cdpse-d3-data-purpose-data-use-limitation

Data Use Limitation

isaca-cdpse · framework · Gold standard

Drawn fromCDPSE Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Data Use Limitation

Data Use Limitation is the privacy principle that personal data collected for a specific, documented purpose must not be used for any incompatible purpose without additional legal justification or explicit consent. It establishes a defined scope of permissible use; any deviation from that scope violates the data subject's reasonable expectations and, in most major jurisdictions, the law. It is not a blanket prohibition on secondary uses—it is a governance requirement to assess, document, and control those uses before they occur. Organizations implement data use limitation through purpose registries, compatibility assessments, and technical access controls that bind data to its declared purpose throughout the data lifecycle.

Where it stops · what it isn't

—IS: A governance principle requiring that data processing remain within the bounds of the original documented collection purpose, or a demonstrably compatible secondary purpose with an appropriate legal basis
—IS: Applicable primarily to personal and sensitive data under GDPR (Article 5(1)(b)), CCPA, LGPD, PDPA, and equivalent regulations—though best practice extends the principle to all organizational data
—IS NOT: A total prohibition on secondary data use—GDPR explicitly permits compatible further processing when assessed via a structured compatibility test and adequate safeguards are in place
—IS NOT: The same as data minimization (which limits volume collected) or data retention limitation (which limits storage duration)—though all three are interdependent lifecycle controls
—IS NOT: Automatically satisfied by a privacy policy disclosure alone—disclosure is necessary but not sufficient; processing must also be technically restricted to the stated purpose
—IS NOT: Exclusively a legal compliance task—it is equally a data governance and data architecture responsibility spanning legal, IT, operations, and business teams

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Data Purpose (CDPSE Data Lifecycle domain)

REQUIRES

Data Inventory and ClassificationPurpose Mapping Register

ENABLES

Compatible Further Processing AssessmentCompliant Secondary Analytics and AI/ML Use Cases

RELATED TO

Data MinimizationData Retention Limitation

CONSTRAINS

Marketing Analytics and Customer ProfilingAI/ML Model Training on Historical DataCross-Departmental Data Sharing

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.