Purpose of processing of personal data

The content on this page was updated in October 2023. Note that we regularly update these pages.

When processing personal data for your research, you must keep track of:

  • Why it is necessary to process personal data.
  • What personal data is necessary to process in order to achieve your purpose.

The processing of personal data is only permitted if the processing is necessary to achieve the research purpose (or other purposes). Therefore, as a researcher, you must always describe the purpose of the processing of personal data before you start processing it.

Only you as a researcher can write the purpose description, as you know your research and future research (and maybe other purposes) best. Here you will find some advice on what to consider before describing your purpose or purposes. 

1. Identification

Start by asking yourself why you need to process personal data.


  • I need to process personal data, as this is necessary to investigate the correlation between a particular mental disorder and other diseases.
  • I need to process personal data because it is necessary to examine how children act in institutions.
  • I need to process personal data to assess whether a certain management style affects employees' well-being.

Then ask yourself what personal data is necessary for you to achieve the research purpose (or other purposes). You may only process the information necessary to achieve your research purpose (or other purposes) in accordance with the data minimisation principle. The data minimisation principle means that you may only process the data that is necessary. To assess this, consider: Is it 'need to have' or 'nice to have'?

2. Not too broad and not too narrow

Please keep in mind that the purpose description is the 'framework' for how you may process the personal data. Therefore, it is important that you think carefully when describing a purpose.

For instance, it is not permitted to have a description that is too broad, as such a description would not comply with the principles and rules of data protection law.

Examples of descriptions that are too broad:

  • 'Research on diseases'.
  • 'Research on children'.
  • 'Future research'.

On the other hand, you should not describe the purpose so narrowly that there is no room for your research to develop along the way.

Example of a narrow description:

  • Research on sixth grade Summer School boys’ (age 12) perception of vegetarian school meals in the 2021 school year.

3. Transparency – Why process personal data?

The processing of personal data must always be transparent. It must therefore be sufficiently specified why the personal data will be processed.

If the purpose of the processing of personal data is not sufficiently specified, the data subjects cannot understand why their personal data are being processed. The requirement of ‘purpose limitatio’n (i.e. that there must be a specific purpose for processing personal data) is intended, among other things, to ensure that data subjects are able to exercise their rights against the data controller.

As a data controller, AU must ensure that the processing takes place in a fair and lawful manner – you contribute to this when you describe your purpose for processing personal data in a clear manner.

4. One or more than one purpose?

It is a good idea to consider whether you need to process the personal data for one or more purposes, otherwise you risk excluding yourself from processing the personal data later on.

It is important that you inform the data subject about the purposes for which you are to process the data in a way that makes it clear that there are multiple purposes. You can find guidance on duty of disclosure here.