Compatibility as a Mechanism for Responsible Further Processing of Personal Data

  • Wouter Seinen
  • Andre WalterEmail author
  • Sari van Grondelle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11079)


Further processing is probably one of the lesser researched features of the General Data Protection Regulation (“GDPR”). This is remarkable since much of the data to be processed involves data that was collected at an earlier stage and further processing is highly relevant for data controllers.

“Further processing” in this article refers to the processing of personal data for a purpose other than that for which it was initially collected. Article 6(4) of the GDPR provides the legal basis for such further processing. The key mechanisms are consent and a compatibility assessment.

Many privacy advocates consider consent to be the gold standard for further processing and pay little attention to the compatibility option. Consent, however, puts a significant cognitive load on individuals (the “data subjects”), while it confronts data controllers with serious challenges in obtaining consent and recording its validity. On the other hand, the compatibility assessment allows data controllers to justify the further processing based on the criteria given in Article 6(4), but it might leave individuals powerless.

In this article, we compare the two key mechanisms for further processing, consent and compatibility, and we discuss various compensating measures controllers can take to ensure that compatibility-based processing is a real alternative to consent.


GDPR Personal data Data subjects Data controllers Consent Compatibility Privacy impact assessment 


  1. 1.
    For completeness, further processing is also possible on the basis of Union or Member State law, which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) GDPR. Given the specific nature and limited scope of this feature, we will not elaborate further on this in this articleGoogle Scholar
  2. 2.
    Report of the State Commission on the Protection of Privacy 1976, pp. 26–27Google Scholar
  3. 3.
    Blok, P.H.: Het recht op privacy (The Right to Privacy). The Hague: Boom Juridische Uitgevers, p. 135 (2002)Google Scholar
  4. 4.
    Article 5 GDPRGoogle Scholar
  5. 5.
    Article 6 GDPRGoogle Scholar
  6. 6.
    This is not a new concept: earlier, in the context of the Directive 95/46/EC, the Working Party 29 (hereinafter: WP29) published an opinion on further processing of personal data and the assessment of compatibility thereof in its working paper on purpose limitation. The GDPR codified this approach in Article 6(4)Google Scholar
  7. 7.
    WP29 Guidelines on Consent under Regulation 2016/679, WP259 rev. 01, (hereinafter: WP29, WP259), adopted on 10 April 2018, p. 23Google Scholar
  8. 8.
    Feiler, Lukas, Forgó, Nikolaus, Weigl, Michaela: The EU General Data Protection Regulation (GDPR): A Commentary, p. 83. UK, Global Law and Business Ltd (2018)Google Scholar
  9. 9.
    Article 4(11) GDPR and Recital 32 GDPRGoogle Scholar
  10. 10.
    Recital 42 GDPRGoogle Scholar
  11. 11.
    Recital 50 GDPRGoogle Scholar
  12. 12.
    Article 5(1)(b) on the principle of purpose limitationGoogle Scholar
  13. 13.
    WP29, WP203, III.2.2.d, p. 26Google Scholar
  14. 14.
    Article 5(1)(b) and (e) GDPRGoogle Scholar
  15. 15.
    See final sentence of Article 5(1)(b) GDPRGoogle Scholar
  16. 16.
    WP29, WP203, p. 29Google Scholar
  17. 17.
    Pursuant to Article 5 GDPR and based on Article 8 of the European Convention on Human Rights (ECHR)Google Scholar
  18. 18.
    WP29, WP259, p. 23Google Scholar
  19. 19.
    WP29 Guidelines on transparency under Regulation 2016/679, WP260 rev. 01, (hereinafter: WP29, WP260), adopted on 11 April 2018, p. 20Google Scholar
  20. 20.
    WP29, WP259, p. 21Google Scholar
  21. 21.
    WP29 recognizes permission management systems as meaningful measures for “pull notices” in WP29, WP260, p. 20Google Scholar
  22. 22.
    Article 21 GDPRGoogle Scholar
  23. 23.
    Article 17(1)(b) GDPRGoogle Scholar
  24. 24.
    Article 21(3) Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposesGoogle Scholar
  25. 25.
    It is clear from the wording of Article 21 GDPR that the balancing test is different from that found in Article 6(1)(f) GDPR. In other words, it is not sufficient for a controller to just demonstrate that an earlier legitimate interest analysis was correct. This balancing test requires the legitimate interest to be compelling, implying a higher threshold for overriding objections. (WP29 Guidelines on the Automated Individual Decision-Making and Profiling, WP251 rev. 01, adopted on 6 February 2018)Google Scholar
  26. 26.
    Recital 7 GDPR: Natural persons should have control of their own personal dataGoogle Scholar
  27. 27.
    Information Commissioner’s Office (ICO). Consultation on GDPR consent guidance, March 2017Google Scholar
  28. 28.
    Chapter 4 of the GDPRGoogle Scholar
  29. 29.
    Chapter 5 of the GDPRGoogle Scholar
  30. 30.
    Article 49 GDPR and WP29 Guidelines on Article 49 of Regulation 2016/679, WP262, February 6, 2018Google Scholar
  31. 31.
    Article 9(1) GDPRGoogle Scholar
  32. 32.
    Article 9(2) GDPRGoogle Scholar
  33. 33.
    Articles 12, 13, and 14 GDPRGoogle Scholar
  34. 34.
    WP29 Guidelines on the Automated Individual Decision-Making and Profiling, WP251 rev. 01, adopted on 6 February 2018, p. 19Google Scholar
  35. 35.
    ICO. 2018. Guide to the General Data Protection Regulation (GDPR), version 1.0.34, p. 44, 22 March 2018Google Scholar
  36. 36.
    Dutch DPA. 2015. Wifi-tracking van mobiele apparaten in en rond winkels door Bluetrace (Wifi-tracking of mobile devices in and around stores by means of Bluetrace), (hereinafter: Dutch DPA 2015), 13 October 2015Google Scholar
  37. 37.
    International Association of Privacy Professionals (IAPP). Privacy Tech Vendor Report (2018).
  38. 38.
    KuppingerCole: Leadership Compass: CIAM-Platforms (2016)Google Scholar
  39. 39.
    Gartner: Critical Capabilities for Identity and Access Management as a Service, Worldwide (2016)Google Scholar
  40. 40.
    Ctrl-Shift. Is the EC waking up to PIMS?” (2015). (
  41. 41.
    Article 30 GDPRGoogle Scholar
  42. 42.
    Dutch DPA 2015Google Scholar
  43. 43.
    See working assumption in Section 3 that personal data initially collected based on consent will also have to be further processed based on the data subject’s consentGoogle Scholar
  44. 44.
    Article 45(3) GDPRGoogle Scholar
  45. 45.
    Article 46 GDPRGoogle Scholar
  46. 46.
    WP29, WP203, p. 22Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Wouter Seinen
    • 1
  • Andre Walter
    • 1
    Email author
  • Sari van Grondelle
    • 1
  1. 1.Baker McKenzie Amsterdam N.V.AmsterdamNetherlands

Personalised recommendations