The processing of personal data is only permitted if the processing is necessary to achieve the research purpose (or other purposes). Therefore, as a researcher, you must always describe the purpose of the processing of personal data before you start processing it.
Only you as a researcher can write the purpose description, as you know your research and future research (and maybe other purposes) best. Here you will find some advice on what to consider before describing your purpose or purposes.
Start by asking yourself why you need to process personal data.
Examples:
Then ask yourself what personal data is necessary for you to achieve the research purpose (or other purposes). You may only process the information necessary to achieve your research purpose (or other purposes) in accordance with the data minimisation principle. The data minimisation principle means that you may only process the data that is necessary. To assess this, consider: Is it 'need to have' or 'nice to have'?
Please keep in mind that the purpose description is the 'framework' for how you may process the personal data. Therefore, it is important that you think carefully when describing a purpose.
For instance, it is not permitted to have a description that is too broad, as such a description would not comply with the principles and rules of data protection law.
Examples of descriptions that are too broad:
On the other hand, you should not describe the purpose so narrowly that there is no room for your research to develop along the way.
Example of a narrow description:
The processing of personal data must always be transparent. It must therefore be sufficiently specified why the personal data will be processed.
If the purpose of the processing of personal data is not sufficiently specified, the data subjects cannot understand why their personal data are being processed. The requirement of ‘purpose limitation’ (i.e. that there must be a specific purpose for processing personal data) is intended, among other things, to ensure that data subjects are able to exercise their rights against the data controller.
As a data controller, AU must ensure that the processing takes place in a fair and lawful manner – you contribute to this when you describe your purpose for processing personal data in a clear manner.
It is a good idea to consider whether you need to process the personal data for one or more purposes; otherwise, you risk excluding yourself from processing the personal data later on.
It is important that you inform the data subject about the purposes for which you are to process the data in a way that makes it clear that there are multiple purposes. You can find guidance on duty of disclosure here.