Op-Ed: “Is making a backup copy of a database lawful under the GDPR? Case C-77/21 Digi”, by Alberto Miglio

Introduction

At the core of the Court of Justice’s judgment in Digi (C-77/21, not yet available in English) is the principle of purpose limitation of data processing under General Data Protection Regulation 2016/679 (the GDPR). Long regarded as a cornerstone of EU data protection law, this principle is now enshrined in Article 5(1)(b) GDPR, which prescribes that personal data must be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’. In Digi, the Court addressed both the question of what constitutes ‘further’ processing and that of compatibility with the original purpose of data collection.

The case originates from the rather common occ