What is purpose limitation? (GDPR Art. 5(1)(b))

Purpose limitation (GDPR Art. 5(1)(b)): personal data must be collected for "specified, explicit and legitimate purposes" and not further processed in a manner that is incompatible with those purposes. Two core rules: (1) Define + communicate purpose up front in the privacy statement. (2) Further use only if compatible with original purpose — or obtain new lawful basis (often consent). Compatibility test (Art. 6(4)): relationship between purposes, context, data nature, consequences, safeguards. Examples of incompatible use: webshop customer data sold to marketing partners (entirely new purpose), HR data used for scientific research (new basis needed), CCTV for theft prevention also used for performance assessment (function creep). Exceptions where further processing IS allowed (Art. 5(1)(b) end): archiving in public interest, scientific/historical research, statistical purposes. Fine example: AP fine 2024 against TikTok for using minors' data for purposes beyond those stated. Complaint? Suspect your data is being repurposed? Access request explicitly asking for "all purposes for which my data is processed" — if answer is incomplete or purposes shift: AP complaint.