Start-ups often face the challenge of meeting two fundamental requirements provided for by European data protection law. First, the requirement to specify the purpose of their processing operations the moment personal data is collected by them (‘purpose specification’); and, second, the requirement that the collected data must not be processed further in a way that is incompatible with the initially specified purpose (‘purpose limitation’). In particular, Start-ups have difficulties specifying the purpose because they often do not know their final product or service (and sometimes have not even finished their business model) when they commence collecting data. This brief thus focuses on the criteria, which assist start-ups to comply with the two requirements as well as comply with specific regulation instruments transposing these requirements in the private sector and, simultaneously, meeting a need for openness toward innovation as well as legal certainty.
This policy brief was contributed by Maximilian von Grafenstein LL.M. (Alexander von Humboldt Institute for Internet and Society).