimalisation" requirement:

‌"Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

‌Also, it's not allowed to use data for other purposes than initially stated. For example, if a phone number was originally collected for security purposes only, then it can't later be used for marketing. At least not without finding a new legal ground for doing so, such as asking for permission. This is called the "purpose limitation" principle:

‌"Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."