Provision of personal data

Organisations are not allowed to provide (transfer) personal data to other organisations or persons without a reason. The general rule is that this is only permitted if it is compatible with the purpose for which the data were collected. However, this is subject to strict requirements that will not be met very easily.

Provision must be compatible with the purpose

Do you, as an organisation, want to provide personal data to another organisation? Usually, you did not collect personal data for this purpose (as well). That is why it will not be permitted very often. After all, you must have a clear purpose for collecting personal data. And you are not allowed to process the data for a different purpose (providing is a form of processing). This is one of the main rules for the protection of personal data and it is called 'purpose limitation'.

This requirement of purpose limitation is strict, but the GDPR offers some leeway: further processing of personal data is permitted if that processing is compatible with the original purpose for which the data were collected. This means that there must be a concrete, logical and close connection between the original purpose and the further processing, and that the further processing is also in line with the expectations of the data subject(s).

Did you not receive consent from the data subject(s) for the provision of personal data to another organisation? And does the provision not follow from a statutory provision either? Then you are only allowed to provide the data if the purpose of processing is compatible with the original purpose for which you collected the data. You have to assess this for yourself.

Determining whether provision is compatible

When answering the question of whether a provision is compatible, various factors play a part. For example:

  • Is there a connection with the purpose for which you collected the data?
  • Within which context did you collect the personal data? This means: what is the relationship between you and the data subject(s)?
  • What is the nature of the data? This means: how sensitive are the data? Does it, for example, concern special categories of personal data/criminal personal data?
  • What are the (possible) consequences of a provision?
  • Are there appropriate safeguards, such as encryption or pseudonymisation of the data?
  • What are the expectations of the data subject(s)?

However, provision of personal data to another organisation will not meet the requirement of purpose limitation very easily, because often:

  • the purpose of the provision or of the other organisation is far removed from the original purpose;
  • the provision to another organisation may have far-reaching consequences;
  • the provision may come as a surprise for the data subject(s).

Provision is compatible

Is the provision of data nevertheless compatible? Then you are allowed to provide the data. You do this on the same legal basis as the legal basis on which you collected the data. You therefore do not need a new legal basis for the provision of the data.

Provision is not compatible

Is the provision of data not compatible? Then you are only allowed to provide the data if the data subject gives you consent for processing the data for the new purpose (as well), or if the legislator has determined, in view of specific, substantial interests, that the data already collected may also be used for other purposes.

If you have a valid legal basis, you can formulate a new purpose and start collecting new data for that purpose.