A bank collected customer transaction records under a privacy notice that stated the data would be used to operate accounts and detect fraud. The data science team now wants to reuse those same records to train a marketing propensity model. Under the GDPR principle of purpose limitation, what must the team establish before proceeding on this basis?
- A. That the marketing model will, as a secondary benefit, improve the accuracy of the existing fraud detection model for the same customers
- B. That the records have been pseudonymised so that direct identifiers are replaced with tokens before training begins
- C. That the new marketing purpose is compatible with the original purposes, or otherwise obtain a fresh lawful basis such as consent for the reuse (Correct)
- D. That the resulting model will be evaluated for demographic bias before any marketing campaign is launched
Why A is wrong: This is tempting because linking the new use to the original fraud purpose sounds like a compatibility argument, but a marketing propensity model is a distinct commercial objective, so an incidental fraud benefit does not make the marketing use lawful under the original notice.
Why B is wrong: Pseudonymisation is a useful safeguard and can support a compatibility assessment, but on its own it does not authorise a new incompatible purpose because pseudonymised data remains personal data subject to purpose limitation.
Why C is correct: Purpose limitation permits further processing only where it is compatible with the purposes for which data was collected, and where it is not compatible the controller must secure a separate lawful basis such as fresh consent before reusing the records.
Why D is wrong: Bias evaluation is good governance and may be required for fairness, but it addresses model outputs rather than the lawfulness of reusing the data, so it does not resolve the purpose limitation question about whether the reuse is permitted at all.