UK GDPR

The UK General Data Protection Regulation

Please note: this resource is in the process of being updated to reflect changes made by regulations taking effect on 5 February 2026

Art. 8A GDPR Purpose limitation: further processing

This Article is about the determination, for the purposes of Article 5(1)(b) (purpose limitation), of whether processing of personal data by or on behalf of a controller for a purpose (a “new purpose”) other than the purpose for which the controller collected the data (“the original purpose”) is processing in a manner compatible with the original purpose.
In making the determination, a person must take into account, among other things—
1. any link between the original purpose and the new purpose;
2. the context in which the personal data was collected, including the relationship between the data subject and the controller;
3. the nature of the processing, including whether it is processing described in Article 9(1) (processing of special categories of personal data) or Article 10(1) (processing of personal data relating to criminal convictions etc);
4. the possible consequences of the intended processing for data subjects;
5. the existence of appropriate safeguards (for example, encryption or pseudonymisation).
Processing of personal data for a new purpose is to be treated as processing in a manner compatible with the original purpose where—
1. the data subject consents to the processing of personal data for the new purpose and the new purpose is specified, explicit and legitimate,
2. the processing is carried out in accordance with Article 84B—
  1. for the purposes of scientific research or historical research,
  2. for the purposes of archiving in the public interest, or
  3. for statistical purposes,
3. the processing is carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) or demonstrating that it does so,
4. the processing meets a condition in Annex 2, or
5. the processing is necessary to safeguard an objective listed in Article 23(1)(c) to (j) and is authorised by an enactment or rule of law or by relevant international law (see section 9A of the 2018 Act).
Where the controller collected the personal data based on Article 6(1)(a) (data subject’s consent), processing for a new purpose is only processing in a manner compatible with the original purpose if—
1. it falls within paragraph 3(a) or (c), or
2. it falls within paragraph 3(d) or (e) and the controller cannot reasonably be expected to obtain the data subject’s consent.
The Secretary of State may by regulations amend Annex 2 by—
1. adding or varying provisions, or
2. omitting provisions added by regulations made under this paragraph.
The Secretary of State may only make regulations under paragraph 5 adding a case to Annex 2 where the Secretary of State considers that processing in that case is necessary to safeguard an objective listed in Article 23(1)(c) to (j).
Regulations under paragraph 5 may make provision identifying processing by any means, including by reference to the controller, the data subject, the personal data or the provision of Article 6(1) relied on for the purposes of the processing.
Regulations under paragraph 5 are subject to the affirmative resolution procedure.

Corresponding Recitals

38 /uk-gdpr/recital/no-38Special Protection of Children's Personal Data
59 /uk-gdpr/recital/no-59Procedures for the Exercise of the Rights of the Data Subjects

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

View Recital

Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

View Recital

Prev. Article

View All

Further Information

This version of the UK GDPR is offered purely as what we hope will be a helpful resource. It does not have the status of law, and should not be relied on as such. Nor do we guarantee it is free from errors. It was originally prepared using a Keeling Schedule made available by the UK Government.

Since then, a consolidated version has also been made available on the legislation.gov.uk pages.

By virtue of section 3 of the European Union (Withdrawal Act) 2018, the GDPR (Regulation (EU) 2016/679) was retained in United Kingdom law as "direct EU legislation". However, the effect of the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019, as amended by the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2020, was, from 1 January 2021, immediately to make changes to the retained GDPR, and to refer to it as the "UK GDPR". These pages reflect those changes.

This resource includes links to the GDPR recitals. The explanatory notes to the European Union (Withdrawal Act) 2018 confirm that where legislation is converted under section 3, it is the text of the legislation itself which will form part of domestic legislation, and this will include the full text of any EU instrument (including its recitals). Accordingly, recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a legal rule. However, it stands to reason that – as the recitals themselves have not been amended – they will in places contain language and references to EU bodies and rules which no longer apply to the UK.

In this resource we link Articles of the UK GDPR to the corresponding recitals. In deciding which recitals correspond to which Articles of UK GDPR, we have drawn on the working document of the EU GDPR which the Information Commissioner had previously published in 2017.

Downloads

Working document of the EU GDPR published 2017 and archived on the National Archives website

Contacts

Adam Rose Partner

Jon Baines Senior Data Protection Specialist (non-lawyer)