European Union

A public authority reuses my data from one department in another. Is this lawful?

GDPR Art. 6

Legal basis required

GDPR Art. 5(1)(

Purpose limitation

72 hours

Breach notification

€20M or 4%

Max fine

The Short Answer

Reusing your personal data between departments of a public authority is lawful only if it is compatible with the original purpose, has a legal basis under GDPR, and respects your rights — including transparency and objection.

What the Law Says

The General Data Protection Regulation (GDPR) strictly governs how public authorities may reuse personal data across departments. Key principles include purpose limitation, lawfulness, and accountability.

Under GDPR Article 5(1)(b), personal data must be 'collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.' This means reusing data in another department is only lawful if the new use is compatible with the original purpose — or if a new legal basis applies.

Article 6 sets out lawful bases for processing. For public authorities, this is often Article 6(1)(e): 'processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.' But even then, compatibility must be assessed case by case.

Article 21 grants you the right to object to processing based on public interest or official authority — including internal data reuse — and the authority must stop unless it demonstrates 'compelling legitimate grounds' overriding your interests.

Statutory Text
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
— Regulation (EU) 2016/679, Art. 5(1)(b) — Principles relating to processing of personal data

Statutory Text
Processing shall be lawful only if and to the extent that at least one of the following applies: … (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
— Regulation (EU) 2016/679, Art. 6(1)(e) — Lawfulness of processing

Statutory Text
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her… where processing is necessary for the performance of a task carried out in the public interest…
— Regulation (EU) 2016/679, Art. 21(1) — Right to object

Sources

statuteRegulation (EU) 2016/679, Art. 5(1)(b) — Principles relating to processing of personal data statuteRegulation (EU) 2016/679, Art. 6(1)(e) — Lawfulness of processing statuteRegulation (EU) 2016/679, Art. 21(1) — Right to object

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.