What it Means
Under GDPR, the specific purposes for processing personal data must be identified and subsequently documented. Such a purpose must ensure that personal data Is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Organisations must also make sure to implement measures to restrict further processing beyond the specified purpose.